Hostinger has publicly disclosed an unauthorized access incident linked to its infrastructure that may have affected traffic to Notepad++ update assets. In a blog post published on February 3, 2026, Hostinger Engineering lead Saulius Lazaravičius detailed the timeline and scope of the issue following suspicious activity identified on December 1, 2025.
According to the disclosure, the incident was limited in scope and tied to a specific set of internal service credentials on a shared hosting server, rather than a platform-wide breach (read here). Hostinger confirmed that hosting accounts, customer websites, login credentials, and billing systems were not compromised as part of the incident.
Incident Summary: What Happened
Hostinger reported that on December 1, 2025, it detected suspicious activity on one of its shared hosting servers. Further investigation revealed that credentials associated with an internal service on that server could have been used to intercept and redirect some traffic related to the Notepad++ update mechanism, specifically the getDownloadUrl.php endpoint.
Hostinger’s logs indicate that the server in question had been compromised until September 2, 2025, when scheduled maintenance including kernel and firmware updates were performed. After that date, the suspicious patterns stopped appearing in logs, suggesting the attacker no longer had access. However, Hostinger observed that some credentials remained valid until December 2, 2025.
The company stated that there is no evidence other customers hosted on the server were targeted, nor that customer websites were accessed or modified. Affected credentials were rotated, vulnerabilities were addressed, and logs across other infrastructure components were reviewed.
Scope of Impact
Hostinger clarified that the incident involved only data stored inside the Notepad feature.
What may have been exposed:
- Text content manually stored by users in the Notepad tool
What was not exposed:
- Hosting account credentials
- Passwords or authentication data
- Websites, databases, or server files
- Payment or billing information
Users who did not use the Notepad feature were not impacted.
Hostinger’s Response and Remediation Steps
Hostinger stated that it acted immediately after identifying the unauthorized access. Access to the affected system was restricted, and the configuration issue responsible for the exposure was fixed to prevent further misuse.
Following containment, Hostinger conducted an internal security review to assess whether the issue extended beyond the Notepad feature. The company reported that no evidence was found indicating broader access to hosting accounts, customer websites, or internal production systems.
Hostinger also confirmed that impacted users were notified directly. Additional access controls were applied, and relevant credentials were rotated as part of the remediation process. The company noted that no service downtime or hosting disruptions occurred during or after the incident.
What This Means for Web Hosting Users
Based on Hostinger’s announcement, the impact of this incident remained confined to the identified component and did not extend to customer hosting environments.
What Hostinger Confirmed Was Not Affected
According to Hostinger, the unauthorized access did not involve customer hosting accounts, websites, databases, login credentials, or billing systems. The company also confirmed that no service outages or hosting disruptions occurred as a result of the incident.
How HostScore Interprets the Disclosure
From HostScore’s perspective, this incident aligns with what Hostinger described: a scoped issue involving a specific internal component, rather than a platform-wide compromise.
Our interpretation is based strictly on Hostinger’s published statements, including:
- The defined scope of affected data
- The absence of evidence pointing to customer account or website access
- The remediation steps taken and disclosed
Hostinger’s publication of a detailed timeline and attribution to engineering leadership adds clarity and accountability to the disclosure.
Practical Takeaways for Hosting Users
While Hostinger did not recommend specific user actions, this disclosure reinforces several general best practices:
- Avoid storing sensitive information in control-panel note or utility tools
- Treat convenience features as plain-text storage unless explicitly stated otherwise
- Use password managers or encrypted vaults for credentials and API keys
- Enable two-factor authentication on hosting accounts where available
- Periodically review account security settings and unused features
These precautions apply broadly across hosting providers and are not unique to this incident.
Wrapping Up
This incident does not affect Hostinger’s uptime, performance, or suitability for common hosting use cases. Customer websites and hosting environments were not compromised, and the issue was contained to a narrow, non-core component.
At HostScore, we track disclosures like this to evaluate how hosting providers communicate, respond, and remediate security incidents. In this case, the defined scope and level of transparency shown align with expectations for a global hosting provider.
We will continue monitoring hosting security disclosures as part of our ongoing infrastructure assessments and reviews.
