webhostingnz.com hacked and customer data leaked

Forums › IT Pro and developers › webhostingnz.com hacked and customer data leaked

mikecr

2 posts

Wannabe Geek
+1 received by user: 2

#324587 1-May-2026 12:26

I had email hosting with webhosting nz. At 5am I got an automated email from cpanel saying a full access privilege API token had been added to the account. I immediately tried to login on the website but the entire client area was not working. Additionally the live chat wasn't working. I tried logging in to the specific server directly but the password had been changed. I tried to email them but their support email bounced all emails. I messaged them on facebook and got no response. There was no way to get in to shut it down and no way to contact them. It was like this for almost 6 hours. When I finally gained access to cpanel the API token was still there and I had to revoke it myself.

Since they never pulled down the mailserver for the hours it was compromised, I was able to mbsync down my emails, open accounts with a different provider, upload the mail there, then nuke all the emails in the webhostingnz mailboxes. I also deleted the mx records for my domains to prevent new messages being delivered to a compromised mailserver. I assume all of my emails were copied by the hackers, though. Dovecot virtual folders appeared in the mailboxes in question which I am assuming happened when the hackers were syncing my emails.

When webhostingnz's site was working again I logged in, cancelled my services and raised a ticket asking what the hell. I got a boilerplate email about a cpanel zero-day and how they prudently pulled down the servers while they waited for a patch from upstream then redeployed everything from backups which they claim prevented data leaks. This was blatantly false as my server (rosie.whsl206.com) never went down for a second and still contained the hacker's full-access API token when I logged in.

If anyone has anything hosted with them I would strongly suggest logging into cpanel, checking if there's an API token, changing all your passwords, then moving to a different hosting provider. I think it's safe to assume that 100% of their customer's data has been leaked. The fact there was no way to contact them for hours and they never pulled the hacked server down to try minimise data excursion is extraordinary.

gnfb

2699 posts

Uber Geek
+1 received by user: 200

ID Verified

#3486224 1-May-2026 13:00

Oh Great thats what the problem is out of intrest who are you moving to? whan i regain access which i have not got at present what files should i be searching for?

Is an English Man living in New Zealand. Not a writer, an Observer he says. Graham is a seasoned 'traveler" with his sometimes arrogant, but honest opinion on life. He loves the Internet!.

I have two shops online allshop.nz patchpinflag.nz
Email Me

mikecr

2 posts

Wannabe Geek
+1 received by user: 2

#3486226 1-May-2026 13:06

I just had mail hosting & have moved the mailboxes to hostinger in the meantime but will probably reevaluate, I just wanted to get them somewhere quick. The place to look would be in cpanel in the API token area or whatever it's called. I'm not sure if all their servers stayed up and if all were affected, I can only speak for the server named rosie.

OmniouS

436 posts

Ultimate Geek
+1 received by user: 48

Trusted

Lifetime subscriber

#3486228 1-May-2026 13:10

From: Hackers are actively exploiting a bug in cPanel, used by millions of websites | TechCrunch

Security researchers are sounding the alarm on a newly discovered vulnerability in the widely used web server management software cPanel and WebHost Manager (WHM).

The bug allows hackers to hijack and take full control of the servers running the affected software, which is thought to be used by tens of millions of website owners around the world.

Many commercial web hosting companies have patched their customers’ systems already. But the cPanel maker urged customers to ensure that their systems are patched as the bug affects all supported versions of the software.

cPanel and WHM are two software suites used for managing web servers that host websites, manage emails, and handle important configurations and databases needed to maintain an internet domain. The two suites have deep-access to the servers that they manage, allowing a malicious hacker potentially unrestricted access to data managed by the affected software.

The bug, officially tracked as CVE-2026-41940, allows malicious hackers to remotely bypass its login screen to gain full access to the software’s administration panel.

Given the ubiquity of the cPanel and WHM software across the web hosting industry, hackers could compromise potentially large numbers of websites that haven’t patched the bug.

Voyager referral link - Get $50 credit

freitasm

BDFL - Memuneh
80950 posts

Uber Geek
+1 received by user: 41720

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3486229 1-May-2026 13:13

mikecr:

cpanel

https://techcrunch.com/2026/04/30/hackers-are-actively-exploiting-a-bug-in-cpanel-used-by-millions-of-websites/

https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

gnfb

2699 posts

Uber Geek
+1 received by user: 200

ID Verified

#3486257 1-May-2026 14:55

Uptime is saying some of my websites are up allshop.nz etc but when you try to go to any webhostingnz.com or the cpanel entry or allshop.nz get error messages

Is an English Man living in New Zealand. Not a writer, an Observer he says. Graham is a seasoned 'traveler" with his sometimes arrogant, but honest opinion on life. He loves the Internet!.

I have two shops online allshop.nz patchpinflag.nz
Email Me

boosacnoodle

1394 posts

Uber Geek
+1 received by user: 931

#3486265 1-May-2026 15:37

A friend of mine had their cPanel hacked, too. I believe the whole website was destroyed.

AliExpress

Shop now on AliExpress (affiliate link).

gnfb

2699 posts

Uber Geek
+1 received by user: 200

ID Verified

#3486383 1-May-2026 20:01

anyone know anymore on this situation? still cant seem to access my sites

Is an English Man living in New Zealand. Not a writer, an Observer he says. Graham is a seasoned 'traveler" with his sometimes arrogant, but honest opinion on life. He loves the Internet!.

I have two shops online allshop.nz patchpinflag.nz
Email Me

freitasm

BDFL - Memuneh
80950 posts

Uber Geek
+1 received by user: 41720

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#3486384 1-May-2026 20:04

@gnfb:

anyone know anymore on this situation? still cant seem to access my sites

Have you contacted their support team? Do you have backup? Do you have a disaster recovery plan? Are you prepared to move your domain somewhere else if the servers aren't recovered within a certain timeframe?

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

gnfb

2699 posts

Uber Geek
+1 received by user: 200

ID Verified

#3486393 2-May-2026 00:00

freitasm:

@gnfb:

anyone know anymore on this situation? still cant seem to access my sites

Have you contacted their support team? Do you have backup? Do you have a disaster recovery plan? Are you prepared to move your domain somewhere else if the servers aren't recovered within a certain timeframe?

Yes, No,No, Yes if they can provide the backup they told me in the past they make

Is an English Man living in New Zealand. Not a writer, an Observer he says. Graham is a seasoned 'traveler" with his sometimes arrogant, but honest opinion on life. He loves the Internet!.

I have two shops online allshop.nz patchpinflag.nz
Email Me

djtOtago

1190 posts

Uber Geek
+1 received by user: 614

#3486404 2-May-2026 10:49

If their Facebook post is to be believed, they are in the process of restoring everything, it just may take a few days.
https://www.facebook.com/webhostingnz

saf

238 posts

Master Geek
+1 received by user: 591

ID Verified

Trusted

Vetta Group

Subscriber

#3486884 2-May-2026 22:42

Now that we’ve seen this ourselves in a consulting/advisory role, I’ve made a separate post with some information and IoC’s to look for if you manage cPanel servers: https://www.geekzone.co.nz/forums.asp?forumid=46&topicid=324602

My views are as unique as a unicorn riding a unicycle. They do not reflect the opinions of my employer, my cat, or the sentient coffee machine in the break room.

AliExpress

Shop now on AliExpress (affiliate link).

tim0001

280 posts

Ultimate Geek
+1 received by user: 147

#3487013 3-May-2026 13:48

WebHostingNZ have announced on their client portal:

"Restorations: We have officially completed the restoration of all accounts onto our new servers in New Zealand. Ongoing Tweaks: While the accounts are "back," we know there are still some lingering issues and individual bugs we are ironing out. "

My website is not back yet (but I don't mind if they have a bit of a rest before looking at it).