Hostinger server unauthorized access case: What happened with Notepad++ and what measures we took to resolve it
What happened and what was affected?
On December 1, 2025, we identified suspicious activity on one of our servers where our clients’ websites were hosted. After investigation, we found that one of our customers, Notepad++, was specifically targeted, and we were working with them to secure their services. While there is no evidence that any other Hostinger clients’ websites or data were affected, as a precaution, we notified customers who had their data on the affected server and moved all websites to another server. To stay transparent about this incident, we are sharing what happened, how we resolved it, and what steps we’re taking to make our systems stronger.
Incident timeline
- The shared hosting server in question was compromised until September 2, 2025. On this particular date, the server had scheduled maintenance where the kernel and firmware were updated. After this date, we could not identify any similar patterns in logs, and this indicates that the bad actors had lost access to the server. We also did not find any evidence of similar patterns on any other shared hosting servers. As a precaution, we immediately transferred clients to a secure environment on a different server and notified them.
- Even though the bad actors lost access to the server on September 2, 2025, they retained credentials of one of the internal services existing on that server until December 2, which could have allowed the malicious actors to redirect some of the traffic going to https://notepad-plus-plus.org/getDownloadUrl.php to their own servers and return a download URL containing compromised updates.
- Based on our logs, we see no evidence of other clients hosted on this particular server being targeted. The bad actors specifically searched for the notepad-plus-plus.org domain with the goal of intercepting the traffic to the website, as they might have known the then-existing Notepad++ vulnerabilities related to insufficient update verification controls.
Conclusion and next steps
After concluding our research, the identified security findings were no longer observed in the web hosting systems from December 2, 2025, onward, as:
- We fixed vulnerabilities that could have been used to target Notepad++. In particular, we do have logs indicating that the bad actor tried to re-exploit one of the fixed vulnerabilities; however, the attempt did not succeed after the fix was implemented.
- We rotated all the credentials that bad actors could have obtained prior to September 2, 2025.
We checked the logs for similar patterns across all web hosting servers and didn’t find any evidence of systems being compromised, exploited in a similar way, or data being breached. We continue to work closely with the affected client, their partners, and internal and external security researchers to further improve our services and ensure they remain reliable and secure.
As VP of Product at Hostinger, Saulius oversees Web Hosting Platform & Tools, Managed WordPress, and WebPro Experience. Saulius enjoys observing users through their daily life activities, looking for problems to solve, and building products that make users more efficient online, help them spend more time on the things they love, and leave all the rest for technology to solve.
