On 27 April 2026, Greenhost identified and resolved a security vulnerability that exposed limited customer data to unauthorized access. 59 customers in total were affected. This post is the public record of what happened, what was exposed, and what comes next.
Greenhost has written openly when things go wrong, like when we had major outages in 2018 and 2021. We are writing this post because transparency is nice at comfortable times, but especially important in the uncomfortable moments.
Here is what happened
A hidden API endpoint, intended only for Greenhost staff, was deployed in 2023 with incorrect access controls. For roughly two years, the endpoint was technically reachable but not referenced anywhere in publicly visible code, making accidental discovery very unlikely. In September 2025, a reference to it was added to the front-end. From that point onwards, anyone analyzing the code could find it.
On 25 April 2026, a security researcher noticed the endpoint and accessed a small set of records to confirm the scope of the issue. They reported it through our Responsible Disclosure Program over the weekend. On the next working day, 27 April, Greenhost confirmed the report and patched the vulnerability. On 29 April, the incident was reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
What was exposed
For affected accounts, the following data was visible:
- Company name, or personal name, where the customer is a private person
- Billing e-mail address
- IBAN data stored directly with Greenhost
- List of active domain registrations
- Internal Greenhost comments on the account
What was not exposed
- Login names and passwords (including hashed passwords)
- Customer addresses and phone numbers
- Payment information stored with the external payment provider
- Cloud customer data and contract data
- Contact persons or their details
- Support system data
Who was affected
Log analysis identified 20 customers whose data was accessed by automated bot traffic, a pattern consistent with broad security scanning rather than targeted activity. A further 39 customers had their data viewed by the security researcher in good faith while confirming the scope of the issue.
There is no current evidence of misuse. The 59 customers whose data was accessed have been contacted about this via separate, individual e-mails.
Why this happened
The vulnerability resulted from inconsistencies in access control between two different mechanisms used in different parts of the platform. The risk of operating two methods in parallel was already known internally, and refactoring to consolidate them was already underway. This incident sharpens that priority. Finalizing a single, consistent access control mechanism is now at the top of the engineering queue.
Reflection
The honest assessment is that this should not have happened. The operational gap that allowed the endpoint to be exposed in the first place is the kind of issue on which Greenhost holds itself to a higher standard. As such, we are embarrassed this happened. Privacy and security are not just commitments printed on a website; they are operational responsibilities, and on this occasion, the operations fell short.
There are two things worth saying beyond the apology.
The first is about data minimization. The most reliable way to protect customer data is to store less of it. Even before this incident, Greenhost had been simplifying onboarding and reducing the amount of information collected. We have also been working on removing previously obtained information, and we will continue doing this with renewed focus. Less data on the books means less data exposed when something goes wrong. This is privacy by design in its most practical form: daily decisions about what data to ask for, what to keep, and for how long.
The second is about responsible disclosure. The reason this incident is being written about now, rather than discovered later through misuse, is that a researcher chose to report it through the proper channel. Greenhost's Responsible Disclosure Program exists precisely to make that the easier choice, and in this case, it worked. Programs like this are a quiet infrastructure for the open Internet. They depend on trust between researchers and operators, and they deserve more recognition than they usually get.
The researcher in this case is Shubham Bothra, who identified the exposed endpoint, retrieved only the minimum data needed to confirm the scope of the issue, reported it clearly and quickly through the proper channel, and offered to walk the Greenhost team through the steps to help resolve it. The work was carried out exactly in the spirit the Responsible Disclosure Program is built around. Greenhost has awarded Shubham a reward of €2,000 for the disclosure (the maximum possible payout under our program), and the team is grateful for the care and professionalism he brought to the process. He has been listed in the Hall of Fame, where you can also see other researchers who were rewarded.
What comes next
Beyond the immediate fix and the notification to the regulator, Greenhost is:
- Prioritizing completion of the access control refactoring already underway
- Continuing the work to reduce the volume of customer data stored at all times
- Reviewing internal processes for how new endpoints are reviewed before deployment, with particular attention to features that exist for staff use only
- Reviewing what log retention is needed to investigate incidents like this thoroughly, while staying within the principle of storing only what is necessary
Trust, once shaken, is not restored by a blog post. It is restored by the work that follows, by the next year of decisions, and by being honest the next time something goes wrong too. That is the focus from here.
For any questions or concerns, the team can be reached at support@greenhost.net or through our contact form.
— On behalf of everyone at Greenhost