Security incident at ZAP – Full statement

UPDATE 20.03.2022: We are receiving an increasing number of messages from customers asking why we are only reporting the leak now when the dataset is dated 22.11.2021. The perpetrator did not publish the dataset until 13.03.2022/14.03.2022. Prior to that, nothing was known to us or the public.
--

Dear ZAP user,

as already informed on 15.03.2022 in a newsletter, we analyze attacks on our infrastructure since. Between 13.03 and 15.03 there were several very targeted attacks on internal services of our infrastructure. Immediately the team dealt with the analysis of the attacks and the protection of affected systems. The damage here could be limited to a large extent, so that the infrastructure was almost fully operational again within 48 hours and no further impairments in the customer portal were recorded. In connection with these incidents, a database dump of the customer portal with data status 22.11.2021 was published on Clear-Net. A connection between the two incidents is considered highly probable.

Obviously, an attempt was made here to just cause damage by brute force and through the publication of the aforementioned dump. Negotiations or blackmail on the part of the hacker did not occur.
We would like to inform you that your e-mail address and your username were included in this database dump. If address data was provided when ordering a contract server or if there was a chat with our customer support, these may also be included in the said dump. Passwords to the ZAP customer portal are only included in encrypted form. With the exception of some subuser accounts. We send these accounts with auto-generated passwords via support e-mail, which in turn were available as log entries in the database. We have already reset these auto-generated passwords, so there is no longer any danger here. We still recommend changing your ZAP customer account password.

Credit card data or other payment information with security features were not included. We are still working on the analysis of the database leak. If any new information comes to light, we will inform you immediately.

Your booked products/servers at ZAP are also not compromised! No access data was leaked.

Security is our first priority at ZAP-Hosting. We have been working with white-hat hackers for several years through our bug bounty program, improving the company's security on a daily basis. More information on how such incidents could still happen will be shared with you shortly!

I, Marvin Kluck, would like to apologize personally and in the name of my company, ZAP-Hosting GmbH & Co. KG to you! The thought that despite all my efforts in the last 12 years of ZAP-Hosting I did not manage to prevent such an incident and the thought that there are people in our world who are up to their mischief in our digital and analog world with such viciousness and obviously without a healthy sense of morals and ethics is equally depressing as well as scary.

Security should be the be-all and end-all for any business in this day and age. I assure that it was and is for me!
Attacks of this kind can unfortunately never be 100% prevented. My task is and was to reduce the probability of such attacks to a minimum. I have been working on this together with my team for years and especially intensified now, so that I save no expense and effort to continue to provide the best possible security on ZAP.

We would like to share a small apology with every ZAP user:
20€ voucher: wekeepworkingforyoursafety (Code is expired and not redeemable anymore)
Feel free to redeem it in your ZAP Cashbox and use it to book any service or renew a current service: https://zap-hosting.com/en/customer/home/cashbox/ (click on "redeem voucher").

Keep your chin up! Warm regards,
Marvin & the whole ZAP team