
Mass VPS Provider Ransomware Attack Linked to Stolen Credentials from Virtualizor Support Breach

VPS ransomware attack hits CloudCone, HostSlick after credentials stolen from Virtualizor support tickets.

UPDATE (February 3, 2026): Virtualizor has released an official statement clarifying the attack vector. The company confirms there is no vulnerability in Virtualizor software or its billing modules. Instead, attackers gained access through a sophisticated session hijacking attack on Virtualizor's support ticket system, despite the company having 2FA, MFA on email accounts, and SMS-based 2FA on VPN/tunnels.

The breach exposed approximately 1,500 old support tickets—some over a year old—where customers had sent plain-text root credentials via email rather than through Virtualizor's secure, encrypted submission forms. Attackers then used these stolen credentials to access customer servers.

According to Virtualizor's forensic analysis, the compromised servers shared two critical security failures: they were still using passwords that hadn't been rotated after the original support tickets were resolved (some over a year old), and they lacked IP whitelisting or firewall restrictions on their Virtualizor Admin Panel and SSH access, allowing login attempts from unauthorised external IP addresses.


A widespread ransomware campaign targeting virtual private server (VPS) providers has permanently destroyed customer data across multiple hosting companies, with the attack traced to stolen credentials from a security breach of Virtualizor's support ticket system.

CloudCone, HostSlick, and OuiHeberg are among confirmed victims, with the intrusion succeeding due to poor password management practices and a lack of network security controls rather than software vulnerabilities.

CloudCone officially confirmed the grim reality in customer support tickets: user data is unrecoverable. The Los Angeles-based provider is rebuilding affected nodes from scratch rather than attempting data restoration, forcing customers to reinstall systems and rely on their own backups—if they have them. The company's status page shows servers have been offline since January 30, with recovery efforts focused on getting infrastructure operational rather than salvaging existing data.

"An attacker exploited a vulnerability to gain access to our VPS server node," CloudCone's support team wrote in ticket responses shared by affected users. "The attacker has compromised the disk associated with your server, rendering the data on the disk unrecoverable."

According to discussions in the LowEndTalk community, attackers leveraged vulnerabilities in how Virtualizor's billing panel plugin communicates with its API, enabling them to execute unauthorised commands across connected virtual machines without triggering standard security alerts like SSH logs.

CloudCone's incident report confirms the intrusion bypassed traditional access controls. "Evidence suggests that this activity originated through management-layer access rather than direct SSH connectivity, which explains the absence of anomalous SSH login records," the company stated, noting that unauthorised scripts were executed on affected nodes through the management interface—consistent with attackers using legitimate stolen credentials rather than exploiting software vulnerabilities.

The broader impact extends beyond confirmed victims. Providers using Virtualizor's WHMCS plugin identified as potentially vulnerable include ColoCloud, Virtono, SolidSEOVPS, Naranjatech, LittleCreek, DediRock, Chunkserv, and RareCloud. Security experts are urging customers using these services to back up their data immediately.

This attack fits a disturbing 2026 trend. Research from Huntress shows hypervisor-targeted ransomware surged from 3% of incidents in early 2025 to 25% in the second half of the year, with virtualisation infrastructure becoming a prime target for threat actors seeking maximum impact with minimal effort. A single compromised hypervisor can simultaneously encrypt dozens or hundreds of virtual machines—exactly what happened to CloudCone's customers.

The timing coincides with increased exploitation of virtualisation platforms globally. Recent campaigns have targeted VMware ESXi vulnerabilities, with threat actors developing sophisticated toolkits that escape VM isolation to compromise host systems. While the CloudCone attack involved different software, the pattern is identical: attackers recognise that hypervisors represent high-value targets where traditional endpoint security tools often have limited visibility.

What Users Should Do Now:

If you received a notification from Virtualizor about ticket access:

  • Immediately rotate your root password if you haven't already
  • Implement IP whitelisting for your Virtualizor Admin Panel and SSH access
  • Migrate to Virtualizor's new Support Access system that uses SSH keys instead of passwords and creates temporary users that auto-delete after 7 days

For all VPS customers:

  • Never send plain-text credentials via email or support tickets—use secure, encrypted submission methods
  • Rotate passwords immediately after any support interaction is resolved
  • Implement firewall rules restricting admin panel and SSH access to known IP addresses
  • Back up all critical data to external storage independent of your hosting provider
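The two controls Virtualizor's forensic analysis found missing on every compromised server were firewall restrictions on the admin panel and SSH, and rotation of the root password after the ticket closed. The script below is an added example (not code from the article, Virtualizor or any of the affected providers) that generates an nftables allowlist for those two management ports and checks password age; the allowlisted addresses are constructed documentation IPs, and port 4085 is assumed to be the Virtualizor admin panel HTTPS port (confirm on your own install).

```shell
#!/bin/sh
# Constructed allowlist of management IPs (RFC 5737 documentation addresses).
ALLOWED_SRC="203.0.113.10, 198.51.100.0/24"
ADMIN_PANEL_PORT=4085   # assumption: Virtualizor admin panel HTTPS port; verify locally

# Emit an nftables ruleset that accepts SSH and the admin panel only from the
# allowlisted sources and logs and drops every other inbound attempt to those
# ports. Logging the denials gives you the record of unauthorised management
# access attempts that the affected providers did not have.
nft_mgmt_allowlist() {
    allowed="$1"; panel_port="$2"
    cat <<EOF
table inet mgmt {
    set admin_src {
        type ipv4_addr
        flags interval
        elements = { $allowed }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport { 22, $panel_port } ip saddr @admin_src accept
        tcp dport { 22, $panel_port } log prefix "mgmt-denied " drop
    }
}
EOF
}

# Return 0 if the password was changed within max_days of now, 1 if it is stale.
# Both timestamps are epoch seconds; on a real host derive last_change from
# `chage -l root` (the "Last password change" line) via date(1).
password_rotation_ok() {
    last_change="$1"; now="$2"; max_days="$3"
    age_days=$(( (now - last_change) / 86400 ))
    [ "$age_days" -le "$max_days" ]
}

# Stand-alone use: print the ruleset (load with `nft -f`) and flag a stale root password.
nft_mgmt_allowlist "$ALLOWED_SRC" "$ADMIN_PANEL_PORT"
if ! password_rotation_ok 1704067200 1738281600 90; then
    echo "root password is older than 90 days: rotate it now" >&2
fi
```

The ruleset leaves the input policy at accept so it can be layered on top of an existing firewall; tighten the policy once you have confirmed the allowlist covers every address you manage from.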

CloudCone has not provided a timeline for when rebuilt servers will be available, stating only that affected customers will receive direct email notifications. The company emphasises that customer personal data and billing systems were not compromised—only the virtual machines themselves were affected.

The incident reveals a sobering truth about cloud security: even a sophisticated session hijacking attack only turns into destroyed servers when basic security hygiene has already failed. The real vulnerability wasn't in the software—it was in human behaviour. Customers who sent passwords via insecure channels, never rotated credentials, and left admin panels exposed to the internet created the perfect storm for attackers armed with stolen credentials.

Virtualizor has since redacted all ticket data containing sensitive credentials and implemented UEM-managed hardware with 3FA/MFA at multiple access levels to prevent future session hijacking. The company no longer accepts root credentials through support tickets.

The incident underscores a harsh reality of budget hosting: cheap infrastructure comes with serious risks. But as security experts note, even premium providers face these threats. The difference lies not in price but in preparation—specifically, whether you maintain backups independent of your hosting provider.

As one security researcher bluntly summarised the situation: "Your data is basically cold." For customers without backups, that assessment is devastatingly accurate.

Disclosure: This article has been updated with information from Virtualizor's official security statement published February 3, 2026.
