Dateline: March 26, 2026
1.6 Million Customers, 5.9 Million Sites — and a Breach Nobody Can Confirm
Europe’s largest web hosting provider is at the center of a cybersecurity storm this week — though the actual damage remains unconfirmed.
Introduction
On March 24, 2026, a post appeared on BreachForums with a bold claim: a threat actor going by “contactbreachforums” said they had broken into OVHcloud, one of the biggest cloud hosting providers in the world, serving millions of websites across Europe and the US. What followed was a wave of concern, skepticism, and a flat denial from the company’s own founder.
What Happened?
The threat actor, posting under the alias “Normal” on BreachForums, claimed to have infiltrated OVHcloud’s server infrastructure on March 23, 2026. According to the post, they had gained access to a high-privilege administrative “parent account” — essentially the keys to the kingdom — and from there, allegedly siphoned off a staggering amount of data.
The claim put 590 terabytes of data up for sale, said to include 1.6 million customer records and active data from 5.9 million websites — source code, SQL databases, server configurations, and personal information like names, phone numbers, email addresses, and physical addresses.
To prove the theft, the attacker posted a single line of sample data and reached out via a Telegram intermediary, inviting the company to make an offer to buy its own data back.
OVHcloud founder Octave Klaba responded quickly. After investigating the sample data provided, he stated the company found no evidence that it originated from their servers. Security researchers who reviewed the sample were equally skeptical — one line of data is simply not enough to verify a breach of this scale.
What’s the Impact?
Even without confirmation, claims like this cause real disruption. Customers started rotating credentials and API keys out of caution. Discussions across hosting communities picked up, with users unsure whether their VPS environments were compromised.
Researchers noted that the threat actor had no history of confirmed breaches on the forum — the OVHcloud post was their only one. The pattern fits a known playbook: post a big claim, offer a “sample,” and collect payment from buyers before disappearing. Similar fake breach claims have recently targeted Dell, SAS Institute, and AXA.
Still, the timing is awkward for OVHcloud. The company had already recorded a series of technical incidents in February 2026, including an electrical failure at its Gravelines data center that caused service outages across multiple hosted applications. Those incidents had nothing to do with a cyberattack, but they primed users to worry.
More broadly, if a breach of this scale ever were confirmed at a major European cloud provider, it would put a serious dent in the case for “digital autonomy” — the push by European companies to offer a local alternative to AWS, Azure, and Google Cloud.
How to Avoid This
Whether or not this specific breach turns out to be real, it’s a good reminder of what cloud customers should already be doing:
Rotate credentials and API keys regularly, not just after a scare. Enable multi-factor authentication — ideally hardware-based — on every admin account. Monitor for unusual access patterns across your hosting environment, especially at the account level. Don’t wait for a breach to be confirmed before taking basic precautions. And if a “hacker” posts your data for sale and asks you to pay to get it back through a Telegram middleman, treat that as a major red flag that it may be a scam.
Cloud providers rarely store full card numbers, using tokenization instead — but billing addresses and account details are fair game if an admin account is ever truly compromised. That’s the real risk worth protecting against.
As of publishing, OVHcloud has not issued a formal public statement beyond Klaba’s personal denial. The investigation is presumably ongoing.