What Happened?
On 24 May 2025 at 3:06pm UTC ColoCrossing Cloud customers with an active VM received an email detailing an external breach in the ColoCrossing infrastructure with a ransom request.[1]
A screenshot of this email along with the full email headers were posted as a thread to the online forum Lowendtalk.com, confirming the email came from a sendgrid.com IP address with passing SPF/DKIM validation.[2] [3]
The breach targeted the Virtualizor control panel of the ColoCrossing Cloud VPS and VDS product lines, exposing end users' Full Name, Email Address and the Root Password to VPS and VDS products for these customers.[4] [5]
Independently, on the online forum Nodeseek.com another user posted how they had also contacted the attacker and received screenshots of the ColoCrossing Virtualizor Control Panel, further indicating the breach was legitimate.[6] [7]
A second email from the compromised [email protected] email was sent at 4:28pm UTC. [8]
At 6:16pm UTC a user on Lowendtalk confirmed their VPS had been breached / compromised. [9] [10]
At 7:02pm UTC multiple users on Lowendtalk confirmed the Virtualizor Control Panel Database had been leaked in its entirety.[11] [12] [13] [14] [15]
On 25 May 2025 at 1:45am UTC ColoCrossing sent a 'Security Notice' to all end users via the [email protected] address claiming "the attacker was able to access limited system metadata, email addresses and used our mail server API to send an unauthorized message to ColoCloud customers." and that the incident "stemmed from a vulnerability in a Single Sign-On (SSO) feature".[16]
At 2:19am UTC a user on Lowendspirit.com with a copy of the Virtualizor database confirmed customer data is in the DB in plain text, including passwords, email addresses and data related to VMs.[17]
At 9:49am UTC the Host Provider account for xHosts confirmed they have spoken to Virtualizor and "the issue appears to have been human error and not a software issue".[18]
At 2:52pm UTC a user on Lowendtalk.com posted a screenshot from the attacker claiming to show the attacker deleting customer VMs.[19] [20]
At 3:22pm UTC a user on Lowendtalk pointed out and confirmed that ColoCrossing was still actively accepting orders during this security incident.[21]
Between 3:44pm and 5:21pm UTC multiple compromised user accounts on Lowendtalk showed up, claiming to be the hacker and stating that ColoCrossing had never made any attempt to contact them after the breach.[22]
At 4:50pm UTC a representative from ColoCrossing, 'CVPS_Chris', posted on Lowendtalk: "Significant steps are being taken to disconnect the platform from the internet to allow time for us to work on this issue. If your virtual server is down currently it is likely because of this action." [23]
At 5:33pm UTC an end user from Hudson Valley Host (a ColoCrossing sub-brand) claimed both VMs they had went offline and that their credentials were among those dumped in the Virtualizor DB.[24]
Misinformation ⇄ Facts
Quick Comparison
ColoCrossing PR is in full cleanup mode, hot with misinformation; let's clear some of that up.
- Claim: Stemmed from a vulnerability in a Single Sign-On (SSO) feature in Virtualizor.
  Fact: No independent confirmation from Virtualizor regarding this, and LowEndTalk host reps have confirmed Virtualizor is reporting this incident is in fact due to human error.
- Claim: Did not impact the ColoCloud billing system (WHMCS) or expose any personal or payment information.
  Fact: Multiple LowEndTalk users have been able to confirm their personal details (Full Name, Email) are in the compromised Virtualizor database. No additional information regarding payment information or WHMCS.
- Claim: All stored container passwords remain securely encrypted.
  Fact: Multiple LowEndTalk users have confirmed viewing the database, including VM passwords in plain text; additional claims of these plain-text credentials being used to install cryptominers and other malicious software on end user VMs are starting to be raised.
References & Further Reading
- [1] ColoCrossing first compromised email
- [2] Lowendtalk.com - ColoCrossing Database Breach
- [3] Pastebin.com - Compromised email headers
- [4] Lowendtalk.com - Teko comment
- [5] Lowendtalk.com - zGato comment
- [6] Lowendtalk.com - yoshiki comment
- [7] Imgur - image from yoshiki comment
- [8] Pastebin.com - ColoCrossing second compromised email
- [9] Lowendtalk.com - Lunar comment
- [10] Imgur - image from Lunar comment
- [11] Lowendtalk.com - adanforest comment
- [12] Imgur - image from adanforest comment
- [13] Lowendtalk.com - phin comment
- [14] Lowendtalk.com - Lunar comment
- [15] Imgur - image from Lunar comment
- [16] Pastebin.com - ColoCrossing security notice email
- [17] Lowendspirit.com - treesmokah comment
- [18] Lowendtalk.com - xHosts comment
- [19] Lowendtalk.com - Grentenville comment
- [20] Imgur - image from Grentenville comment
- [21] Lowendtalk.com - MannDude comment
- [22] Lowendtalk.com - faithhost comment
- [23] Lowendtalk.com - CVPS_Chris comment
- [24] Lowendtalk.com - MrMook comment
This page will be updated as verifiable information becomes available.