Ask HN: Hetzner asking for passport for new account? just me, or everyone?

5 points by casenmgreen 2 days ago

Just made a Hetzner account, activated 2FA, the usual.

Then go to buy a storage box, and I get this;

> Our automated system check indicates that your account information has an increased level of risk. Please choose one of the following verification methods:

And you can pay 20 EUR up front by PayPal, or hand over your passport (fat chance!)

Is this genuine, or does everyone get this and it's a fake reason?

(I've signed up to pay by bank transfer, so I'm also wondering why they don't ask me for pre-payment by bank transfer. As it is, no way on God's clean earth they get a passport, and I'm not on Paypal, so will try to use a friend's, but seems my second try to board Hetzner train has bounced - first time I left almost immediately, when I saw spaces not permitted in passwords.)

Hetzner_OL a day ago

Hi there, Katie from Hetzner here. We are extra careful about new accounts because we find that it helps us to prevent abuse, and in situations where a new account is somewhere in the grey zone of possibly real or fake, we may ask for additional information, or a PayPal payment, like in this situation. If you choose PayPal, the €20 will go on your account in the form of credit and will automatically be used towards your future invoices. If you decide to cancel your account, and there is credit left on your account, we will refund you for that amount. For the passport (or other documents) -- We have very strict data protection laws here in Germany and the EU. We only use this data to confirm your identity, and after that, it is automatically deleted from our systems after a short time. We have a data protection team who customers can contact if they have any questions at data-protection@hetzner.com. --Katie

  • casenmgreen a day ago

    So, two or three things.

    1. You replied here, and stated reasonably and rationally Hetzner's case. That's excellent.

    2. I emailed Hetz two days ago, explained the situation (passport a no-no, friend has PP, but I'm signed up with bank transfer so could I just use that).

    Hetz replied saying account has now been enabled and I'm good to go.

    Also excellent.

    3. The observations in this reply about passport - if you've been hacked and not noticed yet, all passports passing through your hands are being exfiltrated (assuming attackers care about them, of course). You'd only realize how long it's been going on for once the breach is detected. I'm not worried about what you are going to use it for, I trust you - the concern is that security is basically impossible and everyone gets breached sooner or later. There's nothing you or any organization can say or do to ameliorate this concern. The basic ground working assumption is: everyone is hacked, if not already, then sooner or later, and it won't be noticed for some time. Given that, how do we behave? what do we do? how do we act? obviously, identity via passports is off the menu.

    Finally, there's no info during sign-up about passport document being held only for a short time; seems potentially useful to have that.

    • Hetzner_OL 11 hours ago

      1. Thanks for the feedback! That's a nice pick-me-up. :D

      2. Glad to hear that worked out.

      3. I understand that many people have reservations about sharing personal documents, and for very valid reasons. We understand that there is a lot of trust involved with this, and we take that responsibility very seriously. If people want more specific information, I genuinely recommend that they write to our data protection team. --Katie

    • bruce511 a day ago

      You're sensitive to your passport information being stolen. You don't trust their security. That's all perfectly OK.

      Fortunately they offer other option(s), which it seems you made use of. So you're all good.

      A different user may have different priorities, and may choose a different option.

      Which is fine. Options are good. There's no requirement that you have to like the ones you don't use.

  • whatamidoingyo a day ago

    > We only use this data to confirm your identity, and after that, it is automatically deleted from our systems after a short time.

    Isn't that what every company says before a data breach proves otherwise? I've been hearing a lot about Hetzner, thought about trying it out, but if the service is requiring me to submit a passport or even any form of ID, then absolutely not. Your service is dead to me.

    • bruce511 a day ago

      It's not requiring you to submit a passport. That is just one of the options.

      Feel free to use a different option.

      • casenmgreen 3 hours ago

        There are two options;

        1. Paypal

        2. Passport

        I do not have Paypal, and would not do passport.

        That's fine - Hetzner's business belongs to them. I did not criticize that no options could be viable; only that passport was an option that should not be in use.

gradschool 5 hours ago

It happened to me too, and I was unable to verify myself by any acceptable means due to being based in a country other than that of my passport. Having been redirected somewhere else for the identity verification onboarding, I think the process is outsourced by Hetzner to a firm of security specialists apparently oblivious to edge cases. Nice work if you can get it.

There's some other specific character besides spaces that's also not permitted in passwords. It's a normal printable ascii character but I can't remember what it is any more, and sometimes it's not caught. Let's hope nobody signs up with it by mistake.

  • casenmgreen 8 minutes ago

    If they're geo checking IP to passport, I also would fail.

arwt 2 days ago

You raised some red flags with the information you provided. This doesn't happen to everyone. A support rep from Hetzner has spoken a bit more about this process on WebHostingTalk before[1], although they don't get into which specific heuristics may result in flagged accounts for obvious reasons. I'd imagine it's a combination of things like unpaid balances on previous accounts, IP address reputation, uncommon e-mail domains and so on.

[1] https://www.webhostingtalk.com/showthread.php?t=1810197&p=10...

  • casenmgreen 2 days ago

    Good.

    I've seen, or I think I've seen, AWS and Twitter giving completely fake "security" reasons for eliciting additional information. I made an account on Twitter, did nothing with it at all, next day was told I violated the T&C and needed to prove my identity by handing over phone number.

    So I'm cagey about this sort of thing. Obviously, actual real security concerns are a good thing to see, people are thinking about the issue and taking care, and asking for validation is naturally what you do and it's better than a flat no. OTOH, passport is BS - solves their security risk but gives me a security risk.

veeti 8 hours ago

So what? If you spend any amount of time traveling outside the EU, there are dozens of copies of your passport floating around on hotel scrap paper, random employees' personal phones and the like. Not to mention any other services, including those in the EU, that require KYC authentication. Just to add a data point, I sent Hetzner my passport in 2009 and nothing bad happened.

  • casenmgreen 3 hours ago

    > nothing bad happened.

    That you know of.

    One can also say the same about smoking cigarettes.

    "I smoked all day long for ten years and nothing bad happened!"

bluelu 2 days ago

Either you want to be a customer or you won't.

Using a friend's paypal will get you banned for sure.

Why not just provide the passport if you want to use their service, if that's their requirement?

  • casenmgreen a day ago

    It's an expensive document which is hard and slow to replace, and when Hetzner get hacked - and they like everyone will be, sooner or later - I would have to do that.

    No problem for Hetzner, and it solves their authentication problem. Big problem for me.

gethly 11 hours ago

Hetzner has had a bad reputation for quite some time. I am not sure why people are mentioning them nowadays again as a provider they are moving to or setting up new accounts. I have noticed this uptick in mentions of Hetzner on the internet via personal stories in past month or two which makes me believe they invested into some guerilla promotion campaign. If you search the internet and go beyond articles older than one year, you will find all the bad stories related to Hetzner and how they treat their customers.

Personally, I tried to set up account with them in the past, fully being aware of their reputation, because of one service I wanted to use. But after I registered and gave them my payment card details, all fully legit, they blocked the account and I never had a chance to use them. So my own personal opinion is that they can pound sand and experiences of other people should not be ignored and you should definitely not risk putting your data or your business reputation into their hands. There are MUCH better providers in Europe that. Again, I have no idea why people even give Hetzner a chance nowadays.

  • casenmgreen 3 hours ago

    I've heard good and bad.

    I've seen complaints about servers disappearing without warning.

    I've also seen people say they're completely happy.

    It seems to me Hetz have good pricing, and technically what seems to be a superior product. I was put off by lack of spaces in passwords (trivial in and of itself, but like... 2025 you know), but I've seen their support do something sensible in my case just now, and Kathy posting here in HN.

  • Hetzner_OL 11 hours ago

    If by "guerilla marketing" you mean me and a few teammates who check places like HN to see what people write and try to write reasonable responses, then yes. Our team posts using accounts that clearly show we are with Hetzner. Other comments are from genuine customers. --Katie

    • casenmgreen 5 minutes ago

      I sensed you were one with dark side, Katie :-)