Important context before the facts: The claim described in this article has not been independently verified. Home.pl has issued no statement. CERT Polska has published no advisory. No Polish or international security outlet had confirmed the listing as of the time of writing. Dark web forum listings frequently contain fabricated, recycled, or misattributed data. This article reports what is being claimed, analyzes the technical structure of the advertised dataset, and provides context for Home.pl customers and the hosting industry. It does not assert that a breach occurred.
What Is Being Claimed
Threat intelligence account @DailyDarkWeb, which monitors cybercrime forums and dark web marketplaces, flagged a listing advertising a dataset the seller claims originates from Home.pl, one of Poland’s largest hosting and domain service providers. The listing describes the dataset as containing “hundreds of thousands” of customer records organized into three sections: customer and prospect contact records, website session tracking data, and marketing campaign assets.
The advertised contact records include fields for first name, email address, postal address, login username, login password hash, phone number, mobile phone, date of birth, account status, region code, marketing opt-in status, language preference, lead source, and CRM metadata including creation timestamps and assigned account manager. The presence of password hashes rather than plaintext passwords is noted in the listing.
The second section, labeled Website Sessions, contains fields for session identifiers, page views, click counts, active status, session type, and dates. The third section covers marketing campaign assets.
The seller’s description frames the dataset as useful for “research, analysis, or understanding the structure of Poland’s relevant sector,” the standard language used in dark web listings to provide legal cover for what is in practice an offer to sell stolen data to cybercriminals. The listing does not state a price publicly. @DailyDarkWeb’s own analyst note concludes: “At this stage, the origin of the data and any attribution to Home.pl remain unverified and require independent validation.”
What the Schema Tells Us
The field structure of the advertised dataset is technically interesting regardless of whether the attribution is accurate. Two details stand out.
First, the contact section’s schema does not match any standard off-the-shelf CRM system. SugarCRM, the most widely deployed open-source CRM in the European mid-market, stores password data in a field named user_hash in a users table, not in a contacts table under a login_password_hash field name. Salesforce, HubSpot, and Microsoft Dynamics do not store password hashes in contact records at all. The presence of login_password_hash directly in a contacts table alongside CRM fields like assigned_to_user, lead_source, and contact_rating suggests either a heavily customized CRM deployment or a proprietary customer management system that merges billing/authentication data with CRM contact records. Both are plausible for a company of Home.pl’s age and complexity.
Second, and more telling, the Website Sessions table uses Polish-language column names: sesja (session), odslony (page views), klikniecia (clicks), aktywny (active), rodzaj (type), datad (date, likely a truncation of “data działania”). No major commercial CRM or analytics platform uses Polish-language database column names. Standard systems localize their user interface but maintain English column names in the underlying database schema. Polish-language column names at the database level point specifically toward a custom-built or internally developed application. That detail is more consistent with a legitimate Polish company’s internal tooling than with a fabricated or recycled dataset relabeled with a Polish provider’s name.
The combination of CRM contact data, authentication hashes, and session analytics in a single export is also structurally coherent. Hosting providers routinely maintain exactly this kind of integrated customer data: a CRM for contact management, an authentication system for control panel logins, and a session tracking layer for customer engagement analytics. The dataset structure, if authentic, would represent an export from three interconnected internal systems rather than a single database dump.
Home.pl: Who They Are and What Is at Stake
Home.pl is not a small regional provider. Founded in Szczecin in 1997, the company claims to host approximately half of all Polish websites and describes itself as the number one web hosting provider in Poland. Its homepage states over 300,000 customers and more than 1,200,000 active services. Home.pl is owned by IONOS SE, itself a subsidiary of United Internet AG, the German publicly traded internet conglomerate that also owns 1&1, IONOS, Strato, and other European hosting brands. United Internet acquired Home.pl in December 2015 for approximately EUR 135 million plus EUR 20 million in debt assumption.
Home.pl holds ISO/IEC 27001:2013 information security certification, ISO 22301:2019 business continuity certification, and EN 50600 Level 3 data center certification. These are displayed prominently on its homepage. The company maintains a support team of more than 400 staff. Its customer base, concentrated in the Polish SMB and professional market, includes businesses across every sector of the Polish economy.
The significance of the alleged dataset, if authentic, scales with that customer base. Hundreds of thousands of records from Poland’s largest hosting provider would represent one of the largest personal data exposures in Polish hosting history. The data types described, including dates of birth, password hashes, phone numbers, email addresses, postal addresses, and account status, constitute a high-value dataset for credential cracking, phishing, and social engineering. A threat actor holding authentic login usernames and hashed passwords for home.pl accounts would have a viable path to account takeover against customers who reuse passwords across services. The marketing opt-in flags and engagement metrics would allow highly targeted phishing campaigns constructed around a target’s known account status and activity patterns.
The Verification Gap and GDPR Obligations
As of the time of writing, Home.pl has published no statement on its blog, help center, or social media channels addressing the alleged listing. CERT Polska has issued no advisory. The Polish data protection authority, UODO (Urząd Ochrony Danych Osobowych), has published no enforcement action or breach notification referencing Home.pl. No Polish security publication, including Niebezpiecznik.pl, Sekurak.pl, or Zaufana Trzecia Strona, has reported the claim.
The absence of coverage does not confirm or deny the claim. Cybercrime forum listings for major providers frequently appear and are verified days or weeks later. They also frequently turn out to be fabricated, recycled from prior breaches, or assembled from publicly available sources relabeled under a known brand. Without independent sample verification, which requires comparing advertised data samples against known-good customer records, attribution cannot be confirmed.
If Home.pl’s internal security team has determined that a breach did occur, GDPR Article 33 imposes a 72-hour notification obligation to UODO from the moment the controller becomes aware of a breach. Article 34 requires notification to affected individuals without undue delay when the breach is likely to result in high risk to their rights and freedoms. A dataset combining passwords, personal contact data, and dates of birth would almost certainly meet that threshold. Home.pl, as part of the IONOS/United Internet group, has mature GDPR compliance infrastructure. If a confirmed breach has not produced a public notification within 72 hours of internal discovery, that either means the breach has not been confirmed internally or that the notification was filed with UODO non-publicly, which the regulation permits in some circumstances.
Poland’s threat context is relevant background. Poland ranked first globally for detected ransomware attacks in the first half of 2025, accounting for approximately 6% of all global incidents, and 88% of Polish organizations reported experiencing a cyberattack or breach in the same period. The country is an active target. In December 2025, Dom Development, one of Poland’s largest residential real estate developers, confirmed unauthorized access to systems containing customer, employee, and contractor personal data. In April 2026, a dataset of 130,000 to 145,000 customer records from two Polish e-commerce companies was published on a hacker forum, covered by Dark Web Informer and Polish security outlets. The Home.pl claim arrives in a threat environment where Polish organizations at every scale are under active pressure.
What Home.pl Customers Should Do Now
The unverified status of this claim does not mean customers should wait for confirmation before acting. The practical risk exists regardless of whether the specific dataset is authentic, because home.pl customer credentials are a known target: phishing campaigns impersonating home.pl’s invoicing and domain renewal systems have been documented since at least 2020, and any exposure of authentic credentials accelerates those campaigns.
Home.pl customers should change their home.pl account password immediately if they reuse it on any other service. A hashed password in a leaked dataset is not plaintext, but it is crackable. Common passwords, short passwords, and passwords based on dictionary words or personal information (including dates of birth, which are also in the alleged dataset) can be recovered from hashes in hours using GPU-accelerated cracking tools. A password that was strong in 2020 may not withstand cracking tools available in 2026 if the underlying hash algorithm is older or lacks adequate salting.
Customers should also enable two-factor authentication on their home.pl account if they have not already done so, audit active sessions through the account control panel for any unrecognized access, and treat any incoming communication that references home.pl account details with heightened suspicion regardless of how convincingly it is formatted. A dataset combining email address, account username, phone number, and account status provides everything needed to construct a convincing phishing message that references accurate personal details.
webhosting.today has contacted Home.pl for comment and will update this article if a response is received.
Łukasz Nowak
Nearly two decades in IT. A decade in web hosting - and still in the trenches. Writing about the infrastructure that runs the internet from the inside.