Fake Hotjar / FullStory session recording and heatmap subscription payment failed, session recordings and heatmaps suspended, or replays and UX analytics inaccessible phishing

Phishing emails impersonating Hotjar or FullStory claiming the session recording subscription payment has failed, session recordings and heatmaps are suspended, user recordings are no longer collecting, or replays and UX analytics are inaccessible — directing them to update billing or restore their subscription through a credential-harvesting portal. A distinct attack category targeting UX analytics and session recording tools. Key facts: (1) Hotjar serves 1,300,000+ registered users with 170,000+ paying customers ($32-171/month Business/Scale) used by product managers, UX researchers, and marketing teams to record user sessions, generate heatmaps, and collect feedback surveys — Hotjar session recordings are typically running continuously and capturing every user session; a billing suspension that stops recordings creates a gap in the product analytics data stream that cannot be retroactively filled; (2) The 'heatmaps and session recordings suspended' hook is effective because Hotjar data is time-critical: if session recordings stop during a product launch, A/B test, or marketing campaign, the behavioral data from that period is permanently lost; UX teams losing Hotjar data mid-experiment face the choice of restarting the experiment or making decisions with incomplete data; (3) FullStory serves 3,000+ enterprise customers ($???/month, enterprise pricing only) used by enterprise product and CX teams for Digital Experience Intelligence — FullStory session recordings are typically integrated into customer support workflows (support agents use FullStory to watch the session a customer had when they reported a bug); billing suspension breaks this support-debugging workflow; (4) LogRocket (also covered by this signal) serves product and engineering teams who use session recordings for bug reproduction — 'your LogRocket session recordings have been suspended' during active product development creates urgency because engineering teams cannot reproduce reported bugs without session replay; (5) Hotjar and FullStory credentials expose session recordings that may contain users entering sensitive information, heatmaps revealing which parts of a product users interact with most (competitive intelligence), and feedback survey responses including customer complaints about product issues. Warning signs: sender not hotjar.com/fullstory.com/logrocket.com; genuine Hotjar billing at hotjar.com/account; FullStory billing at app.fullstory.com.