GoDaddy says a multi-year breach hijacked customer websites and accounts
Three breaches over as many years all carried out by the same threat actor.
GoDaddy, one of the world’s largest domain registrars, has confirmed that its network has been the victim of a sophisticated and sustained attack by unknown attackers over multiple years, resulting in the theft of company source code, customer and employee login credentials, and the installation of malware that redirected customer websites to malicious sites.
The company has nearly 21 million customers and generated revenue of almost $4 billion in 2022, making it one of the most popular domain registrars globally. However, despite its popularity, the company has faced several security incidents in recent years, leading to concerns about its cybersecurity practices.
In a filing with the Securities and Exchange Commission (SEC), the company reported three serious security events that started in 2020 and lasted through 2022 and were carried out by the same intruder. The most recent event occurred in December 2022, when the threat actor gained access to cPanel hosting servers, causing customer websites to be intermittently redirected to malicious sites.
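Intermittent redirects of the kind described above are easy to miss with a single manual check, because a hijacked host may only redirect some fraction of visitors. The monitor below is an added example (not GoDaddy's code and not taken from the article): it samples a site repeatedly, records the first redirect hop without following it, and flags any `Location` that points off the site's own domain. The hostnames `example-site.test` and `bad.example` and the sample responses are constructed for the demonstration.

```python
"""Flag intermittent off-site redirects for a hosted website.

Added example, not GoDaddy's code. A defender runs fetch_sample() on a
schedule and feeds the recorded (status, location) pairs to
classify_samples(); the samples below are constructed, not real data.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed hostnames for the demo (assumptions, not from the article).
SITE_HOST = "example-site.test"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urlopen then raises HTTPError carrying the 3xx


def fetch_sample(url, timeout=10):
    """Fetch url once and return {"status": int, "location": str|None}.

    Network helper for live monitoring; not exercised by the offline demo.
    """
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return {"status": resp.status, "location": resp.headers.get("Location")}
    except urllib.error.HTTPError as err:
        return {"status": err.code, "location": err.headers.get("Location")}


def same_site(location, site_host):
    """True if a Location header stays on site_host or one of its subdomains.

    A relative Location (no hostname) is a same-site redirect by definition.
    """
    host = (urlsplit(location).hostname or "").lower()
    if not host:
        return True
    site_host = site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def classify_samples(site_host, samples):
    """Count samples that redirected off-site and collect the target hosts."""
    report = {"total": len(samples), "redirected_offsite": 0, "targets": set()}
    for sample in samples:
        status, location = sample["status"], sample.get("location")
        if 300 <= status < 400 and location and not same_site(location, site_host):
            report["redirected_offsite"] += 1
            report["targets"].add(urlsplit(location).hostname.lower())
    report["targets"] = sorted(report["targets"])
    return report


def is_suspicious(report, min_ratio=0.05):
    """Alert when any meaningful share of samples leaves the site.

    Even a small ratio matters: an intermittent hijack is designed to keep
    most requests looking normal.
    """
    if report["total"] == 0:
        return False
    return report["redirected_offsite"] / report["total"] >= min_ratio


# Constructed observations: 8 normal responses, 2 legitimate same-site
# redirects, and 2 intermittent redirects to an off-site host.
SAMPLES = (
    [{"status": 200, "location": None}] * 8
    + [{"status": 301, "location": "/login"}]
    + [{"status": 302, "location": "https://www.example-site.test/"}]
    + [{"status": 302, "location": "http://bad.example/landing"}] * 2
)


def run_demo():
    """Classify the constructed samples and return the report."""
    return classify_samples(SITE_HOST, SAMPLES)


if __name__ == "__main__":
    rep = run_demo()
    print(rep, "suspicious" if is_suspicious(rep) else "clean")
```

Run against real traffic, vary the request headers and source addresses between samples, since redirect logic planted on a compromised host often keys on them, and treat any off-site target as an indicator to investigate, not just the ratio threshold.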
According to the company’s statement, “We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”
The company believes that the attacks are part of a sophisticated campaign by a threat actor group to infect websites and servers with malware for malicious activities such as phishing campaigns and malware distribution. GoDaddy's investigation into the matter is ongoing, and the company has not provided any details regarding the identity of the attackers or how they managed to breach its security systems.
In addition to the December 2022 attack, the company disclosed a breach in November 2021 when the threat actor obtained a password that gave access to source code for GoDaddy’s Managed WordPress service, compromising the login credentials for WordPress admin accounts, FTP accounts, and email addresses of 1.2 million Managed WordPress customers. The company disclosed the breach on November 22, 2021.
Furthermore, a separate event occurred in March 2020, when the threat actor obtained login credentials that gave it access to a “small number” of employee accounts and the hosting accounts of roughly 28,000 customers. The hosting login credentials didn’t provide access to the customers' main GoDaddy account. The breach was disclosed in May 2020 in a notification letter sent to affected customers.
The company has responded to subpoenas related to the incident that the Federal Trade Commission (FTC) issued in July 2020 and October 2021. The FTC has the authority to investigate security breaches and take enforcement actions against companies that fail to protect customer data adequately. GoDaddy is cooperating with the FTC’s investigation, and the company has not provided any further information about the subpoenas.
Over the years, GoDaddy has faced several security lapses and vulnerabilities leading to suspicious events involving massive numbers of sites hosted by the company. In 2019, for instance, a misconfigured domain name system service at GoDaddy allowed hackers to hijack dozens of websites owned by Expedia, Yelp, Mozilla, and others and use them to publish a ransom note threatening to blow up buildings and schools. The DNS vulnerability exploited by the hackers had come to light three years earlier.
Also in 2019, a researcher uncovered a campaign that used hundreds of compromised GoDaddy customer accounts to create 15,000 websites that published spam promoting weight-loss products and other goods promising miraculous results.
These incidents highlight the need for companies to take their cybersecurity practices seriously and implement measures to protect their systems and data from unauthorized access. The consequences of a security breach can be severe, including damage to the company’s reputation, loss of
GoDaddy's announcement of the security incidents came as a shock to many, especially since the company is one of the world's largest domain registrars, with almost 21 million customers and revenue of nearly $4 billion in 2022. GoDaddy has a responsibility to protect its customers' data and ensure that their websites remain secure, so the fact that they suffered three significant security incidents over two years is deeply concerning.
GoDaddy has assured its customers that it is taking the necessary steps to investigate the breaches and improve its security measures. The company has also said that it is cooperating with law enforcement agencies in their investigations. However, it is unclear what exactly these steps entail and whether they are sufficient to prevent similar security incidents from occurring in the future.
The breaches at GoDaddy are just the latest in a series of high-profile security incidents involving large companies. In recent years, companies such as Equifax, Target, and Capital One have suffered significant data breaches that have compromised the personal and financial information of millions of customers. These incidents highlight the need for companies to prioritize cybersecurity and invest in robust security measures.
One of the reasons why large companies are particularly vulnerable to security breaches is because of their complexity. Large companies typically have numerous systems, applications, and databases, which can make it difficult to manage and secure them all. Additionally, large companies often have a large number of employees, contractors, and third-party vendors, all of whom may have access to sensitive data.
One way that companies can mitigate their cybersecurity risks is by adopting a zero-trust security model. In a zero-trust security model, every user, device, and application is treated as a potential threat, and access is granted only on a need-to-know basis. This approach can help companies reduce their attack surface and limit the potential damage caused by a security incident.
Another critical component of a robust cybersecurity program is regular security testing and vulnerability assessments. By regularly testing their systems and applications, companies can identify and address security vulnerabilities before they can be exploited by attackers.
In conclusion, the security incidents at GoDaddy underscore the importance of cybersecurity for large companies. With so many customers and such a significant amount of revenue at stake, companies like GoDaddy must prioritize cybersecurity and invest in robust security measures to protect their customers' data and ensure the integrity of their systems. While the company has assured its customers that it is taking steps to improve its security measures, it remains to be seen whether these measures will be sufficient to prevent similar security incidents from occurring in the future.