Tech Insight
Discover how a sophisticated threat actor group compromised millions of customer websites in the recent GoDaddy security breach. Learn about the risks and how to stay protected.
GoDaddy, one of the world's leading domain registrars, announced in a filing with the Securities and Exchange Commission (SEC) on Thursday, February 16th, 2023, that it had experienced multiple security breaches between 2020 and 2022. The company stated that a single threat actor had been responsible for all three incidents and had installed malware on GoDaddy's systems, including on the cPanel hosting servers that customers use to manage websites hosted by the company. As a result, the intruder was able to intermittently redirect customer websites to malicious sites and to carry out other attacks.
A spokesperson for GoDaddy said that the company believes the incidents were part of a multi-year campaign by a "sophisticated threat actor group" to obtain code and information related to some of the company's services. The company has not yet disclosed how many customers were affected, but given that GoDaddy has nearly 21 million customers, the scale of the breach could be significant.
The first thing to note is the severity of the breach, which impacted not just the company but also its customers. The intruder was able to access the cPanel hosting servers used by customers, which could potentially expose customer data, including personal and financial information. Furthermore, the malware installed by the intruder was able to redirect customer websites to malicious sites, which could have resulted in the theft of customer data or the installation of further malware on their systems.
The second issue facing customers is the length of time that the threat actor was able to remain undetected. The filing with the SEC stated that the breaches had occurred over 2-3 years, which suggests that the intruder was able to maintain access to GoDaddy's systems for an extended period. This is particularly concerning, as the intruder may have had ample time to steal data, install further malware, or carry out other malicious activities.
In November 2021, GoDaddy became aware of another incident in which a password was obtained by the threat actor, allowing them access to the source code of GoDaddy's Managed WordPress service. This service simplifies the creation and management of customer sites using the WordPress content management system. Beginning in September of the same year, the unauthorized party used this access to acquire login credentials for WordPress admin accounts, FTP accounts, and email addresses of 1.2 million Managed WordPress customers, both active and inactive.
Unfortunately, these breaches at GoDaddy are a stark reminder of the ongoing threat posed by cybercriminals and the importance of good cybersecurity practices, which don’t appear to be important to GoDaddy. The severity of the breach, the length of time that the threat actor remained undetected, and the potential impact on customers are all causes for major concern.
GoDaddy has been unable to shake its reputation for low-cost but low-quality hosting and support, constantly letting down its customers and allowing breaches to run rampant throughout the business's lifetime.
If you have been affected by these incidents and want to help protect your business against further incidents, contact us at CoreBlue and our security team can help.