- GoDaddy has disclosed a multi-year data breach in which unknown attackers breached its cPanel shared hosting environment.
- The web hosting company revealed that the attackers stole its source code, employee and customer login credentials, and installed malware on its servers.
- GoDaddy says it has put in place security measures to prevent similar attacks from now on and that the company is working with law enforcement to stop the attackers.
GoDaddy, arguably the leading web hosting company, has revealed a multi-year security breach that allowed unknown third parties to access the company’s source code and employee and customer login credentials. The perpetrators also installed malware that redirected customer websites to malicious sites.
The company confirmed,
Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.
The data breach enabled attackers to hijack client websites and accounts.
There’s no denying that no security breach is a good one, but the latest reveal is worse than normal; it might cast some doubt on the company and its services.
How did the breach happen?
In early December last year, GoDaddy received complaints from an unspecified number of customers about their websites being redirected to malicious sites. The company later found that it was a result of an unauthorized third party that had accessed the company’s servers hosted in their cPanel environment.
The perpetrators “installed malware that caused the sporadic redirection of customer websites.” The main objective was to infect servers and websites with malware for phishing campaigns and malware distribution, among other malicious activities.
Although the complaints alerted GoDaddy to the security breach in December 2022, actually the attackers had gained access to their network system several years prior.
According to the company, the latest breach is connected to the earlier breaches. The company revealed that in 2021 a hacker used a compromised password and gained access to the company’s legacy code base. The breach resulted in the exposure of more than 1.2 million emails from active and inactive clients. Furthermore, it exposed the WordPress admin password set up during the provisioning of the website.
Moreover, a threat actor that occurred in early 2020 compromised several hosting login credentials of over 28,000 customers and other login details of a few company personnel. Other things that were affected include SSL private keys and database login information.
One thing is for sure; security breaches alone aren’t a sign that the hosting company has failed – given that mitigation measures can help reduce the severity of a breach.
Therefore, as part of the ongoing investigation, GoDaddy has sought help from external cybersecurity forensics experts as well as law enforcement agencies across the globe. The company stated;
“As we continue to monitor their behavior and block attempts from this criminal organization, we are actively collecting evidence and information regarding their tactics and techniques to help law enforcement.”
Moreover, the company issued an apology to customers as well as website visitors for the inconvenience experienced.
The incident appears to be bad news for the major hosting platforms globally, given that there’s a group dedicated to targeting specifically hosting services. So perhaps, it makes sense to hack a hosting service as it’s a one-stop center for a mammoth of other websites. Besides, the customers are the actual target, which is, unfortunately, bad news for folks currently hosting their websites on the platform.