Popular web hosting and domain registrar GoDaddy has fallen victim to a data breach involving around 28,000 customers. The incident has prompted a torrent of new concerns around the safety of the company’s servers and around web hosting accounts more generally, and brought about new calls for the use of better authentication methods.
GoDaddy, the world’s largest provider of web hosting accounts, boasts an impressive 19 million customers and manages 77 million domains in total. As a result, a data breach targeting a company of such a magnitude has disastrous potential. While the full extent of the data breach has yet to be fully determined, the company has nonetheless claimed that the affected users have not suffered a significant loss of data.
What we know so far
News of a security incident at GoDaddy first surfaced in an email sent by the company’s CISO and vice president of engineering, Demetrius Comes. Addressed to the State of California Department of Justice, the email stated that an unauthorized individual had gained access to the login information of web hosting accounts that connect them to the secure shell (SSH).
The data breach incident reportedly took place on October 29 of last year, and went on undetected for six months until April 23, 2020 when GoDaddy employees noticed that a subset of one its servers was displaying suspicious activity.
It later emerged that the credentials of an unknown number of web hosting accounts were compromised, and an internal investigation into the matter has yet to reach a conclusion.
“We have no evidence that any files were added or modified on your account,” wrote Comes in the email. “The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.”
What customers with web hosting accounts should know
GoDaddy has made efforts to assure its customers that, while the breach had indeed compromised millions of web hosting accounts, the damage caused by the attack had been minimal and swiftly brought under control.
Comes, for example, added in his email that GoDaddy had acted quickly and pragmatically to minimize the impact of the data breach. “We have proactively reset your hosting account login information to help prevent any potential unauthorized access; you will need to follow these steps in order to regain access. Out of an abundance of caution, we recommend you conduct an audit of your hosting account,” he said.
Comes assured customers that that their “main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor.”
GoDaddy itself released a statement on May 5, in which it confirmed that the number of customers affected stood at approximately 28,000.
“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers,” the company’s statement reads.
“We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers credentials or modified any customer hosting accounts. The individual did not have access to customers main GoDaddy accounts.”
GoDaddy data breach in context
As GoDaddy’s statement indicates, there is so far little that is known about the origin of the data breach affecting web hosting accounts. However, some speculation has circulated as to how the attack might have been launched in the first place.
Back in March, for example, a customer service representative at GoDaddy fell victim to a phishing attack. According to security news website KrebsOnSecurity, the hacker was able to view and edit several customer records—including the domain settings for a number of GoDaddy customers such as Escrow.com, a well-known transaction broker.
As technology reporter Lance Whitney points out, when a data breach typically occurs, it usually takes advantage of some underlying vulnerability or human error in order to gain unauthorized access. “Savvy cybercriminals are continually hunting for weaknesses and flaws within an organization’s network,” he writes in TechRepublic. “That’s why businesses must make a concerted effort to maintain and strengthen their security measures, especially when they hold the keys to private customer data.”
This is supported by Anurag Kahol, CTO at cybersecurity solutions firm Bitglass. According to him, the data breach serves to highlight the need for stronger cybersecurity oversight—not only for providers of web hosting accounts, but for organizations in general.
“This security incident impacting GoDaddy customers underscores why organizations need to have full visibility and control over their data,” Kahol said. “While the web hosting giant confirmed that the breach only affected hosting accounts and not customer accounts or the personal information stored within them, hackers can still leverage the database of login credentials and commit account takeover.”
More specifically, the incident provides an opportunity for more secure methods of authentication to be integrated into providers of web hosting accounts, with the traditional ‘username-password’ combination not being enough to contend with the rate at which cybercriminality has advanced in recent years.
“As unauthorized parties were able to connect to users’ hosting accounts, it’s clear stronger authentication methods are needed,” asserts Rober Prigge, CEO of Jumio. Prigge points out that GoDaddy, which was a pioneer in internet security during its fledgling years in the 1990s, still has a long way to go in this regard today.
GoDaddy’s #databreach went undetected for six months until employees noticed suspicious activity on a subset of servers. #respectdata
Click to Tweet
“GoDaddy’s response to reset passwords and provide complimentary web security and malware services is simply not enough,” Prigge adds. “How can GoDaddy ensure these new passwords won’t also result in unauthorized account access once the year ends?”