GoDaddy.com, the largest online website name registrar, was breached by cyber criminals on October 23, but the threat was not exposed until April 23, GoDaddy told Threatpost. The company is warning customers that the breach may have exposed their hosting account credentials. GoDaddy said that the breach only affected web hosting accounts, not general GoDaddy.com customer accounts, and that no customer data in these main accounts was accessed. The domain registrar has more than 19 million customers worldwide, but apparently only 28,000 were affected by the cyber attack.
GoDaddy’s statements on the attack: “On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment,” GoDaddy’s spokesperson told Threatpost. “This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”
The company filed a data breach notice with the California Attorney General stating that they “identified suspicious activity on a subset of our servers and immediately began an investigation.” The problem is that they did not identify the breach of privacy or unauthorized access until seven months after the initial hack. They state that the breach happened in October of 2019, but they did not take action or alert anybody until April 23.
The probability that a cyber criminal had access to GoDaddy users’ hosting credentials and more for seven months and did not maliciously interfere with the accounts is incredibly low. Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said via email to Threatpost, “It just doesn’t add up. GoDaddy should provide more information into the investigation and evidence to support this claim as well as explain why it took almost half a year to detect.” GoDaddy stated they responded immediately to the threat, but never revealed exactly how the cyber attack happened, which leaves the actual breach even more vague. GoDaddy also said they reset the passwords of all users who were part of the breach, but recommended that customers personally check their own account info just to be sure they were not affected.
This is not GoDaddy’s first time dealing with a privacy breach either. In March, one of their technicians fell victim to a phishing lure used to gain access directly to GoDaddy’s servers, according to KrebsOnSecurity. In 2018, GoDaddy exposed high-level configuration information for tens of thousands of systems in Amazon AWS due to a cloud misconfiguration.
If you use GoDaddy for your domain, make sure to double-check that your account was not accessed during the breach. It is highly unlikely, because the attack only targeted web hosting accounts and not the average user, but there could be more information GoDaddy has yet to reveal. Your best security is yourself: regularly checking and changing passwords for any accounts that contain private and sensitive information is a good way to help prevent your data from being stolen.