
GoDaddy notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH.
The security incident, which took place on October 19, 2019, was discovered on April 23, 2020, after the company's security team found an altered SSH file in GoDaddy's hosting environment and suspicious activity on a subset of GoDaddy's servers.
GoDaddy is the world’s largest domain registrar and a web hosting company that provides services to roughly 19 million customers around the world.
Hosting account passwords reset
"The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account," GoDaddy revealed in the notification letter sent to affected customers.
The company says that it has not yet found any evidence of the attackers adding or modifying any files on the impacted hosting accounts.
Additionally, the company assured the affected users that only their hosting accounts were affected as part of the incident, while their main GoDaddy account was not accessible to the attackers.
"We have proactively reset your hosting account login information to help prevent any potential unauthorized access," GoDaddy added.
Customers are also advised to conduct an audit of their hosting accounts to make sure that everything is in order.
This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor. - GoDaddy
Even though the breach notification letter's wording doesn't point to the exact reason behind this incident, GoDaddy's message and offer of free services show that this was not likely the customers' fault.
"On behalf of the entire GoDaddy team, we want to say how much we appreciate your business and that we sincerely regret this incident occurred. We are providing you one year of Website Security Deluxe and Express Malware Removal at no cost," the letter reads.
"These services run scans on your website to identify and alert you of any potential security vulnerabilities. With this service, if a problem arises, there is a special way to contact our security team and they will be there to help."
BleepingComputer has reached out to GoDaddy for more details but had not heard back at the time of this publication.
Previous GoDaddy issues and compromised accounts
Last year, scammers used hundreds of compromised GoDaddy accounts to create 15,000 subdomains, some of them attempting to impersonate popular websites, to redirect potential victims to spam pages that were pushing snake oil products.
Earlier in 2019, GoDaddy was found to inject JavaScript into US customers' websites without their knowledge, potentially rendering them inoperable or impacting the sites' overall performance.
That script was used to monitor websites for internal bottlenecks, and to collect data on connection time and page load times — so-called Real User Metrics (RUM) — from U.S. customers using cPanel Shared Hosting or cPanel Business hosting.
Update: GoDaddy's Vice President for Corporate Communications told BleepingComputer in an official statement that roughly 28,000 customers' hosting accounts were affected in the incident.
On April 23, 2020, we identified SSH usernames and passwords had been compromised through an altered SSH file in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed the offending SSH file from our platform, and have no indication the threat actor used our customers’ credentials or modified any customer hosting accounts. To be clear, the threat actor did not have access to customers’ main GoDaddy accounts.
Comments
Msunique96 - 5 years ago
This article is such bull$^&^*. They have known about the issues and it goes much further than just the main accounts. The problem with GoDaddy is they have no clue who they are dealing with on this issue. These are very intelligent hackers and my account has been compromised since January and they cannot figure it out. They even sent it to the developers, but at this point it’s been with MS for 5 days and the engineers cannot figure it out either. But I will say that their resolution is to change your password to your GoDaddy account but go ahead and leave (him, her, them, they, or whoever) as the global admin in the Azure portal and it will be okay.
Msunique96 - 5 years ago
https://blog.knowbe4.com/heads-up-new-ransomware-strain-encrypts-cloud-email-real-time-video