The unauthorized attacker was able to connect to accounts using SSH access
The incident was discovered when the GoDaddy security team spotted some suspicious activity on some subset servers.[1] According to the reports, the data breach took place on October 19, 2019. Customers got notified via email because the third-party individual gained access to login credentials that allowed this attacker to connect to hosting accounts via SSH.[2]
SSH is the acronym to secure shell, a network protocol used by system admins, in most cases, to access remote computers. This is a powerful attack vector for criminals since it allows controlling important parts of the network remotely.[3]
The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account.
GoDaddy is one of the largest domain registration and web hosting companies that has around 19 million customers all over the world. The service manages 77 million domains, and millions of websites get hosted using this domain registrar. It is unknown how many customers got notified about the compromised credentials and data breach.
The breach affected hosting accounts only
As the confirmation email signed by the vice-president of engineering, Demetrius Comes, revealed the incident is limited to the hosting account credentials. General GoDaddy customer accounts or information stored in those accounts were not accessible to the individual that managed to get a hold of hosting account login information.[4]
Unfortunately, there are no details on the actions that possibly took place. The company states that there is no evidence about added or modified parts of accounts yet. This unauthorized hacker was blocked from the systems, and the impact across the whole GoDaddy environment is still under investigation.
There are no particular reasons and explanations of how or why this breach happened. To take care of its clients, the company offers Website Security Deluxe and Express Malware Removal services for free. Customers can run these on their websites and get alerts about any potential risks and vulnerabilities.
GoDaddy platform and its customers – a common target of hackers
Unfortunately, GoDaddy company had other issues regarding the security of client accounts. In March, the phishing attack was reported with the name of this company because it affected the employee and led to more damage.[5] Customer service worker was tricked, and the actor gained access to customer records, so information may have been seen and modified. This issue affected another company – the transaction brokering site escrow.com.
Also, last year it was reported that scammers had used some of the compromised GoDaddy accounts to create subdomains impersonating popular pages. These subdomains were used to redirect users to spam pages promoting “miracle” snake oil products. Using celebrity names and pictures, scammers endorsed products and tricked people into visiting sales pages. This was a shady affiliate marketing campaign that compromised the name of a legitimate and popular GoDaddy service with those 15,000 compromised accounts.