Cyber criminals breached the systems of web hosting services provider and domain registrar GoDaddy almost seven months ago, with thousands of hosting accounts accessed by an unauthorised individual, the firm has revealed.
In a notification to affected customers that has been made available via the Attorney General’s Office in California, GoDaddy CISO and engineering vice-president Demetrius Comes said the unauthorised individual gained access to login information that its customers used to connect to Secure Shell (SSH) on their hosting accounts.
Comes said an investigation had found no evidence that the attackers had modified or deleted any files on the affected accounts and the perpetrator had now been blocked from the system. All impacted accounts have had their credentials reset.
“Out of an abundance of caution, we recommend you conduct an audit of your hosting account,” said Comes in the customer letter. “This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor.
“On behalf of the entire GoDaddy team, we want to say how much we appreciate your business and that we sincerely regret this incident occurred. We are providing you one year of Website Security Deluxe and Express Malware Removal at no cost.
“These services run scans on your website to identify and alert you of any potential security vulnerabilities. With this service, if a problem arises, there is a special way to contact our security team and they will be there to help.”
This is not the first time GoDaddy has been forced to own up to cyber security failures; indeed, it seems to suffer major incidents with a degree of regularity.
Back in 2017, it was forced to revoke almost 9,000 secure sockets layer (SSL) certificates when a bug in its domain validation processing system resulted in certificates being issued without proper domain validation.
It also hit the headlines in 2018 when data leaked out after it failed to properly lock down an Amazon Web Services Simple Storage Service (AWS S3) instance. This is a non-trivial matter considering that S3 buckets are in fact secure by default and any data exposure or leakage from them is down to actions taken – or not taken – by users, not AWS.
Last year, scammers compromised hundreds of GoDaddy accounts, which they used to redirect visitors to malicious spam websites peddling snake oil products such as miracle diet supplements or brainpower-boosting pills.
And at the end of March 2020, one of its customer service employees was targeted in a spear-phishing attack, in which the attacker was able to modify the records of several GoDaddy customers, including Escrow.com, a transaction brokering site, which had its homepage replaced with a profane message after its DNS records were changed to point to a third-party server.
On this occasion, it is understood that none of Escrow.com’s own systems, customer data or financial information was compromised, and GoDaddy has since introduced more end-user training to stop future phishing attacks.