GoDaddy Investigates a Series of Cyber Attacks on Its Infrastructure

GoDaddy is investigating a series of attacks on its infrastructure that it first learned about following customer complaints late last year.

Website owners said that their sites were redirecting visitors to random domains in what later transpired to be a sophisticated and ongoing attack.

In a statement, GoDaddy confirmed that it was alerted to the suspicious activity in December 2022, and an investigation revealed that criminal hackers had stolen source code and installed malware on its systems.

An ongoing breach

This breach at first appeared to the latest in a series of unconnected data breaches that GoDaddy had suffered in the past three years. However, the organization’s investigation revealed that all three incidents were caused by the same vulnerability – something of a blessing and a curse.

On the one hand, it explains why the organization has suffered quite so many data breaches. But on the other, it’s concerning that the vulnerability has only now been identified.

Following the March 2020 data breach, GoDaddy notified 28,000 customers that a cyber criminal used compromised web hosting account credentials to connect to their hosting account via SSH.

In the organization’s Form 10-K – an annual report that US companies are required to file with the Securities and Exchange Commission – it provided more details of the attack, and explained how it was connected to other incidents.

The second incident was discovered in November 2021, and resulted in a data breach compromising the accounts of 1.2 million Managed WordPress customers. The criminal hackers reportedly breached GoDaddy’s WordPress hosting environment using a compromised password.

They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.

Discussing the latest incident, GoDaddy explained that attackers planted malware that “intermittently redirected random customer websites to malicious sites.”

GoDaddy said it is continuing to investigate the root cause of the incident. “Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy”.

It added that it’s monitoring the behaviour of, and blocking attacks from, the organization responsible, and is enhancing its security to “further protect its customers and their data.”