UPDATE
GoDaddy, the world’s largest domain name registrar, is warning customers that attackers may have obtained their web hosting account credentials.
An “unauthorized individual” was able to access users’ login details in an intrusion that the company said took place back in October — the company told Threatpost that the issue was discovered on April 23.
The company said that the breach only affected hosting accounts, not general GoDaddy.com customer accounts, and that no customer data in the main accounts was accessed. The Scottsdale, Ariz.-based company has more than 19 million customers worldwide, but only 28,000 were affected by the attack.
The company didn’t confirm how long the attacker had access to the credentials. GoDaddy did give Threatpost a comment:
“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment,” a spokesperson told Threatpost. “This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”
Meanwhile, “we recently identified suspicious activity on a subset of our servers and immediately began an investigation,” the company said in a data-breach notice filed with the California Attorney General, obtained by media. “The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.”
SSH is typically used to log into a remote machine and execute commands, but it’s also used to transfer files using the associated SSH file transfer (SFTP) or secure copy (SCP) protocols.
“GoDaddy indicates that the customer accounts were breached in October of 2019, however, has apparently only just now detected the compromise and notified customers,” Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said via email. “If this is the case, it means the attacker had control of GoDaddy customer hosting accounts for about seven months before they were discovered. GoDaddy stated to the affected customers that ‘we have no evidence that any files were added or modified on your account,’ however it seems highly implausible that an attacker would have access for that long without attempting anything nefarious. It just doesn’t add up. GoDaddy should provide more information into the investigation and evidence to support this claim as well as explain why it took almost half a year to detect.”
The company also said that it launched an investigation “immediately” upon discovering the breach, but didn’t say how the attack was carried out. Threatpost has asked for any technical details on the incident.
In response to the incident, GoDaddy has reset affected users’ passwords: “We have proactively reset your hosting account login information to help prevent any potential unauthorized access…out of an abundance of caution, we recommend you conduct an audit of your hosting account.”
This is only GoDaddy’s most recent data breach – in March an attacker phished an employee to gain access to GoDaddy’s internal support system, and went on to change at least five customer’s domain name entries.
“It’s a terrible security practice, but it’s also not uncommon for support technicians to enter sensitive information such as account passwords into notes in their ticket tracking systems,” Clements said. “It’s not hard to imagine that with access to an internal support system that attackers could have exfiltrated as much of the ticketing system data as possible to later comb through for other avenues of attack. While this hasn’t been confirmed, it would easily explain the source of the new attacks.”
GoDaddy also exposed high-level configuration information for tens of thousands of systems (and competitively sensitive pricing options for running those systems) in Amazon AWS back in 2018, thanks to yet another cloud storage misconfiguration.
This article was updated at 5 p.m. ET on May 5, with a statement from GoDaddy.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.