GoDaddy, a leading US web hosting company supplying services to many countries, including the UK, recently announced that it has suffered a data breach. The attack involved unknown threat operators stealing its source code and installing malware on its dedicated servers. Reports indicate that the attackers penetrated GoDaddy’s servers after gaining access to its cPanel hosting environment, in what appears to have been a multi-year intrusion.

Details of a data breach

GoDaddy identified the security breach after receiving customer reports in early December last year. Customers reported that the sites they operated were intermittently redirecting visitors to random domains, a sign that the attackers had enjoyed access to the hosting provider’s network for several years.

In a recent SEC filing, the company detailed its findings for the record, commenting:

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”

The hosting provider states that two previously disclosed breaches, one in November 2021 and one in March 2020, were also linked to this extensive multi-year campaign.

The incident in November 2021 resulted in a massive data breach affecting 1.2 million of its Managed WordPress customers after attackers breached GoDaddy’s WordPress hosting environment. The attackers gained access using a compromised company password.

The attack group behind the assault obtained the email addresses of all affected customers, along with their WordPress administrator passwords, database and SFTP credentials, and the SSL private keys of active GoDaddy clients.

Following the data breach in March 2020, the hosting provider alerted around 28,000 clients that a threat operator had used their web hosting account credentials in October 2019 to connect to their hosting accounts over SSH.

Actions after a cyberattack

GoDaddy has said that it is now working closely with external cybersecurity forensics experts and law enforcement agencies worldwide as part of an ongoing investigation to determine the root cause of the breach of its systems.

GoDaddy also confirmed that it has found further evidence linking the malicious actors to a wider campaign that has targeted other hosting companies around the world over the last few years.

The hosting company commented:

“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organised group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

You can find the full announcement here.

GoDaddy is currently one of the world’s largest domain registrars, supplying hosting services to more than 20 million customers across the globe. Hosting providers like GoDaddy are prime targets for threat operators because a single successful intrusion can expose vast volumes of personal data belonging to many customers at once.