Unveiling the GoDaddy Breach: Navigating a Timeline of Intrusions
We can consider the GoDaddy website as one of the backbones of the global public internet.
GoDaddy is primarily known as a domain registrar, where you can buy a domain, set up a website and host those domains on their server. They also offer a service specifically for clients that use WordPress to create their websites and host those websites on the GoDaddy server.
GoDaddy and WordPress are known global organisations responsible for many millions of clients, websites and credentials embedded in their systems. As per domainnamestat.com, GoDaddy is one of the most popular domain registrars with 83 million domains as of this moment.
How did those breaches happen, and what did GoDaddy do to protect its customers against threat actors?
Let's walk through the timeline of the GoDaddy breaches:
March 2020 - Initial Compromise of Login Credentials:
In March 2020, GoDaddy first encountered a breach, where a sophisticated threat actor compromised a substantial number of login credentials.
The breach stemmed from a compromised GoDaddy employee account. The attackers obtained the employee's login credentials, likely through a phishing attack or another social engineering technique, and used them to access the company's systems and carry out their malicious activities.
With that unauthorised access, the attackers obtained customers' login credentials and modified DNS records for certain domains, redirecting traffic to malicious websites; approximately 28,000 customers were affected.
GoDaddy took immediate action to address the breach. They reset the passwords for the affected customer accounts and notified them of the incident. The company also launched an investigation to determine the extent of the breach and implemented additional security measures to prevent similar incidents in the future.
GoDaddy also provided complimentary years’ worth of security and malware removal services for those customers affected and has expressed "regret this incident occurred."
This early breach set the stage, highlighting vulnerabilities in GoDaddy's security landscape, affecting both customers and internal employees.
How did the breach impact the business?
GoDaddy lost critical customer information, including email addresses, customer numbers, and various login credentials associated with their hosting services. While GoDaddy managed to reset some credentials, compromising customer email addresses remains a significant concern, potentially paving the way for dark web sales and widespread phishing or business email compromise campaigns.
GoDaddy lost the data of up to 1.2 million active and inactive WordPress customers: their email addresses, customer numbers and other login credentials associated with the hosting service were exposed.
Beyond compromising customer data, GoDaddy faced financial ramifications, including investigation and response fees, regulatory costs, assessment expenses, and legal liabilities.
GoDaddy implemented enhanced security measures, including strengthening their network defences and conducting thorough investigations to identify the root cause of the breach. They also promptly notified affected customers and provided them with guidance on how to protect their accounts and personal information.
December 2022 - Compromised cPanel Hosting Servers:
In the early days of December 2022, a series of customer complaints emerged, echoing concerns of websites intermittently redirecting users to unfamiliar destinations. What initially appeared as a technical glitch unfolded into a breach of the hosting servers for cPanel.
It turned out that an attacker had breached and planted malware on the company's hosting servers for cPanel, a control panel program for Web hosts. This malware intermittently redirected users from the websites they intended to visit, to malicious sites.
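Both symptoms described on this page, DNS records changed to point elsewhere (March 2020) and hosting servers intermittently redirecting visitors off-site (December 2022), can be caught by comparing what is observed against what the site owner expects. The following monitor is an added example written for this article, not GoDaddy's tooling; the baseline records, hostnames and captured responses are constructed, and nothing is resolved or fetched over the network.

```python
"""Detect DNS record drift and off-site HTTP redirects from captured data."""
from urllib.parse import urlparse

# Constructed baseline: the records the domain owner authorised at the
# registrar. Keys are (name, record type); values are the expected answers.
BASELINE = {
    ("shop.example.com", "A"): {"198.51.100.10"},
    ("www.example.com", "CNAME"): {"shop.example.com."},
    ("example.com", "MX"): {"10 mail.example.com."},
}


def dns_drift(observed):
    """observed: {(name, type): set(answers)} gathered by a resolver poll.
    Returns (name, type, unexpected, missing) for every baseline record whose
    answers differ; an empty list means the zone still matches the baseline."""
    findings = []
    for (name, rtype), expected in BASELINE.items():
        seen = observed.get((name, rtype), set())
        unexpected = seen - expected   # answers the owner never configured
        missing = expected - seen      # authorised answers that disappeared
        if unexpected or missing:
            findings.append((name, rtype, sorted(unexpected), sorted(missing)))
    return findings


def offsite_redirects(samples, site_host):
    """samples: list of (status, Location header) pairs from repeatedly
    fetching the same page. Intermittent redirects only show up when the
    page is sampled many times, so every sample is inspected. Any 3xx whose
    target host is neither the site nor one of its subdomains is reported."""
    bad = []
    for status, location in samples:
        if not (300 <= status < 400) or not location:
            continue
        host = urlparse(location).hostname
        if not host:
            continue  # relative redirect such as /login stays on the site
        if host != site_host and not host.endswith("." + site_host):
            bad.append(location)
    return bad


if __name__ == "__main__":
    # Constructed poll in which the A record has been changed to a foreign IP.
    polled = dict(BASELINE)
    polled[("shop.example.com", "A")] = {"203.0.113.77"}
    print(dns_drift(polled))
    captured = [(200, None), (302, "/login"),
                (302, "https://malicious.invalid/x"), (200, None)]
    print(offsite_redirects(captured, "shop.example.com"))
```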
After investigating, GoDaddy confirmed with the help of law enforcement that this incident was carried out by a sophisticated and organised group targeting hosting services like GoDaddy, and they believe it is the same threat actor behind the previous breaches.
GoDaddy issued a separate statement stating: “Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections.”
What can we learn from these breaches?
The GoDaddy breaches taught us that cybersecurity is a shared responsibility. From keeping strong passwords to quickly responding to incidents, protecting our digital lives is crucial. Learning and adapting from such events ensures a safer online space for all of us.
Investing in Cybersecurity Education is a must!
Cybersecurity is a shared responsibility. Educating employees, customers, and stakeholders about cybersecurity best practices is crucial for creating a resilient defence against evolving threats.
Nice article. I think despite GoDaddy trying to make up by giving freebies, this breach will have ramifications.
I think time will tell in this case.