GoDaddy says a multi-year breach hijacked customer websites and accounts

Three breaches over as many years all carried out by the same threat actor.

GoDaddy said on Friday that its network suffered a multi-year security compromise that allowed unknown attackers to steal company source code and customer and employee login credentials, and to install malware that redirected customer websites to malicious sites.

GoDaddy is one of the world’s largest domain registrars, with nearly 21 million customers and revenue in 2022 of almost $4 billion. In a filing Thursday with the Securities and Exchange Commission, the company said that three serious security events starting in 2020 and lasting through 2022 were carried out by the same intruder.

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company stated. The filing said the company’s investigation is ongoing.

The most recent event occurred last December when the threat actor gained access to the cPanel hosting servers customers use to manage websites hosted by GoDaddy. The threat actor then installed malware on the servers that “intermittently redirected random customer websites to malicious sites.”

“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” company officials wrote in a separate statement published on Thursday. “According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”

A separate event occurred in March 2020, when the threat actor obtained login credentials that gave it access to a “small number” of employee accounts and the hosting accounts of roughly 28,000 customers. The hosting login credentials didn’t provide access to the customers' main GoDaddy account. The breach was disclosed in May 2020 in a notification letter sent to affected customers. The company said on Thursday it’s responding to subpoenas related to the incident that the Federal Trade Commission issued in July 2020 and October 2021.

GoDaddy discovered a separate incident in November 2021 when the threat actor obtained a password that gave access to source code for GoDaddy’s Managed WordPress service, which streamlines the creation and management of customer sites using the WordPress content management system. Starting in September of that year, the unauthorized party used the access to obtain login credentials for WordPress admin accounts, FTP accounts, and email addresses for 1.2 million current and inactive Managed WordPress customers. GoDaddy disclosed the breach on November 22, 2021.

Over the years, security lapses and vulnerabilities have led to a series of suspicious events involving massive numbers of sites hosted by GoDaddy. In 2019, for instance, a misconfigured domain name system service at GoDaddy allowed hackers to hijack dozens of websites owned by Expedia, Yelp, Mozilla, and others and use them to publish a ransom note threatening to blow up buildings and schools. The DNS vulnerability exploited by the hackers had come to light three years earlier.

Also in 2019, a researcher uncovered a campaign that used hundreds of compromised GoDaddy customer accounts to create 15,000 websites that published spam promoting weight-loss products and other goods promising miraculous results.