GoDaddy’s latest data breach revelations could deal a serious blow to user confidence, security experts have warned.
The US firm revealed last week that it had fallen victim to a ‘multi-year’ security incident which invoilved hackers stealing source code and installing malware that redirected hosted sites to malicious pages.
In an SEC filing on 16 February, the domain hosting service confirmed that several security incidents spanning nearly three years were carried out by the same threat actor(s).
GoDaddy said that, in December, an initial investigation into customer complaints that their websites were being “intermittently redirected” found that an unauthorised third party had gained access to servers in the company’s cPanel shared hosting environment.
Attackers were found to have installed malware, causing the redirection of customer websites.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organised group targeting hosting services like GoDaddy,” the company said in a statement last week.
“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”
Jonathan Wood, CEO at C2, said the “broad scope” of the GoDaddy incident should be of serious concern to users of the hosting service.
“One of the most concerning possibilities is if they had access to the Domain Name Server (DNS),” he said. “This would allow them to create a tag for anyone that visits a website. From infidelity to porn websites, it would allow the attacker to identify the IP address of every visitor.”
“Another concerning possibility is that they could have been redirecting emails from mailboxes hosted on GoDaddy,” he added.
Recurring incidents
The December investigation follows a string of major security incidents at GoDaddy in recent years.
In March 2020, login credentials belonging to employee accounts and around 28,000 GoDaddy customers were exposed in a security incident. While these login credentials did not provide access to customers’ main GoDaddy accounts, the breach sparked concerns over the company’s security practices.
Similarly, in November 2021, a separate security incident at the firm saw threat actors gain access to source code for GoDaddy’s Managed WordPress service.
An investigation into the breach found that an unauthorised party had been able to access login credentials for more than two months. This included login details for WordPress admin accounts, FTP accounts, and email addresses belonging to 1.2 million customers.
GoDaddy was heavily criticised for its handling of the 2021 security incident amid claims that it had not been transparent and forthright with customers.
The security breach was made public after journalists discovered details contained in SEC filings. Only after reports of the breach emerged in the media did the company respond and issue a statement to customers.
Wood noted that, as with previous breaches, GoDaddy is yet to provide clarity on the scale and severity of the incident, and this could further harm user confidence.
“Few customers will be pleased to continue reading about the breach without having clarity on what it means to them,” he warned.
Missed opportunities
Will Richmond-Coggan, a data breach litigation specialist at national law firm Freeths, told IT Pro that the GoDaddy revelations will have serious long-term implications for the company.
“The impact on the company will be particularly serious because it appears that two previously notified breaches were aspects of the same concerted attack,” he said.
“This might suggest that opportunities were missed to close vulnerabilities or root out installed malware at an earlier stage, which would inevitably have limited the nature and extent of the harm for customers.”
Richmond-Coggan added that the GoDaddy breach highlights the critical importance of proposed legislation that aims to introduce more stringent standards on internet ‘gatekeepers’ and protect users.
“This demonstrates the importance of legislation that is being brought forward in the UK and Europe aimed at imposing higher standards on the so-called 'gatekeepers' of the internet - to ensure that they protect all of those who use their services to develop, host and transact online, and the ultimate end users whose data and money is frequently the ultimate target of these attacks."
