GoDaddy, a domain registration and website hosting company, has released a security bulletin stating that its internal systems have been penetrated by hackers for several years.
According to the investigation, the hackers may have first breached the cPanel shared environment in 2019 and installed malicious software on GoDaddy servers to continue their attacks.
Over the next few years, GoDaddy was unaware of the breach, leading to critical data and even customer-hosted websites being hijacked.
It wasn’t until December 2022 that a user reported that their website would randomly redirect to other sites, prompting GoDaddy to investigate and confirm the breach.
Investigations found that the advanced threat actors who had penetrated the internal system were linked to security incidents that occurred at GoDaddy in 2019, 2020, and 2021.
For example, in October 2019, hackers used credentials to SSH into hosting accounts, affecting at least 28,000 GoDaddy customers.
In November 2021, GoDaddy was hit by a massive data breach, affecting 1.2 million WordPress sites hosted on GoDaddy.
What data did the hackers successfully obtain? All affected customers’ email addresses, website administrator passwords, database passwords, and even private keys were stolen.
GoDaddy itself had all its source code stolen by the hackers, and while GoDaddy didn’t say it, it’s likely that other critical internal data had also been compromised.
The investigation revealed that the hacker group that penetrated GoDaddy was highly specialized and targeted hosting providers, and there was evidence that other peers had been hacked.
However, GoDaddy did not disclose which peers had been hacked, or it could just mean that they want to express that others have also been hacked and it’s not just their problem.
It’s worth noting that in the security bulletin, GoDaddy didn’t mention domain names at all, which probably indicates that the hackers’ target was data rather than domain names.
Currently, there are over 61 million domains registered with GoDaddy, and if the hackers wanted to, obtaining these domains should also be a straightforward task.
In conclusion, GoDaddy has only briefly mentioned the security incident on its official website, and all other details can only be found in the SEC filing.