GoDaddy hack exposes 1.2 million customers

06 December 2021

Internet domain and web hosting firm GoDaddy said almost 1.2 million of its customers’ accounts were exposed in a recent hack.

The US giant filed an incident report with the Securities and Exchange Commission (SEC), stating it had identified ‘suspicious activity’ in its Managed WordPress hosting environment.

According to the document, “an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress”.

GoDaddy admitted that emails and customer numbers were collected during the attack and warned that this could result in phishing attacks, a type of scam where an attacker sends a fraudulent message designed to trick the victim into giving them sensitive information.

“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” chief information security officer Demetrius Comes said in the filing.

GoDaddy said it had immediately blocked the unauthorised third party and that an investigation was ongoing. The firm found that the unauthorised third party accessed its system on September 6, 2021, but it did not identify the attack until November 17.

For active customers, the usernames and passwords for SSH File Transfer Protocol, a network protocol that provides file access, transfer and management over a data stream, and for databases were exposed.

However, the filing says GoDaddy has reset both passwords.

“We are sincerely sorry for this incident and the concern it causes for our customers,” Comes wrote in the SEC filing. “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

Martin Riley, director of managed security services at Bridewell Consulting, told Networking+ that “it’s no surprise that the GoDaddy breach took over two months to be identified”, though this is “better” than the 270-day average cited by the Ponemon data breach report.

“The breach of 1.2 million customer accounts is going to be expensive in terms of the total cost of ownership from detection to recovery,” he said. “The report highlights that a managed hosting service operating legacy code was the root cause for the breach, which suggests that there are very technical controls around vulnerabilities and monitoring within these areas of GoDaddy’s architecture.”

Riley added that once the incident has been addressed, the key learning for GoDaddy is to increase focus on threat detection and response, which increases visibility for the security operations teams. “By leveraging services such as managed detection and response (MDR), technology can be deployed to improve detection, containment and eradication of threats within hours and minutes, not days and weeks,” he continued. “The Ponemon report suggests that there is a cost of $175 for each customer PII record breached, equating to a potential total cost to GoDaddy of $280m. I think it’s safe to say an improved security operations strategy would have a much smaller price tag.”

In 2012, a separate incident shut down all websites hosted on GoDaddy’s system.

GoDaddy confirmed a more recent attack in May 2020, admitting that 28,000 customer hosting accounts were compromised in a security breach.