GoDaddy Breached 3 Times in Multi-Year Campaign

GoDaddy, a domain registrar and web hosting service with over 20 million customers, disclosed last Friday that an unknown group of cybercriminals has gained access to customer accounts three times in the last three years.

In an SEC filing, GoDaddy said, "These incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy."

The most recent breach occurred in December 2022. GoDaddy received customer complaints that their sites were being hijacked to redirect users to unknown, malicious domains. After investigating the matter, it was found that this was the result of malware installed on GoDaddy’s hosting servers by hackers.

The company claims this most recent incident is just part of an ongoing campaign by a single threat actor group, who they assert were the culprits behind earlier breaches revealed in March 2020 and November 2021.

In March 2020, GoDaddy disclosed that threat actors got hold of login information that allowed them to access the hosting accounts of about 28,000 customers, as well as a small number of employee accounts. The attackers used the stolen account credentials to access hosting accounts over SSH in October 2019.

Then, in November 2021, the hackers used a stolen password to breach GoDaddy’s WordPress environment and access the data of 1.2 million Managed WordPress clients. The stolen data included email addresses, WordPress Admin passwords, sFTP and database login information, and SSL private keys.

The company has been investigating the ongoing issue with multiple law enforcement agencies throughout the world, along with forensic experts.

GoDaddy released the following statement on Thursday: "We have evidence, and law enforcement has confirmed that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”