Web hosting company GoDaddy has suffered repeated breaches for nearly three years now, and a recent investigation reveals that the same attackers appear to be responsible for all of them. The incursions include planting malware in the interface that customers use to manage their website, and stealing some unspecified pieces of platform source code.
Source code stolen and malware planted as customers see websites redirect to new URLs
The hackers have apparently been able to gain illicit access to the web hosting company since at least 2019. It is not clear when the source code was stolen (or exactly which pieces were taken), but in the most recent attack malware was apparently planted in the cPanel control panel that website owners use to manage their sites.
The first incident tied to this group was disclosed to the public in March 2020, but actually took place in October 2019. About 28,000 customers of the web hosting company had their login credentials compromised in this incident. The next incident tied to these attackers took place in November 2021, and involved 1.2 million customers who have managed hosting of WordPress websites. This breach resulted from an employee’s credentials being compromised. It is unknown if source code was taken or malware was planted at this time, but customers lost admin passwords, SSL private keys and database credentials, among other sensitive information.
The most recent attack by this group, which took place in early December 2022, saw them somehow gain access to the cPanel administrative tool used by those who have websites hosted on the platform. A “small amount” of users reported that their websites were suddenly redirecting to unknown URLs, presumably malware or phishing sites owned by the attackers.
Web hosting company experiences multiple breaches in recent years
It is unclear how many of GoDaddy’s 21 million customers use it as a web hosting company as opposed to simply registering a domain name; it does not appear the incident had any impact on the latter group. It is also not clear how many GoDaddy customers had their website environments infiltrated, with the company calling the malware issues “intermittent.” There is also no clue about the identity of the hackers yet, other than the company calling them “organized” and “sophisticated.”
This not only leaves the web hosting company’s customers with many questions, but the loss of unspecified source code creates doubts about platform security going forward. GoDaddy has yet to do much to reassure these customers other than offering them free access to its internal malware removal and website security services, informing them that they need to audit their own sites to ensure they are secure.
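The symptom reported in the December 2022 incident, sites intermittently redirecting visitors to unknown URLs, is exactly what a site owner asked to audit their own pages should be looking for. The following is an added example, not code from the article or from GoDaddy: a small offline checker that pulls redirect targets from a page's HTML (meta refresh tags and inline JavaScript location assignments) plus an optional HTTP Location header, and flags any target that points off the site's own domain. The sample page and hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectCollector(HTMLParser):
    """Collect redirect targets from <meta http-equiv="refresh"> and inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip())
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Heuristic: catch location = "...", location.href = "...", location.replace("...") and similar.
        if self._in_script:
            pat = r"(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\()\s*['\"]([^'\"]+)['\"]"
            self.targets.extend(m.group(1) for m in re.finditer(pat, data))


def off_site_redirects(html, site_host, location_header=None):
    """Return redirect targets that leave site_host (or its subdomains); relative targets are ignored."""
    collector = RedirectCollector()
    collector.feed(html)
    targets = list(collector.targets)
    if location_header:
        targets.append(location_header)
    site_host = site_host.lower()
    flagged = []
    for t in targets:
        host = (urlparse(t).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            flagged.append(t)
    return flagged


# Constructed sample: a legitimate page with two injected redirects (hostnames are placeholders).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://phish.example/login">
<script>if (document.referrer.indexOf("google") !== -1) { window.location.href = "https://bad.example/landing"; }</script>
</head><body><a href="https://other.example/">partner</a><script>location.replace('/account')</script></body></html>"""
```

Running `off_site_redirects(SAMPLE_HTML, "example.com")` on the sample flags the two injected targets while ignoring the ordinary outbound link and the same-site `/account` redirect; a real audit would feed it the HTML and headers fetched from each hosted page, ideally from several client vantage points since the injected redirects were reported as intermittent.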
It also remains unclear if there is any connection to two prior GoDaddy security incidents, taking place in 2018 and 2019. The first of these involved a misconfigured database that was exploited to compromise the domains of a number of major companies, and the second involved the compromise of about 15,000 web hosting customer accounts.