‘Unauthorized Individual’ Accessed SSH File, Company Says
GoDaddy logo outside its headquarters in Scottsdale, Arizona (Photo: GoDaddy)
Web hosting giant GoDaddy confirms that a data breach has affected about 28,000 of its customers’ web hosting accounts, according to a a company spokesperson. The company has reset passwords and usernames for some customers as a precaution, although it says no data appears to have been altered, it states in a notification letter to clients.
GoDaddy filed a breach notification letter with the California Attorney General’s Office this week. In the letter, Demetrius Comes, the company’s CISO and vice president for engineering, notes that an “unauthorized individual had access to your login information used to connect to SSH on your hosting account.”
Comes notes that the intruder who accessed and altered an SSH file has now been removed from the company’s hosting environment and blocked from the network. And while the company’s security team did not find that any customer accounts were modified, Comes adds that customers’ usernames and passwords have now been reset.
“Out of an abundance of caution, we recommend you conduct an audit of your hosting account,” Comes says. “This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor.”
Delay in Discovery
On Thursday, a GoDaddy spokesperson confirmed reports from earlier this week that about 28,000 customer accounts were affected.
“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers,” the spokesperson told Information Security Media Group.
This security incident happened in October 2019 and was only discovered in April, according to Bleeping Computer, which first reported the breach later this week.
On April 17, the affected SSH file was removed, and GoDaddy began resetting customer’s credentials and notifying those affected on April 23, the spokesperson says.
In its latest financial report in February, GoDaddy reported that at the end of 2019, the company had 19 million web hosting customers. Net income for the year was approximately $139 million with total revenue of about $3 billion.
And while it’s not clear whether the hacker in this case gained access to credentials by stealing them or using brute-force methods to guess passwords and usernames, the incident is a reminder for all companies to closely monitor who has access to privileged credentials and how they are used, says Matt Walmsley, a director at the cybersecurity firm Vectra.
“It’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant to a breach,” Walmsley tells Information Security Media Group.
In March, security blogger Brian Krebs reported that a GoDaddy employee was targeted during a spear-phishing attack, which gave the attackers access to some customer records and also allowed the hackers to change DNS settings of some hosted sites, including Escrow.com.
It’s not clear if there’s any connection between that phishing incident and the altering of the SSH file at GoDaddy.
This article was updated to include comments from a GoDaddy spokesperson.