GoDaddy – “unauthorized individual” had access to login info

Web hosting behemoth GoDaddy just filed a data breach notification with the US state of California.

The breach letter that’s now part of the public record is just a template, with blanks for the name of the recipient and for a phone number relevant to their region, but it sets out what’s known so far.

If you’re a GoDaddy customer, you’ll know if you were on the list of affected accounts if you see a message like this:

Subject: Security Incident Impacting Your GoDaddy Web Hosting Account
[…]
We need to inform you of a security incident impacting your GoDaddy web hosting account credentials. We recently identified suspicious activity on a subset of our servers and immediately began an investigation.

The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.

There’s more, including a warning that your account information was reset and how to get back into your account, but from a technical point of view – what actually happened and how the breach was detected – there is only the above text to go on.

Clearly this isn’t just a case of credential stuffing, where accounts were accessed because their passwords were the same as the passwords used on other services that had already been breached, or GoDaddy wouldn’t have filed a breach notification.

Also, what’s not obvious from the breach letter (though it is stated on the State of California’s website), is that the breach dates back to October 2019.

In other words, even though resetting your account at this stage was something that GoDaddy needed to do, any crook or crooks who knew your login details could, in theory, have been riffling through your stuff for more than six months.

That’s why GoDaddy also “recommend[s] you conduct an audit of your hosting account”.

That should include looking through your logs for modifications you didn’t expect, especially changes to or additions of files such as PHP scripts, HTML pages, JavaScripts and server plugins.

(When you’re doing an audit for one reason, you might as well be on the lookout for trouble that could have started for other reasons while you’re about it – such as unpatched software or incorrectly configured server options.)

What we can’t tell you is how the “unauthorized individual” mentioned above got access to the illicit data, what that “login information” actually entailed, and what sort of access they actually effected, if any.

We are assuming that GoDaddy’s suggestions that no files “were added or modified” is reasonable – no matter how little else is known as this stage of the investigation, we suspect that unlawful alterations would have been detectable in some way, somwhere in the company’s logs.

We don’t know how many files, if any, the intruder was able to riffle through and perhaps even to make off with, but we’re assuming that GoDaddy may have more findings to reveal in the future.

Figuring out all the many things that could have happened but didn’t is often the hardest part of any follow-up, and GoDaddy’s investigation is still going on.

What next?

GoDaddy is offering affected customers access to some of its add-on services for free, namely the products it calls Website Security Deluxe and Express Malware Removal.

You might as well try them out – if you end up not using them you have lost nothing, but you might find that they find problems you would otherwise have missed, such as long-outdated web server plugins or software that you forgot to patch.


Latest Naked Security podcast

go top