SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
GoDaddy reveals widespread data breach
Wed, 6th May 2020
FYI, this story is more than a year old

GoDaddy, the internet domain registrar and web hosting company, has reported a ‘security incident' in which an attacker gained access to users' SSH accounts, potentially affecting its 19 million customers.

The company, which is the world's biggest domain registrar with 77 million domains, apologised to an undisclosed number of its users in an email.

“We recently identified suspicious activity on a subset of our servers and immediately began an investigation,” the email said.

“The investigation found that an unauthorised individual had access to your login information used to connect to SSH on your hosting account.

GoDaddy mentions there was no evidence that any files were ‘added or modified' on user accounts.

The nature of the breach, however, indicates that files could potentially have been viewed and exfiltrated.

The company said it has blocked the ‘unauthorised individual' from their systems, and that it has reset the user's hosting account login information to prevent unauthorised access.

SC Magazine reported that the actual breach took place in October last year but was only discovered on April 23 2020 – meaning attackers had access for over half a year.

“It is astonishing that GoDaddy was unable to detect unauthorised access to SSH account credentials for about eight months," says LogRhythm Labs chief information security officer and vice president James Carder.

"With this particular incident, there are further unknowns such as whether sensitive files were exfiltrated from the accounts, and exactly how many accounts from GoDaddy's hosting environment were compromised."

Carder says the breach sheds light on an increasingly pressing issue - that many large enterprises still lack a comprehensive approach to detecting and combating threats.

"It is easy to assume that GoDaddy, as the world's largest domain registrar, would have proper security in place to prevent, detect, and respond to these types of threats," says Carder.

"GoDaddy should have had stricter SSH security measures in place rather than just a simple username and password."

GoDaddy urged the recipients of its email to conduct an audit of their hosting account in light of the breach.

It also said that the incident was limited only to customers' hosting accounts.

“Your main customer account, and the information stored within your customer account, was not accessible by this threat actor,” the company said in the email.

GoDaddy has offered a full year of Website Security Deluxe and Express Malware Removal free of charge to its affected customers.

“With this service, if a problem arises, there is a special way to contact our security team and they will be there to help,” the company said.

Venafi threat intelligence specialist Yana Blachman says the breach underlines just how important SSH security is.

“SSH is used to access an organisation's most critical assets, so it's vital that organisations stick to the highest security level of SSH access and disable basic credential authentication, and use machine identities instead,” says Blachman.

“This involves implementing strong private-public key cryptography to authenticate a user and a system.

"Alongside this, organisations must have visibility over all their SSH machine identities in use across the data center and cloud, and automated processes in place to change them,” adds Blachman.

“SSH automates control over all manner of systems, and without full visibility into where they're being used, hackers will continue to target them.