Web hosting provider GoDaddy has revealed it suffered a security breach that lasted for several years, resulting in the installation of malware on its servers and the theft of source code related to some of its services. The company has attributed the campaign to a "sophisticated and organized group targeting hosting services."
According to a statement published on its website, GoDaddy discovered the breach in December 2022 after receiving a small number of complaints from customers about their websites being intermittently redirected. Upon further analysis, GoDaddy found that hackers had breached servers in the company's cPanel shared hosting environment and installed malware that caused customer websites to redirect their visitors.
GoDaddy stated that the hackers' apparent goal was to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities. Law enforcement has confirmed that this was a sophisticated and organized attack, and GoDaddy believes that it was part of a multi-year campaign carried out by the same threat actor.
A 10-K report filed by GoDaddy with the U.S. Securities and Exchange Commission (SEC) also revealed that this and other attacks were part of a multi-year campaign that involved the theft of source code related to some of its services. The same report includes a brief description of previously disclosed incidents that appear to be part of the same campaign.
One of the incidents came to light in May 2020 when GoDaddy discovered that the login credentials of 28,000 hosting customers, as well as some employees, had been compromised. The other incident occurred in November 2021 when a rogue actor used a compromised password to access a provisioning system in the company's legacy code base for Managed WordPress (MWP), affecting close to 1.2 million active and inactive MWP customers across multiple GoDaddy brands.
GoDaddy has assured its customers that these incidents and other cyber threats and attacks have not resulted in any material adverse impact to its business or operations. However, it acknowledges that such threats are constantly evolving, making it increasingly difficult to detect and successfully defend against them.
The company has not disclosed any information about the number of customers affected in this breach, but it is advising all customers to reset their passwords and monitor their accounts for any unauthorized activity. It is also recommending that customers enable multi-factor authentication (MFA) for added security.
Subscribe to SecureWorld News for more stories related to cybersecurity.