GoDaddy – “unauthorized individual” had access to login info

By Paul Ducklin, Sophos

May 5, 2020

Web hosting behemoth GoDaddy just filed a data breach notification with the US state of California.

The breach letter that’s now part of the public record is just a template, with blanks for the name of the recipient and for a phone number relevant to their region, but it sets out what’s known so far.

If you’re a GoDaddy customer, you’ll know you were on the list of affected accounts if you see a message like this:

Subject: Security Incident Impacting Your GoDaddy Web Hosting Account

We need to inform you of a security incident impacting your GoDaddy web hosting account credentials. We recently identified suspicious activity on a subset of our servers and immediately began an investigation.

The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.

There’s more, including a warning that your account information was reset and how to get back into your account, but from a technical point of view – what actually happened and how the breach was detected – there is only the above text to go on.

Clearly this isn’t just a case of credential stuffing, where accounts were accessed because their passwords were the same as the passwords used on other services that had already been breached, or GoDaddy wouldn’t have filed a breach notification.

Also, what’s not obvious from the breach letter (though it is stated on the State of California’s website) is that the breach dates back to October 2019.

In other words, even though resetting your account at this stage was something that GoDaddy needed to do, any crook or crooks who knew your login details could, in theory, have been riffling through your stuff for more than six months.

That’s why GoDaddy also “recommend[s] you conduct an audit of your hosting account”.

That should include looking through your logs for modifications you didn’t expect, especially changes to or additions of files such as PHP scripts, HTML pages, JavaScript files and server plugins.

(When you’re doing an audit for one reason, you might as well be on the lookout for trouble that could have started for other reasons while you’re about it – such as unpatched software or incorrectly configured server options.)
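One way to start that audit from a shell on the hosting account, as an added example that is not from GoDaddy or from the original article: list the PHP, HTML and JavaScript files that changed after the start of the exposure window, including files whose modification time has been set back. The web root path, the function names and the exact cutoff day are assumptions (the page only says October 2019).

```shell
#!/bin/sh
# Added example: flag web content that changed after the start of the
# exposure window. Assumes a find that supports -newermt / -newerct
# (GNU findutils or BSD find).

# Prefix each path read from stdin with a reason tag and a tab.
tag() {
    while IFS= read -r _path; do
        printf '%s\t%s\n' "$1" "$_path"
    done
}

# web_files ROOT [extra find tests...]
# Selects the file types the article names (plugins are usually PHP files).
web_files() {
    _root=$1
    shift
    find "$_root" -type f \
        \( -iname '*.php' -o -iname '*.html' -o -iname '*.htm' -o -iname '*.js' \) \
        "$@" -print
}

# audit_webroot ROOT [CUTOFF]
#   MTIME  file content was modified after CUTOFF
#   CTIME  modification time predates CUTOFF, but the inode changed after it:
#          the file was created, restored, chmod'ed or had its mtime set back
#          later. A lead to check against backups, not proof of tampering.
audit_webroot() {
    _cutoff=${2:-2019-10-01}   # assumed day; the page only says October 2019
    web_files "$1" -newermt "$_cutoff" | tag MTIME
    web_files "$1" ! -newermt "$_cutoff" -newerct "$_cutoff" | tag CTIME
}

# Usage (hypothetical path): audit_webroot "$HOME/public_html"
```

Compare each hit against a known-good copy of the site, because a restore from backup or a permissions change also produces CTIME lines.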
