
GoDaddy reveals widespread data breach

GoDaddy, the internet domain registrar and web hosting company, has reported a ‘security incident’ in which an attacker gained access to users’ SSH accounts, potentially affecting its 19 million customers.

The company, which is the world’s biggest domain registrar with 77 million domains, apologised to an undisclosed number of its users in an email.

“We recently identified suspicious activity on a subset of our servers and immediately began an investigation,” the email said.

“The investigation found that an unauthorised individual had access to your login information used to connect to SSH on your hosting account.”

GoDaddy said there was no evidence that any files were ‘added or modified’ on user accounts.

The nature of the breach, however, means that files could have been viewed and exfiltrated.

The company said it has blocked the ‘unauthorised individual’ from its systems, and that it has reset each affected user’s hosting account login information to prevent further unauthorised access.

SC Magazine reported that the actual breach took place in October last year but was only discovered on April 23 2020 – meaning attackers had access for over half a year.

“It is astonishing that GoDaddy was unable to detect unauthorised access to SSH account credentials for about eight months,” says LogRhythm Labs chief information security officer and vice president James Carder.

"With this particular incident, there are further unknowns such as whether sensitive files were exfiltrated from the accounts, and exactly how many accounts from GoDaddy’s hosting environment were compromised."

Carder says the breach sheds light on an increasingly pressing issue: many large enterprises still lack a comprehensive approach to detecting and combating threats.

"It is easy to assume that GoDaddy, as the world’s largest domain registrar, would have proper security in place to prevent, detect, and respond to these types of threats," says Carder.

"GoDaddy should have had stricter SSH security measures in place rather than just a simple username and password."

GoDaddy urged the recipients of its email to conduct an audit of their hosting account in light of the breach.

It also said that the incident was limited only to customers’ hosting accounts.

“Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor,” the company said in the email.

GoDaddy has offered a full year of Website Security Deluxe and Express Malware Removal free of charge to its affected customers.

“With this service, if a problem arises, there is a special way to contact our security team and they will be there to help,” the company said.

Venafi threat intelligence specialist Yana Blachman says the breach underlines just how important SSH security is. 

“SSH is used to access an organisation’s most critical assets, so it’s vital that organisations stick to the highest security level of SSH access and disable basic credential authentication, and use machine identities instead,” says Blachman.

“This involves implementing strong private-public key cryptography to authenticate a user and a system.

“Alongside this, organisations must have visibility over all their SSH machine identities in use across the data centre and cloud, and automated processes in place to change them,” adds Blachman.

“SSH automates control over all manner of systems, and without full visibility into where they’re being used, hackers will continue to target them.”
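The hardening Blachman describes (disable password logins, rely on key-based authentication) and the visibility she calls for (know which SSH keys are in use) can both be checked mechanically. The script below is an added example written for this article; it is not code from GoDaddy, Venafi or LogRhythm. It audits an `sshd_config` for password-style authentication that is still enabled (honouring OpenSSH's defaults when a keyword is absent, its first-occurrence-wins rule, and `Match` blocks that quietly re-enable passwords), and it inventories an `authorized_keys` file, computing the same `SHA256:` fingerprint that `ssh-keygen -lf` prints and flagging entries whose declared key type disagrees with the type embedded in the key blob, as well as duplicated keys. Both input files are constructed samples embedded in the script; the key blobs are synthetic bytes, not usable keys.

```python
"""Audit sshd_config and inventory authorized_keys (added example, constructed inputs)."""
import base64
import binascii
import hashlib
import re
import struct

# OpenSSH defaults that apply when a keyword is absent from sshd_config.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# ChallengeResponseAuthentication is the older spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    Keywords are case-insensitive; sshd honours the FIRST occurrence of a
    keyword in a scope, so setdefault() mirrors that. Text after '#' is a
    comment. Lines following a 'Match' keyword belong to that conditional
    block and are collected separately as (criteria, settings) pairs.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) == 2 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    settings, match_blocks = parse_sshd_config(text)
    eff = lambda k: settings.get(k, DEFAULTS[k]).lower()  # effective value incl. defaults
    findings = []
    if eff("passwordauthentication") != "no":
        findings.append("PasswordAuthentication should be 'no': a stolen or guessed password is enough to log in")
    if eff("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication should be 'no': it is another password-style method")
    if eff("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication must be 'yes' for key-based logins to work")
    if eff("permitrootlogin") == "yes":
        findings.append("PermitRootLogin should not be 'yes'")
    for criteria, block in match_blocks:
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria}: re-enables PasswordAuthentication for that scope")
    return findings


# authorized_keys line: [options] key-type base64-blob [comment]
KEY_LINE = re.compile(
    r"^(?:(?P<options>.+?)\s+)?"
    r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def inventory_authorized_keys(text):
    """Parse authorized_keys entries into dicts with a SHA256 fingerprint
    (the value `ssh-keygen -lf` prints) and whether the declared key type
    matches the type string embedded at the start of the key blob."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            entries.append({"type": None, "fingerprint": None, "options": None,
                            "comment": line, "type_matches": False})
            continue
        try:
            blob = base64.b64decode(m["blob"], validate=True)
            (n,) = struct.unpack(">I", blob[:4])          # length-prefixed type string
            embedded = blob[4:4 + n].decode("ascii", "replace")
            fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        except (binascii.Error, struct.error):
            embedded, fp = None, None
        entries.append({"type": m["type"], "fingerprint": fp, "options": m["options"],
                        "comment": m["comment"], "type_matches": embedded == m["type"]})
    return entries


def duplicate_keys(entries):
    """Fingerprints that appear in more than one authorized_keys entry."""
    counts = {}
    for e in entries:
        if e["fingerprint"]:
            counts[e["fingerprint"]] = counts.get(e["fingerprint"], 0) + 1
    return {fp for fp, c in counts.items() if c > 1}


def _fake_blob(key_type, key_bytes):
    """Build an OpenSSH-style public-key blob from constructed bytes (not a usable key)."""
    body = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return base64.b64encode(body).decode()


# Constructed samples: a weak config with passwords enabled and its hardened form.
WEAK_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nPubkeyAuthentication yes\n"
HARDENED_SSHD_CONFIG = ("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
                        "PubkeyAuthentication yes\nKbdInteractiveAuthentication no\n")
FAKE_ED25519 = _fake_blob("ssh-ed25519", bytes(range(32)))
FAKE_MISMATCH = _fake_blob("ssh-rsa", b"\x01" * 32)  # blob says ssh-rsa, line will say ed25519
SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys for the example
ssh-ed25519 {FAKE_ED25519} deploy@build-host
command="/usr/bin/rsync --server" ssh-ed25519 {FAKE_ED25519} backup@nas
ssh-ed25519 {FAKE_MISMATCH} stale-entry
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
    keys = inventory_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for k in keys:
        print(k["type"], k["fingerprint"], k["comment"], "type_matches=%s" % k["type_matches"])
    print("duplicated keys:", duplicate_keys(keys))
```

Run against real files with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` and the contents of each account's `~/.ssh/authorized_keys`; the fingerprint list is the inventory Blachman refers to, and comparing it run-to-run shows keys appearing that nobody rotated or approved. The parser ignores the rare `Keyword=Value` spelling and `#` inside quoted values, which is adequate for an audit but not a substitute for `sshd -T`, which prints sshd's own effective configuration.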
