The largest domain registrar, GoDaddy, with 19 million customers, has revealed a data breach impacting web hosting account credentials.
With more than 19 million customers, 77 million domains under management, and millions of websites hosted, most everyone has heard of GoDaddy. According to Bleeping Computer, which broke the news yesterday evening, an as yet unknown number of customers have been informed that their web hosting account credentials were compromised.
The confirmation of the data breach, in an email signed by GoDaddy CISO and vice-president of engineering, Demetrius Comes, revealed that the incident came to light after suspicious activity was recently identified on some GoDaddy servers. The breach itself appears to have occurred on October 19, 2019, according to the State of California Department of Justice, with which a sample of the disclosure notification email was filed.
The email notification stated that, upon investigation, it was determined that an “unauthorized individual” had gained access to login credentials that meant they could “connect to SSH” on the affected hosting accounts. SSH (Secure Shell) is the encrypted network protocol that system administrators, and hosting customers, use to log in to a remote server and run commands on it. Credentials that open an SSH session therefore give whoever holds them the same command-line access to a hosted site's files and configuration as the legitimate account holder, which is why leaked SSH logins are such a useful foothold for attackers. If you want to jump into the technical detail, then Hackaday has an excellent article about the “terminal program that talks to a server using an encrypted connection.”
“The GoDaddy breach underlines just how important SSH security is,” Yana Blachman, a threat intelligence specialist at Venafi, said. “SSH is used to access an organization’s most critical assets, so it’s vital that organizations stick to the highest security level of SSH access and disable basic credential authentication, and use machine identities instead,” Blachman said. “This involves implementing strong private-public key cryptography to authenticate a user and a system.”
Importantly, the GoDaddy email said that the breach is limited to hosting accounts and did not involve customer accounts or the personal information stored within them. It noted that no evidence was found to suggest that any files were modified or added to the affected accounts, but it did not say whether files had been viewed or copied. That distinction matters: an SSH session is enough to read, not just edit, everything on a hosting account, and hosted sites routinely keep configuration files that hold database passwords and API keys, so anyone affected should treat such secrets as exposed and rotate them, not only the SSH login. All impacted hosting account logins have been reset, and the email contained the procedure customers need to follow in order to regain access to the hosting accounts concerned. GoDaddy has also recommended, “out of an abundance of caution,” that users audit their hosting accounts.
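What Venafi's advice to disable password logins in favour of keys, and GoDaddy's advice to audit the affected hosting accounts, look like in practice, as an added example that is not code from GoDaddy, Venafi or this article: a POSIX shell script that checks an sshd_config for the password-login settings in question (a weak configuration beside its hardened counterpart) and reviews an authorized_keys file against an allowlist of keys the account holder actually issued. Both configurations, the authorized_keys entries and the allowlist are constructed samples; the key blobs are placeholders rather than real key material, and the checks assume a plain OpenSSH configuration (settings in the global section, written as “keyword value”).

```shell
#!/bin/sh
# Added example (not GoDaddy's, Venafi's or the article author's code).
# Two post-incident checks for a hosting account reachable over SSH:
#   1. does the server's sshd_config really refuse password logins?
#   2. does authorized_keys hold only keys the account holder issued?
# All inputs below are constructed samples so the script runs offline.

# Constructed weak configuration: passwords and root logins allowed.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

# Constructed hardened configuration: public-key authentication only.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey'

# sshd_setting CONFIG KEYWORD DEFAULT: print the effective value of KEYWORD.
# sshd uses the FIRST occurrence of a keyword and ignores later ones,
# keywords are case-insensitive, an absent keyword means DEFAULT, and
# anything after a Match line is conditional, so parsing stops there.
sshd_setting() {
    _value=$(printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }')
    printf '%s\n' "${_value:-$3}"
}

# audit_sshd_config CONFIG: print one FAIL line per weak setting and
# return non-zero if any was found. Defaults are OpenSSH's own.
audit_sshd_config() {
    _cfg=$1
    _fails=0
    for _rule in \
        'PasswordAuthentication yes no' \
        'ChallengeResponseAuthentication yes no' \
        'PermitRootLogin prohibit-password no' \
        'PubkeyAuthentication yes yes'
    do
        set -- $_rule   # $1 keyword, $2 OpenSSH default, $3 wanted value
        _got=$(sshd_setting "$_cfg" "$1" "$2")
        if [ "$_got" != "$3" ]; then
            printf 'FAIL: %s is %s, want %s\n' "$1" "$_got" "$3"
            _fails=$((_fails + 1))
        fi
    done
    [ "$_fails" -eq 0 ]
}

# Constructed authorized_keys. The first entry is the account holder's; the
# second, with an option prefix and an unfamiliar comment, is not. The key
# blobs are placeholders, not real key material.
AUTHORIZED_KEYS='# keys for the hosting account
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderAdminLaptopKey admin@laptop
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPlaceholderUnknownKey backup@unknown-host'

# Allowlist of "type blob" pairs the account holder knows they issued.
KNOWN_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderAdminLaptopKey'

# unknown_authorized_keys AUTHORIZED_KEYS KNOWN_KEYS: print every entry whose
# "type blob" pair is not in KNOWN_KEYS and return non-zero if any exists.
# Option prefixes (from=..., command=..., no-pty, ...) are skipped by taking
# the first field that looks like a key type, which assumes no option value
# itself contains a token starting with ssh-, ecdsa- or sk-.
unknown_authorized_keys() {
    {
        printf '%s\n' "$2"
        echo '--- authorized_keys ---'   # separator; assumed absent from real files
        printf '%s\n' "$1"
    } | awk '
        /^--- authorized_keys ---$/ { in_auth = 1; next }
        !in_auth { if ($0 != "") ok[$0] = 1; next }
        /^[[:space:]]*(#|$)/ { next }
        {
            key = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { key = $i " " $(i + 1); break }
            if (key == "") next                 # not a parsable key entry
            if (!(key in ok)) { print $0; bad = 1 }
        }
        END { exit bad }'
}

# Stand-alone demonstration of both checks on the constructed samples.
report() {
    echo '== weak sshd_config =='
    audit_sshd_config "$WEAK_CONFIG" || echo '-> password logins still possible'
    echo '== hardened sshd_config =='
    audit_sshd_config "$HARDENED_CONFIG" && echo '-> key-based authentication only'
    echo '== authorized_keys entries not on the allowlist =='
    unknown_authorized_keys "$AUTHORIZED_KEYS" "$KNOWN_KEYS" || echo '-> remove, then rotate the remaining keys'
}
report
```

Two design points worth noting. The parser honours sshd's first-occurrence rule, so a hardening line appended at the bottom of a file that already says `PasswordAuthentication yes` higher up is correctly reported as ineffective; and the key review compares the key material itself rather than the comment field, because an attacker who adds a key can give it any comment they like.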
However, the investigation into this incident is far from over. While the attacker has been “blocked from our systems,” the email said, it also stated that GoDaddy is continuing to determine any potential impact across its environment. Information is scarce, at this stage, beyond what I’ve already detailed. I have reached out to GoDaddy regarding how many accounts were affected and will update this article once I have an official response.