An unknown cybercriminal has been sitting on GoDaddy’s systems for several years, installing malware, stealing source code and targeting the company’s customers, the hosting giant has confirmed.
In a corporate SEC filing (reported by BleepingComputer), GoDaddy said the attackers broke into its cPanel shared hosting environment and used it as a launch pad for further attacks. The company described the hackers as a “sophisticated group of cybercriminals”.
The group was finally noticed in late 2022 when customers began reporting that traffic to their websites was being redirected elsewhere.
Links to previous incidents
GoDaddy now believes that the data breaches reported in March 2020 and November 2021 were related.
“Based on our investigation,” the filing said, “we believe these incidents are part of a multi-year campaign by a sophisticated group of cybercriminals that, among other things, installed malware on our systems and obtained code snippets related to certain GoDaddy services.”
During an incident in November 2021, the attackers accessed the data of approximately 1.2 million of the company’s customers. This affected both active and inactive users, with their email addresses and customer numbers exposed.
The company also said that the original WordPress admin password, created when a fresh WordPress installation was completed, was leaked, giving attackers access to those installations.
GoDaddy also revealed that, for active customers, sFTP credentials and the usernames and passwords for their WordPress databases, which store all of their site content, were exposed.
In some cases, a customer’s SSL private key was also leaked; if misused, such a key could allow an attacker to impersonate the customer’s website or other services.
GoDaddy has reset WordPress customers’ passwords and private keys, and it is currently in the process of issuing new SSL certificates to them.
In a statement published in February 2023, the hosting giant says it has hired an external cybersecurity team and brought in law enforcement from around the world to investigate further.
It is now also clear that the GoDaddy attacks were part of a wider campaign against hosting companies around the world.
“We have evidence and law enforcement has confirmed that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy.”
“According to the information we have received, their obvious purpose is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”