
GoDaddy reveals widespread data breach

GoDaddy, the internet domain registrar and web hosting company, has reported a ‘security incident’ in which an attacker obtained the credentials customers use to connect to their hosting accounts over SSH. The company has around 19 million customers in total.

The company, which is the world’s biggest domain registrar with 77 million domains, apologised to an undisclosed number of its users in an email.

“We recently identified suspicious activity on a subset of our servers and immediately began an investigation,” the email said.

“The investigation found that an unauthorised individual had access to your login information used to connect to SSH on your hosting account.”

GoDaddy said there was no evidence that any files were ‘added or modified’ on the affected accounts.

Valid SSH credentials, however, give an attacker the same read access as the account owner, so files could have been viewed and copied without leaving any modification behind.

The company said it has blocked the ‘unauthorised individual’ from its systems and reset the affected users’ hosting account login information to prevent further unauthorised access.

SC Magazine reported that the breach itself took place in October 2019 but was only discovered on April 23 2020 – meaning the attacker had access for over half a year.

“It is astonishing that GoDaddy was unable to detect unauthorised access to SSH account credentials for about eight months," says LogRhythm Labs chief information security officer and vice president James Carder.

"With this particular incident, there are further unknowns such as whether sensitive files were exfiltrated from the accounts, and exactly how many accounts from GoDaddy’s hosting environment were compromised."

Carder says the breach sheds light on an increasingly pressing issue - that many large enterprises still lack a comprehensive approach to detecting and combating threats.

"It is easy to assume that GoDaddy, as the world’s largest domain registrar, would have proper security in place to prevent, detect, and respond to these types of threats," says Carder.

"GoDaddy should have had stricter SSH security measures in place rather than just a simple username and password."

GoDaddy urged the recipients of its email to conduct an audit of their hosting account in light of the breach.

It also said the incident was limited to customers’ hosting accounts.

“Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor,” the company said in the email.

GoDaddy has offered a full year of Website Security Deluxe and Express Malware Removal free of charge to its affected customers.

“With this service, if a problem arises, there is a special way to contact our security team and they will be there to help,” the company said.

Venafi threat intelligence specialist Yana Blachman says the breach underlines just how important SSH security is. 

“SSH is used to access an organisation’s most critical assets, so it’s vital that organisations stick to the highest security level of SSH access and disable basic credential authentication, and use machine identities instead,” says Blachman.

“This involves implementing strong private-public key cryptography to authenticate a user and a system.

"Alongside this, organisations must have visibility over all their SSH machine identities in use across the data centre and cloud, and automated processes in place to change them,” adds Blachman.

“SSH automates control over all manner of systems, and without full visibility into where they’re being used, hackers will continue to target them.”
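The controls Blachman describes, as an added example that is not GoDaddy's or Venafi's code: a small POSIX shell audit that reports sshd_config directives which still let a stolen password log in (shown against a weak and a hardened config), and inventories an authorized_keys file so each key, its restrictions and its owner comment are visible. The config contents, the key blobs (placeholders, not real keys) and the function names sshd_get, sshd_audit and authorized_keys_inventory are constructed for this example; the values assumed for unset directives are OpenSSH's compiled-in defaults.

```shell
#!/bin/sh
# Added example: audit sshd for password-based logins and list SSH keys.
# Sample files are constructed below so the script runs offline.

# Effective value (lower-cased) of a global sshd_config directive.
# sshd honours the first occurrence of a directive, and "Match" blocks can
# override it per user/host, so this stops at the first Match line and only
# reports the global section.
sshd_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print tolower($2); exit }
    ' "$1"
}

# One finding per line for settings that let a password alone open a session.
# Prints nothing when the config is clean. Defaults are OpenSSH's defaults.
sshd_audit() {
    cfg=$1
    v=$(sshd_get "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = no ] || echo "PasswordAuthentication=${v:-yes(default)}: set to no"
    # KbdInteractiveAuthentication replaced ChallengeResponseAuthentication;
    # either name enables PAM password prompts even when PasswordAuthentication is off.
    v=$(sshd_get "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_get "$cfg" ChallengeResponseAuthentication)
    [ "${v:-yes}" = no ] || echo "KbdInteractiveAuthentication=${v:-yes(default)}: set to no"
    v=$(sshd_get "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || echo "PubkeyAuthentication=$v: set to yes"
    v=$(sshd_get "$cfg" PermitRootLogin)
    case "${v:-prohibit-password}" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin=$v: set to no or prohibit-password" ;;
    esac
    v=$(sshd_get "$cfg" PermitEmptyPasswords)
    [ "${v:-no}" = no ] || echo "PermitEmptyPasswords=$v: set to no"
}

# Inventory of an authorized_keys file: type, options, comment, flag.
# The key type is located by pattern so leading options (from=, restrict,
# command=...) and trailing comments are separated correctly. Keys with no
# options are flagged UNRESTRICTED (usable from anywhere); ssh-dss is WEAK.
authorized_keys_inventory() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-(ssh-ed25519|ecdsa-sha2-nistp256))(@openssh\.com)?$/) break
            if (i > NF) { printf "UNPARSED\t-\t-\t%s\n", $0; next }
            opts = "-"
            if (i > 1) { opts = $1; for (j = 2; j < i; j++) opts = opts " " $j }
            comment = "-"
            if (i + 2 <= NF) { comment = $(i+2); for (j = i+3; j <= NF; j++) comment = comment " " $j }
            flag = ($i == "ssh-dss") ? "WEAK" : (opts == "-" ? "UNRESTRICTED" : "ok")
            printf "%s\t%s\t%s\t%s\n", $i, opts, comment, flag
        }
    ' "$1"
}

# Constructed sample inputs (not from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
WEAK_CFG=$tmp/sshd_config.weak
HARD_CFG=$tmp/sshd_config.hardened
KEYS=$tmp/authorized_keys

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: password logins still accepted
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: key-based logins only
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
AuthenticationMethods publickey
EOF

cat > "$KEYS" <<'EOF'
# constructed sample; the blobs are placeholders, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDER== alice@laptop
from="10.0.0.0/8",restrict,command="/usr/local/bin/deploy.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER deploy@ci
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER legacy@oldbox
EOF

echo "== weak config =="; sshd_audit "$WEAK_CFG"
echo "== hardened config (no findings expected) =="; sshd_audit "$HARD_CFG"
echo "== key inventory: type, options, comment, flag =="; authorized_keys_inventory "$KEYS"
```

Run it as-is to see the three findings for the weak config, none for the hardened one, and the inventory flagging the unrestricted RSA key and the DSA key. On a real fleet the inventory step is what gives the visibility Blachman asks for: pair each line with `ssh-keygen -lf` fingerprints, record which person or pipeline owns it, and rotate or remove keys that have no owner or no `from=`/`restrict` options.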
