Cyber Security News

GoDaddy Hacked – Attackers Breached cPanel and Stole Source Code

GoDaddy, a leading web hosting company, has reported that its cPanel shared hosting environment was breached by unknown attackers.

The perpetrators were able to steal source code and install malware on GoDaddy’s servers in a prolonged attack that spanned multiple years.

Although customer reports alerted GoDaddy to this security breach in early December 2022, the attackers had actually gained access to the company’s network several years prior. 

During this time, the perpetrators were able to use compromised sites to redirect traffic to various unknown domains. As one of the world’s largest domain registrars, GoDaddy serves more than 20 million customers globally with its hosting services.

Breach Analysis

According to the company, the recent security breach that occurred over a span of several years is connected to previous breaches that were disclosed in November 2021 and March 2020.

In November 2021, GoDaddy’s WordPress hosting environment was compromised by attackers who used a compromised password. Approximately 1.2 million Managed WordPress users were affected by this data breach.

As a result, the attackers gained access to the following information:

  • Email addresses
  • WordPress Admin passwords
  • sFTP
  • Database credentials
  • SSL private keys of a subset of active clients

In October 2019, an attacker gained access to the web hosting accounts of 28,000 GoDaddy customers by using their SSH credentials. GoDaddy discovered this breach in March 2020 and promptly notified the affected customers.

GoDaddy’s Response

As part of an ongoing investigation into the cause of the breach, GoDaddy has enlisted the help of external cybersecurity forensics experts and law enforcement agencies around the globe.

A sophisticated and organized group, whose focus is on hosting services, including GoDaddy, was responsible for the incident, as confirmed by both GoDaddy and law enforcement.

The threat actors’ objective is to corrupt websites and servers with malware to execute various malicious activities, such as malware distribution and phishing campaigns.

Here’s what GoDaddy stated:

“As we continue to monitor their behavior and block attempts from this criminal organization, we are actively collecting evidence and information regarding their tactics and techniques to help law enforcement.”

Moreover, GoDaddy issued an apology to customers and website visitors for any inconvenience experienced. Improvements to the security of its systems are underway, utilizing insights gained from the incident to better safeguard customer data.

Guru Baran
