Online hosting company GoDaddy admits to a data breach that left thousands of accounts open to a threat actor in October 2019.
A court document outlining the malicious activity was made available to affected customers by GoDaddy CISO and engineering VP Demetrius Comes.
The document noted: “We recently identified suspicious activity on a subset of our servers and immediately began an investigation. The investigation found that an unauthorised individual had access to your login information used to connect to SSH on your hosting account.
“We have no evidence that any files were added or modified on your account. The unauthorised individual has been blocked from our systems, and we continue to investigate potential impact across our environment”.
According to Comes, all affected account holders have had their details reset and the threat actor has been blocked from the system.
Founded in 1997, GoDaddy is a leading domain registrar and web hosting company, providing services for site owners, bloggers and businesses.
Not GoDaddy’s First Breach
The web hosting service is fairly accustomed to data breaches; in 2018 the company attracted media attention when an Amazon Simple Storage Service (AWS S3) bucket was not locked down properly, resulting in user data being leaked.
In 2017, the company revoked up to 9,000 Secure Sockets Layer (SSL) certificates, used to encrypt online data transfers such as credit card transactions, after a bug resulted in certificates being issued without appropriate domain validation.
Yana Blachman, threat intelligence specialist at Venafi, explained the breach further: “The GoDaddy breach underlines just how important SSH security is. SSH is used to access an organisation’s most critical assets, so it’s vital that organisations stick to the highest security level of SSH access and disable basic credential authentication, and use machine identities instead. This involves implementing strong private-public key cryptography to authenticate a user and a system.
“Alongside this, organisations must have visibility over all their SSH machine identities in use across the data centre and cloud, and automated processes in place to change them. SSH automates control over all manner of systems, and without full visibility into where they’re being used, hackers will continue to target them”.
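As an added illustration of the two controls Blachman describes (this is example code, not from the article, GoDaddy or Venafi), the script below audits an sshd_config fragment for settings that still permit credential logins, honouring sshd's first-occurrence rule and, as an assumed simplification, stopping at the first Match block, and then inventories the key identities an authorized_keys file grants so each can be tied to an owner and rotated. The config and key entries are constructed samples.

```python
import re
# Constructed samples (not GoDaddy's): an sshd_config that still allows credential
# logins, and an authorized_keys file whose entries need an owner and a rotation plan.
WEAK_SSHD_CONFIG = """
PermitRootLogin yes
#PasswordAuthentication no   <- commented out, so the default (yes) applies
PasswordAuthentication yes
PasswordAuthentication no    # ignored: sshd keeps the FIRST value it sees
Match User deploy
    PasswordAuthentication no
"""
AUTHORIZED_KEYS = """
# constructed entries; the key blobs are placeholders, not real keys
ssh-ed25519 AAAAC3Placeholder alice@laptop
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3Placeholder backup-job
ecdsa-sha2-nistp256 AAAAE2Placeholder
"""
# (keyword, OpenSSH default when absent, values that disable credential login)
CHECKS = [("passwordauthentication", "yes", ("no",)),
          ("kbdinteractiveauthentication", "yes", ("no",)),
          ("permitrootlogin", "prohibit-password", ("no", "prohibit-password"))]
KEY_LINE = re.compile(r"^(?:(?P<opts>\S+)\s+)?(?P<type>(?:ssh|ecdsa|sk)-\S+)\s+\S+(?:\s+(?P<comment>.*))?$")

def effective_settings(config_text):
    """Global-section keywords, lowercased; sshd honours the first occurrence only."""
    settings = {}
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # assumption: stop at the first conditional block
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1])
    return settings

def credential_login_findings(config_text):
    """Map each failing keyword to its effective value (empty dict = key-only logins)."""
    s = effective_settings(config_text)
    if "challengeresponseauthentication" in s:  # legacy name for the same control
        s.setdefault("kbdinteractiveauthentication", s["challengeresponseauthentication"])
    return {key: s.get(key, default) for key, default, ok in CHECKS if s.get(key, default) not in ok}

def inventory_keys(authorized_keys_text):
    """One record per key: type, options (e.g. from= restrictions) and comment."""
    keys = []
    for line in map(str.strip, authorized_keys_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        keys.append({"type": m["type"] if m else "unparseable",
                     "options": (m and m["opts"]) or "", "comment": (m and m["comment"]) or ""})
    return keys
```

Run against a real host, the same functions can be fed the output of `sshd -T` (which already resolves defaults and Match blocks) and the contents of each user's authorized_keys file.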