GoDaddy Breach: What You Need to Know
tl;dr GoDaddy, the big daddy of domain registrars, has repeatedly faced security compromises since at least 2020, not been forthcoming with incident details, and has seemingly done very little to prevent recurrences. If you are a GoDaddy user, you should seriously consider alternatives at this point.
So, What Happened?
In March 2020, a voice phishing scam targeting GoDaddy employees also assumed control of several domains, including escrow.com. Then, in May, GoDaddy discovered that a threat actor had compromised the hosting login credentials of ~28,000 customers, as well as the login credentials of some of their employees. In November 2020, fraudsters tricked GoDaddy employees yet again into redirecting email and web traffic for several cryptocurrency platforms.
In November 2021, attackers breached GoDaddy's Managed WordPress hosting environment using a compromised password, affecting 1.2 million customers, and gained access to sensitive data like admin passwords, sFTP and database credentials, and SSL private keys. In December 2022, attackers gained access to and installed malware on GoDaddy's cPanel hosting servers, which redirected random customer websites to malicious sites.
Finally, on 16 February 2023, GoDaddy published a statement acknowledging the customer website redirects, and claimed that this was the work of a sophisticated and organised threat actor, but shared very few details about the incidents. In fact, the multi-year security compromise only came to light because of their 10-K filing with SEC earlier that day. The attackers stole company source code, customer and employee login credentials, and installed malware on critical systems. While GoDaddy discovered the breach in December 2022, the attackers "had access to the company's network for multiple years"!
Does This Impact Me?
Over the years, exploitation of several security weaknesses, social engineering, and unauthorised access to sensitive data has allowed attackers to run amok in GoDaddy's proverbial garden. In many cases, customers took a while to realise that traffic intended for their domains was being redirected to malicious sites.
After such data breaches, customers usually see an increase in malicious activity - data theft, website defacement or disruption, payment fraud, malware outbreaks and more - often resulting in reputational damage, legal liabilities and regulatory compliance penalties. If you are already affected, have a look at GoDaddy's documentation on locking down a compromised account. If you aren't, count your blessings and start reviewing your GoDaddy account settings.
What Should I Do Now?
If you are a GoDaddy customer, consider doing the following immediately:
- Reset your login credentials; use strong passwords while you are at it.
- Enable two-factor authentication using hardware security keys like Google Titan or YubiKey (USB-A/NFC, USB-C/NFC or USB-C/Lightning).
- Check for unauthorised changes to your account, especially DNS records.
- Monitor changes to your domain and website e.g. unexpected downtime, decrease in traffic, redirects, unsanctioned content changes.
- Periodically scan your websites for vulnerabilities; fix as you find them.
- Ensure that you back up your content regularly, and test your backups.
- If possible, change the payment methods associated with your account. Monitor for fraudulent transactions.
- Be on the lookout for phishing scams, and other social engineering attempts on your employees. Ensure your DNS administrators are extra vigilant.
- Consider changing your domain registrar to providers who take security seriously e.g. Cloudflare or Google.