An unauthorized person was able to access the login credentials of a number of accounts with the hosting company.
Web hosting provider and domain registrar GoDaddy was hit by a data breach that compromised the account credentials of around 28,000 customers. In a Submitted Breach Notification to the California Attorney General’s office, the company revealed that the suspicious activity occurred on some of its servers on Oct. 19, 2019. Following an investigation, GoDaddy learned that an unauthorized individual had gained access to the login credentials of customers who use SSH (Secure Shell) to connect to their hosting accounts.
The company provided further details in the following statement shared with TechRepublic:
“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”
SSH offers a secure way to work with remote systems and transfer files over a network. With a company such as GoDaddy, SSH is used by customers to connect to their hosting accounts to upload or move files and run commands via a command line.
In its notification, the company said it found no evidence that any files were added or modified for the affected accounts, though it’s continuing to investigate the potential impact. The incident was limited to the hosting accounts of users and didn’t affect actual customer accounts. The person identified in the breach has since been blocked from GoDaddy’s systems.
GoDaddy has also been advising users to conduct an audit of their hosting accounts. Further, the company said that it will provide affected users with a free year of Website Security Deluxe and Express Malware Removal, services that scan customer websites for any potential security issues.
GoDaddy didn’t reveal the exact cause of the data breach. But in March, a customer service rep at the company was ensnared by a phishing email, according to security news site KrebsOnSecurity. The attacker was able to view and change several customer records, including domain settings for a few GoDaddy customers such as transaction brokering site escrow.com. In a follow-up notice, escrow.com CEO Matt Barrie said that his company managed to regain control of its DNS entries.
In data breaches, some vulnerability or mistake is typically to blame for the unauthorized access. Savvy cybercriminals are continually hunting for weaknesses and flaws within an organization’s network. That’s why businesses must make a concerted effort to maintain and strengthen their security measures, especially when they hold the keys to private customer data.
“It’s unclear whether GoDaddy’s reported incident was because of the re-use of previously stolen credentials or from brute-force attacks,” Matt Walmsley, EMEA director at security company Vectra, told TechRepublic. “There have also been recent reports of GoDaddy’s support employees being successfully phished, which might be connected. Regardless of how the unauthorized access was gained, it’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant to a breach.”
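As an added illustration of the credential-use monitoring Walmsley describes (example code written for this page, not part of the article or of any GoDaddy tooling), the following Python script scans constructed sshd log lines for three signals relevant to this incident: successful password logins on accounts where keys are expected, a burst of failures followed by a success on the same account (brute force), and one source address logging into many distinct accounts (reuse of stolen credentials). The host name, user names and addresses are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sshd auth log lines (hypothetical host, users, RFC 5737 addresses), not GoDaddy data.
SAMPLE_LOG = """\
Apr 23 01:02:03 web01 sshd[1001]: Accepted publickey for alice from 198.51.100.7 port 50210 ssh2
Apr 23 01:03:10 web01 sshd[1002]: Failed password for bob from 203.0.113.9 port 40001 ssh2
Apr 23 01:03:12 web01 sshd[1003]: Failed password for bob from 203.0.113.9 port 40002 ssh2
Apr 23 01:03:14 web01 sshd[1004]: Failed password for bob from 203.0.113.9 port 40003 ssh2
Apr 23 01:03:16 web01 sshd[1005]: Accepted password for bob from 203.0.113.9 port 40004 ssh2
Apr 23 01:05:00 web01 sshd[1006]: Accepted password for carol from 203.0.113.9 port 40010 ssh2
Apr 23 01:05:30 web01 sshd[1007]: Accepted password for dave from 203.0.113.9 port 40011 ssh2
Apr 23 01:05:45 web01 sshd[1008]: Accepted password for erin from 203.0.113.9 port 40012 ssh2
"""

# Match sshd's standard "Accepted/Failed <method> for <user> from <ip>" auth lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse(log_text):
    return [m.groupdict() for m in (LINE_RE.search(l) for l in log_text.splitlines()) if m]

def analyse(log_text, max_failures=3, max_accounts_per_ip=2):
    """Flag password logins, brute-force-then-success, and one IP succeeding on many accounts."""
    events = parse(log_text)
    failures = defaultdict(int)         # (ip, user) -> consecutive failures seen so far
    accounts_per_ip = defaultdict(set)  # ip -> accounts it logged into successfully
    password_logins, brute_force = [], []
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            failures[key] += 1
            continue
        # A success: check what preceded it, then reset the counter.
        if failures[key] >= max_failures:
            brute_force.append(key)
        failures[key] = 0
        accounts_per_ip[e["ip"]].add(e["user"])
        if e["method"] == "password":
            password_logins.append(key)
    credential_reuse = {ip: sorted(users) for ip, users in accounts_per_ip.items()
                        if len(users) > max_accounts_per_ip}
    return {"password_logins": password_logins, "brute_force": brute_force,
            "credential_reuse": credential_reuse}

if __name__ == "__main__":
    for signal, hits in analyse(SAMPLE_LOG).items():
        print(signal, hits)
```

On a real host the same logic runs over `/var/log/auth.log` or `journalctl -u ssh` output; the thresholds are deliberately low here so the constructed sample triggers every signal.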
The data breach should be a large concern for GoDaddy customers, according to Joseph Carson, chief security scientist and Advisory CISO at Thycotic. Any unauthorized access using SSH accounts should not have happened if the company was using multifactor authentication (MFA) or privileged access management (PAM) for remote access accounts.
“A data breach such as this on a large hosting provider is a significant issue as it could unlock the doors to many of their customers’ businesses via unauthorized configuration changes to their websites,” Carson said. “Even worse, it could allow the cybercriminal to make modifications to web services that could steal data, credit card information, or account passwords.”
To guard against these types of data breaches, organizations need to make sure they’re using end-to-end security protection. As always, the goal is to prevent such intrusions before they occur. But technology can only go so far. Organizations also need to educate their employees about phishing emails and other types of attacks designed to expose confidential data.
Customers and users must also follow proper and recommended security guidelines to protect their online accounts. The following advice is always worth repeating:
Create a strong password. Juggling all the passwords you use online is challenging. But you still must devise a strong password for your accounts to keep them as safe as possible from hackers. If you can’t create or remember secure passwords, your best bet is to use a password manager to do the hard work.
Use two-step verification (or two-factor authentication). Using a verification code sent to your mobile phone or email provides a secondary means of confirming your logins. Even if a cybercriminal were to gain access to your login credentials, that person could not sign into your account without knowing the accompanying code.