Web hosting provider GoDaddy has recently reported a security breach in which its servers were compromised and source code was stolen. The incident occurred after attackers gained unauthorized access to its cPanel shared hosting environment in a multi-year attack.
GoDaddy discovered the security breach in early December 2022 after receiving multiple reports from customers that their websites were being redirected to unknown domains. Upon investigation, the company found that the intermittent redirects were happening on seemingly random websites hosted on their cPanel shared hosting servers and were not easily reproducible by GoDaddy, even on the same website.
On further investigation, GoDaddy found that an unauthorized third party had gained access to servers in its cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites.
The company believes that the security breach was part of a multi-year campaign carried out by a sophisticated threat actor group. The group installed malware on the company's systems and obtained pieces of code related to some of its services.
GoDaddy's Security Breach
According to the hosting firm's statement in an SEC filing, they believe that the previous breaches disclosed in March 2020 and November 2021 are also linked to this multi-year campaign.
In March 2020, GoDaddy reported that a threat actor had compromised the login credentials that approximately 28,000 hosting customers used for their hosting accounts, as well as the login credentials of a small number of its personnel. However, these hosting login credentials did not provide access to the hosting customers' main GoDaddy account.
In November 2021, using a compromised password, an unauthorized third party accessed the provisioning system in the company's legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million active and inactive MWP customers across multiple GoDaddy brands.
Broader Campaign Targeting Hosting Companies
GoDaddy noted in the statement that it is working with multiple law enforcement agencies around the world, in addition to forensics experts, to further investigate the issue.
Furthermore, GoDaddy claims that it has discovered additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years. This indicates that the attackers are part of an organized and sophisticated group that has been targeting hosting services.
According to the hosting company's statement, the attackers' apparent goal is to infect websites and servers with malware to conduct phishing campaigns, malware distribution, and other malicious activities. This means that not only GoDaddy but also its customers and their websites could be at risk.