sb-eu logo
Story image

GoDaddy reveals widespread data breach

GoDaddy, the internet domain registrar and web hosting company, has reported a ‘security incident’ in which an attacker gained access to users’ SSH accounts, potentially affecting its 19 million customers.

The company, which is the world’s biggest domain registrar with 77 million domains, apologised to an undisclosed number of its users in an email.

“We recently identified suspicious activity on a subset of our servers and immediately began an investigation,” the email said.

“The investigation found that an unauthorised individual had access to your login information used to connect to SSH on your hosting account.”

GoDaddy mentions there was no evidence that any files were ‘added or modified’ on user accounts. 

The nature of the breach, however, indicates that files could potentially have been viewed and exfiltrated.

The company said it has blocked the ‘unauthorised individual’ from their systems, and that it has reset the user’s hosting account login information to prevent unauthorised access.

SC Magazine reported that the actual breach took place in October last year but was only discovered on April 23 2020 – meaning attackers had access for over half a year.

“It is astonishing that GoDaddy was unable to detect unauthorised access to SSH account credentials for about eight months," says LogRhythm Labs chief information security officer and vice president James Carder.

"With this particular incident, there are further unknowns such as whether sensitive files were exfiltrated from the accounts, and exactly how many accounts from GoDaddy’s hosting environment were compromised."

Carder says the breach sheds light on an increasingly pressing issue - that many large enterprises still lack a comprehensive approach to detecting and combating threats.

"It is easy to assume that GoDaddy, as the world’s largest domain registrar, would have proper security in place to prevent, detect, and respond to these types of threats," says Carder.

"GoDaddy should have had stricter SSH security measures in place rather than just a simple username and password."

GoDaddy urged the recipients of its email to conduct an audit of their hosting account in light of the breach.

It also said that the incident was limited only to customers’ hosting accounts.

“Your main customer account, and the information stored within your customer account, was not accessible by this threat actor,” the company said in the email.

GoDaddy has offered a full year of Website Security Deluxe and Express Malware Removal free of charge to its affected customers.

“With this service, if a problem arises, there is a special way to contact our security team and they will be there to help,” the company said.

Venafi threat intelligence specialist Yana Blachman says the breach underlines just how important SSH security is. 

“SSH is used to access an organisation’s most critical assets, so it’s vital that organisations stick to the highest security level of SSH access and disable basic credential authentication, and use machine identities instead,” says Blachman.

“This involves implementing strong private-public key cryptography to authenticate a user and a system.

"Alongside this, organisations must have visibility over all their SSH machine identities in use across the data centre and cloud, and automated processes in place to change them,” adds Blachman.

“SSH automates control over all manner of systems, and without full visibility into where they’re being used, hackers will continue to target them.”

Story image
Fortinet resolves to help communities through new Corporate Foundation
“Through the establishment of a Corporate Foundation, we are extending investments in security training and education, employee community engagement and disaster relief efforts to empower and protect our communities, as well as positively impact our business, employees, customers and shareholders.”More
Story image
Australians ignoring cybersecurity policies in favour of productivity
Trend Micro has found that 67% of remote workers have increased their cybersecurity awareness during COVID-19 related lockdowns. However, despite greater awareness people may still engage in risky behaviour, the survey finds.More
Story image
Cyber attacks use LinkedIn to target companies and employees
The attacks, which ESET researchers have called Operation In(ter)ception, took place from September to December 2019 and are notable for using LinkedIn-based spearphishing. More
Story image
US oil & energy providers hit by plunging market cap in 1H 2020
As the COVID-19 coronavirus pandemic continues to lead many market sectors into turbulence, the energy sector has not escaped unscathed.More
Story image
CIOs put too much trust in TLS certificates - survey
Despite the prolific usage of TLS certificates within organisations, many CIOs aren't concerned about security risks associated with TLS machine identities.More
Story image
Gartner recognises Pulse Secure for Zero Trust Network Access solution
In the market guide, Gartner states that ZTNA augments traditional VPN technologies for application access, and removes the excessive trust once required to allow employees and partners to connect and collaborate. More