Bea Beltran Tech 02.17.2023 22:Feb PM EST

GoDaddy Suffers Multi-Year Cyber Attack Resulting in Theft of Source Code

GoDaddy has been subjected to a system breach that appears to have been going on for years. The hackers stole the company's source code and installed malware on its servers, leaving its customers vulnerable to malware.

Recent GoDaddy Breach

The web hosting company, which has 20 million customers globally, found out about the security breach with its cPanel shared hosting environment back in December 2022. Customers claimed that their sites were used to intermittently redirect to different domains.

GoDaddy has reason to believe that the hackers breached their systems for several years now, saying that the incidents were part of a multi-year campaign by a sophisticated group of hackers. The attackers installed malware that led to the company's source code being stolen.

The company also suffered a system breach back in November 2021 as well as March 2020. According to Bleeping Computer, the company believes that the previously mentioned attacks are connected to the recent breach, signifying a multi-year campaign.

The company found additional evidence that links the hackers to a bigger campaign that targets other hosting companies from all over the world. GoDaddy is already working with law enforcement agencies and forensic experts to investigate the issue.

The company says that based on its investigation, the threat actors' goal is to infect websites and servers with malware to conduct phishing campaigns and distribute malware, as well as other malicious activities, according to their website.

Previous Attacks

The web hosting company's November 2021 data breach saw unauthorized third-party access to its Managed WordPress hosting environment. Upon detecting suspicious activity, GoDaddy investigated the issue with the assistance of an IT forensics firm and law enforcement.

The attackers used a compromised password to access the provisioning system in the company's legacy code for Managed WordPress, according to an SEC filing. They determined that the threat actors have had access to customer information since early September 2021.

Around 1.2 million Managed WordPress customers, both active and inactive, had their email addresses and contact numbers accessed. It also resulted in the original WordPress Admin password being exposed, prompting the company to reset the passwords.

The threat actors also access sFTP and database usernames, as well as passwords for active customers leading to a password reset. This also goes for a subset of customers where their SSL private key was exposed, resulting in the issuing and installing of new certificates.

In the March 2020 incident, GoDaddy sent an email to its customers informing them of the system breach, which exposed their web hosting account credentials. Suspicious activity was also detected in their servers which prompted an investigation.

The hackers had access to customers' login credentials that are used to connect to SSH on their hosting accounts. However, the company found no evidence of added files or modifications in the affected accounts and investigated the issue further.

GoDaddy eventually reset the hosting account login information of the customers to avoid unauthorized access in the future. The company urged its customers to conduct an audit of their hosting accounts to see if there have been some changes.