GoDaddy, the world’s largest domain registrar, has confirmed that 28,000 customer web hosting accounts were compromised in a security incident in October 2019. GoDaddy has over 19 million customers, 77 million managed domains and millions of hosted websites. Here’s what you need to know about the breach.
GoDaddy CISO Demetrius Comes reported that the security incident was discovered on April 23, 2020, when the company identified suspicious activity on some of its servers. The breach appears to have occurred on October 19, 2019, according to the California State Department of Justice.
GoDaddy is requiring affected customers to reset their passwords and is offering them one year of free access to the Website Security Deluxe and Express Malware Removal service.
How did the breach happen?
From a technical point of view, it is not yet clear how the attack was carried out. One theory is that the attackers exploited a vulnerability in OpenSSH that was fixed in version 8.1, released on October 9, 2019; the timing fits the period in which GoDaddy’s hosting servers were compromised. Note, however, that the exploitable bug fixed in 8.1 was an integer overflow in the parsing of private keys of the experimental XMSS type, which is not compiled into OpenSSH by default, so this theory requires an unusual build and an attacker able to feed sshd a crafted key. Another possibility is a brute-force or credential-stuffing attack against the SSH logins; such attacks are slow and noisy, and attackers generally prefer faster routes, but they remain commonplace against Internet-facing SSH services. Perhaps the most likely scenario is that the attackers obtained privileged account credentials, whether bought on the dark web or harvested through social engineering or spear phishing, and simply logged in with them.
What are the consequences for customers?
GoDaddy states that the incident involved “only” the credentials (username and password) of the hosting accounts that customers use to access the servers via SSH, and that the information stored in the customer accounts was not accessible to the attackers. However, the incident occurred on October 19, 2019, but was not detected until April 23, 2020; for six months, therefore, the attackers held working SSH credentials for the affected hosting accounts and could have logged in and exfiltrated the content stored there.
Furthermore, the fact that credentials were exposed poses a threat to any customer who used the same password for other applications and services — this password has been in the hands of hackers since last October. Hackers will now be able to use spear phishing attacks against users whose credentials were compromised, as well as phishing attacks on other GoDaddy users.
How could the breach have been avoided?
Several IT best practices can help companies avoid security incidents like the GoDaddy breach:
- Better auditing of user activity helps organizations spot anomalous user behavior in time to prevent breaches. Solutions are available that can monitor the activity of all users, including privileged users, and alert appropriate staff immediately when any user engages in unusual behavior, such as performing operations they rarely do, being active at suspicious times, connecting from untrusted IP addresses or clients, or accessing or removing large amounts of data.
- Following password management best practices is vital as well. Moreover, instead of relying only on the traditional username and password, organizations need to implement multifactor authentication (MFA), especially for privileged accounts.
- In the case of SSH access credentials, organizations should apply the strongest SSH configuration available. In particular, they should disable password authentication on sshd entirely and require public-key authentication, so that both the user and the host are authenticated with key pairs rather than with reusable secrets; the private keys should then be protected with passphrases, rotated, and inventoried like any other privileged credential.
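Two of the controls above, the activity monitoring in the first item and the SSH hardening in the last, as an added example in Python that is not from the original article or from GoDaddy: an audit of sshd_config directives (with the weak settings beside the hardened ones) and a detector run over constructed sshd log lines that flags logins from untrusted networks, off-hours logins, password-based logins where keys are expected, and repeated failures from one source. The trusted networks, working hours, failure threshold, host names and the log lines are all assumptions constructed for the example.

```python
"""Added example: sshd_config audit plus anomaly detection over sshd log lines.
Sample data below is constructed for illustration, not from the incident."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# --- 1. sshd_config audit: weak settings beside the hardened ones -----------
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""
# What we require, and sshd's built-in defaults when a directive is absent.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# sshd accepts "Key value" or "Key=value"; comments start with '#'.
CONF_RE = re.compile(r"^(\w+)\s*=?\s*(\S.*)$")

def audit_sshd_config(text):
    """Return [(directive, found, wanted)] for every non-compliant directive.
    sshd applies the FIRST occurrence of a directive, so later repeats are
    ignored here too. Assumption: global section only, no Match blocks."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = CONF_RE.match(line)
        if m and m.group(1).lower() not in seen:
            seen[m.group(1).lower()] = m.group(2).strip().lower()
    return [(k, seen.get(k, DEFAULTS[k]), want)
            for k, want in REQUIRED.items() if seen.get(k, DEFAULTS[k]) != want]

# --- 2. Detection over sshd syslog lines ------------------------------------
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
WORK_HOURS = range(7, 19)   # assumed: 07:00-18:59 is normal activity
FAIL_THRESHOLD = 5          # assumed: 5 failures from one IP = brute force

def parse(line):
    """Return a dict of fields for an Accepted/Failed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev["ts"][-8:-6])   # "HH" of the trailing HH:MM:SS
    return ev

def detect(lines):
    """Return [(rule, ip, user)] alerts in the order they are raised."""
    alerts, failures = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == FAIL_THRESHOLD:   # alert once per source
                alerts.append(("brute_force", ev["ip"], ev["user"]))
            continue
        # Successful login: apply the "unusual behaviour" rules.
        if not any(ip_address(ev["ip"]) in n for n in TRUSTED_NETS):
            alerts.append(("untrusted_source", ev["ip"], ev["user"]))
        if ev["hour"] not in WORK_HOURS:
            alerts.append(("off_hours", ev["ip"], ev["user"]))
        if ev["method"] == "password":      # keys expected, password used
            alerts.append(("password_auth", ev["ip"], ev["user"]))
    return alerts

SAMPLE_LOG = [  # constructed sshd lines in syslog format (not real data)
    "Oct 19 02:14:07 web1 sshd[1203]: Accepted password for deploy from 203.0.113.45 port 51422 ssh2",
    "Oct 20 09:03:11 web1 sshd[2201]: Accepted publickey for deploy from 10.0.5.12 port 40110 ssh2",
    "Oct 20 09:45:12 web1 sshd[2290]: Failed password for root from 198.51.100.7 port 33112 ssh2",
    "Oct 20 09:45:13 web1 sshd[2291]: Failed password for root from 198.51.100.7 port 33114 ssh2",
    "Oct 20 09:45:14 web1 sshd[2292]: Failed password for root from 198.51.100.7 port 33116 ssh2",
    "Oct 20 09:45:15 web1 sshd[2293]: Failed password for root from 198.51.100.7 port 33118 ssh2",
    "Oct 20 09:45:16 web1 sshd[2294]: Failed password for invalid user admin from 198.51.100.7 port 33120 ssh2",
    "Oct 20 09:46:00 web1 sshd[2295]: Connection closed by 198.51.100.7 port 33120 [preauth]",
]

if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("sshd_config:", *finding)
    for alert in detect(SAMPLE_LOG):
        print("alert:", *alert)
```

The first sample line is the kind of event the article's timeline implies went unnoticed: a successful password login, at 02:14, from an address outside the trusted ranges, and it trips all three success-path rules at once. The hardened configuration makes that event impossible in the first place, because with `PasswordAuthentication no` a stolen password alone no longer opens a session.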
Data breaches are becoming larger and more expensive. By following IT best practices and investing in the right software solutions, organizations can dramatically reduce their risk of landing in the headlines and facing the myriad costs associated with security incidents.