Cyber Incident Victim: GoDaddy
Date: Mar 2020
Location: United States of America
Summary
A sophisticated threat actor group conducted a multi-year campaign against a major web hosting provider, compromising its systems to steal source code and install malware. The attackers repeatedly breached the company's infrastructure, including its cPanel shared hosting and WordPress environments, leading to unauthorized access impacting millions of customers. Compromised data included administrative credentials, email addresses, SSL private keys, and hosting account details. The group leveraged stolen information to redirect customer websites for phishing and malware distribution. Forensic investigations linked these incidents to a broader pattern of attacks targeting multiple global hosting providers, with law enforcement confirming the organized nature of the operation.
Description
The GoDaddy breach, initially detected through customer reports in early December 2022, was part of a sophisticated multi-year campaign by an organized threat actor group targeting the company's infrastructure. Attackers gained prolonged access to GoDaddy's cPanel shared hosting environment, where they stole source code related to internal services and deployed malware on company servers. This incident was linked to two prior breaches disclosed by GoDaddy: a November 2021 compromise affecting 1.2 million Managed WordPress customers and a March 2020 incident impacting 28,000 hosting account users. The March 2020 breach stemmed from attackers using stolen web hosting credentials in October 2019 to access customer accounts via SSH. The November 2021 intrusion involved unauthorized access to GoDaddy's WordPress hosting environment through a compromised password, exposing customer email addresses, WordPress admin credentials, sFTP details, database credentials, and SSL private keys for active clients. Forensic evidence indicated the threat actors operated across multiple years with objectives including malware installation for phishing operations, malicious software distribution, and website redirection attacks.

GoDaddy confirmed the campaign extended beyond their infrastructure, with law enforcement verifying coordinated attacks against other global hosting providers. The company engaged external cybersecurity forensics teams and collaborated with international law enforcement agencies to investigate the breach's root cause. Customer impacts included unauthorized redirects of legitimate websites to malicious domains, potential exposure of sensitive authentication data, and compromised server integrity due to implanted malware. The breach highlighted systemic risks across the hosting industry, as attackers specifically targeted service providers to amplify malicious activities. GoDaddy's SEC filings emphasized the operational and reputational consequences of these interconnected incidents while underscoring the persistent threat posed by the advanced actor group. No further details regarding containment measures or specific malware variants were disclosed in the available reporting.
