
Cyber Incident Victim: GoDaddy

Date:

Oct 2019

Location:

United States of America

Summary

GoDaddy experienced a security incident where unauthorized individuals accessed a subset of customer hosting accounts via compromised SSH credentials, discovered after detecting altered SSH files and suspicious server activity. The breach was confined to hosting accounts, with no evidence of file modifications or access to primary customer accounts. The company reset affected credentials, advised users to review their accounts, and provided complimentary security services. This incident followed prior issues involving compromised accounts for scam subdomains and unauthorized website script injections.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On October 19, 2019, an unauthorized party gained access to a subset of GoDaddy's hosting accounts by exploiting compromised credentials, enabling connections via SSH. The breach remained undetected until April 23, 2020, when GoDaddy's security team identified an altered SSH file within their hosting environment alongside suspicious server activity. Investigation revealed the attackers infiltrated web hosting accounts specifically, with no evidence of file additions or modifications on impacted accounts. GoDaddy confirmed the attackers could not access customers' primary accounts, limiting exposure to hosting credentials. As the world's largest domain registrar serving approximately 19 million customers, the incident posed significant operational risks despite the constrained breach scope.


Upon discovery, GoDaddy initiated credential resets for affected hosting accounts and notified impacted users about the six-month latency between intrusion and detection. The company advised customers to audit their accounts for unauthorized changes and offered complimentary security services: one year of Website Security Deluxe and Express Malware Removal. No financial or main account compromises were reported, aligning with GoDaddy's assessment that only hosting infrastructure was targeted. This incident followed prior security challenges, including 2019 incidents where scammers abused compromised accounts to create fraudulent subdomains and GoDaddy itself injected JavaScript into customer sites for performance monitoring. The breach highlighted persistent credential-based vulnerabilities in hosting environments despite segmented account architectures.

Sources
Sources available to members
1 source