GoDaddy Data Breach: Here Is What You Should Know
The web hosting provider and domain registrar GoDaddy was hit by a data breach that compromised the hosting accounts of some 28,000 customers. The company filed a breach notification with the California Attorney General's Office confirming that suspicious activity had occurred on several of its servers on October 19, 2019. After investigating, GoDaddy determined that an unauthorized person had obtained the SSH (Secure Shell) usernames and passwords that customers use to connect to their hosting accounts.
The company provided further details in the following statement:
"On April 23, 2020, we identified an unauthorized individual who had compromised SSH usernames and passwords in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers' credentials or modified any customer hosting accounts.
The individual did not have access to customers' main GoDaddy accounts."
The breach came hot on the heels of another GoDaddy scam that was doing the rounds at the time.
More on SSH
SSH provides an encrypted channel for interacting with remote systems and transferring files over a network. With a hosting company like GoDaddy, customers use SSH credentials (a username with a password or a key pair) to connect to their hosting accounts, upload or transfer files, and run commands from a command line.
In its notification, the company stated that it had found no evidence that any files had been added or modified in the affected accounts, although it was still examining the potential impact. The incident was confined to hosting accounts and did not affect customers' main GoDaddy accounts. The person identified in the breach has since been blocked from GoDaddy's systems.
GoDaddy has advised affected users to audit their hosting accounts. The company also said it would provide affected customers with one free year of its "Express Malware Removal" and "Website Security Deluxe" services, which scan customer websites for malware and vulnerabilities.
The GoDaddy Breach
GoDaddy did not disclose the root cause of the breach, but in March one of the company's customer service representatives fell for a phishing email. The attacker was able to view and alter several customer records, including the domain settings of several GoDaddy customers, such as the transaction brokering site escrow.com. In a follow-up notice, escrow.com CEO Matt Barrie stated that his company had regained full control of its DNS records.
When a data breach occurs, a specific vulnerability or misconfiguration is usually identified as the cause of the unauthorized access. Skilled attackers are constantly probing an organization's network, systems and users for such weaknesses. That is why businesses need to make a deliberate effort to maintain and strengthen their data protection measures, especially when they hold the keys to confidential customer information.
It is not clear whether GoDaddy's breach stemmed from the reuse of previously stolen credentials (credential stuffing), from brute-force password guessing, or from something else. Many believe it may have originated with the publicized incident in which the support employee was successfully phished.
Irrespective of how the unauthorized access was achieved, the incident is a strong reminder that monitoring how privileged logins are used, not merely whether they are accepted, can be the difference between detecting an active attack and being entirely unaware of an intrusion.
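The following is an added example, not code from the article or from GoDaddy, of what "monitoring how logins are used" can look like in practice. It parses the `Accepted ...` lines that OpenSSH's sshd writes to the auth log, and flags three patterns that matter in a stolen-credential scenario like this one: password (rather than key) logins, logins from a source address a user has never used before, and one address authenticating as many different users in succession. The log lines, account names and addresses are constructed for the demo; the baseline of "known" addresses per user is assumed to come from earlier logs.

```python
# Added example (not from the article or GoDaddy): spotting abuse of valid SSH
# credentials in sshd auth logs. All log lines below are constructed.
import re
from collections import defaultdict

# sshd logs successful logins in this shape on most Linux hosts.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: three customers logging in normally, then one source
# address that works through a list of hosting users by password.
SAMPLE_LOG = """\
Oct 19 02:11:04 web1 sshd[2101]: Accepted publickey for cust001 from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:abc
Oct 19 02:15:40 web1 sshd[2150]: Accepted publickey for cust002 from 198.51.100.7 port 40211 ssh2: ED25519 SHA256:def
Oct 19 03:02:19 web1 sshd[2302]: Failed password for cust003 from 198.51.100.9 port 40310 ssh2
Oct 19 03:02:25 web1 sshd[2302]: Accepted password for cust003 from 198.51.100.9 port 40310 ssh2
Oct 19 03:40:01 web1 sshd[2410]: Accepted password for cust004 from 192.0.2.44 port 60001 ssh2
Oct 19 03:40:09 web1 sshd[2411]: Accepted password for cust005 from 192.0.2.44 port 60002 ssh2
Oct 19 03:40:17 web1 sshd[2412]: Accepted password for cust006 from 192.0.2.44 port 60003 ssh2
Oct 19 03:40:26 web1 sshd[2413]: Accepted password for cust007 from 192.0.2.44 port 60004 ssh2
"""


def parse_accepted(log_text):
    """Yield (method, user, ip) for every successful sshd login in the text."""
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            yield m.group("method"), m.group("user"), m.group("ip")


def analyse_logins(log_text, known_ips=None, max_users_per_ip=3):
    """Return findings about how accepted logins were used.

    known_ips maps user -> set of addresses that user has logged in from
    before (assumed to be built from historical logs; None means no baseline).
    Findings:
      password_logins    - logins that used a password instead of a key
      new_source         - logins from an address the user never used before
      many_users_from_ip - one address authenticating as more than
                           max_users_per_ip distinct users (credential list
                           being worked through)
    """
    known_ips = known_ips or {}
    users_by_ip = defaultdict(set)
    findings = {"password_logins": [], "new_source": [], "many_users_from_ip": []}
    for method, user, ip in parse_accepted(log_text):
        users_by_ip[ip].add(user)
        if method == "password":
            findings["password_logins"].append((user, ip))
        if ip not in known_ips.get(user, set()):
            findings["new_source"].append((user, ip))
    for ip, users in users_by_ip.items():
        if len(users) > max_users_per_ip:
            findings["many_users_from_ip"].append((ip, sorted(users)))
    return findings


if __name__ == "__main__":
    baseline = {"cust001": {"203.0.113.5"}, "cust002": {"198.51.100.7"},
                "cust003": {"198.51.100.9"}}
    for kind, items in analyse_logins(SAMPLE_LOG, baseline).items():
        print(kind, items)
```

None of these signals is proof of compromise on its own (a customer may simply be travelling), but the combination seen for 192.0.2.44 above, many accounts from one address, all by password, none previously seen, is exactly the pattern a provider would want to alert on rather than discover months later.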
This breach should be a significant concern for GoDaddy's existing customers. Stolen SSH usernames and passwords would have been of far less use to the attacker if the company had required multi-factor authentication (MFA) for SSH access, or had placed remote access behind a privileged access management (PAM) system that brokers and records every session.
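As an added illustration (not GoDaddy's configuration, which is not public), the script below audits an OpenSSH `sshd_config` for the settings that decide whether a stolen password alone is enough to log in, and shows a weak configuration next to a hardened one that requires a key plus a second factor delivered through PAM. The directive names are real OpenSSH keywords; the two sample configurations and the PAM-based second factor are assumptions for the demo.

```python
# Added example (not GoDaddy's config): auditing sshd_config for the settings
# that let a stolen SSH password log in on its own. Sample configs constructed.

# Weak: what many shared hosts ship with. A password alone is sufficient.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Hardened: no passwords, and a key AND a PAM-supplied second factor
# (for example a TOTP module) are both required for every login.
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global section.

    sshd takes the FIRST value it sees for each keyword, so a hardened
    line appended at the bottom of the file is silently ignored if a weak
    one appears above it. Parsing stops at the first Match block, whose
    settings apply only conditionally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if "=" in key:                      # "Keyword=value" form
            key, _, value = key.partition("=")
        key = key.lower()
        value = value.strip().lstrip("=").strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes.

    Defaults used when a keyword is absent are OpenSSH's own defaults.
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root reachable with a password")
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: a stolen password alone logs in")
    methods = s.get("authenticationmethods", "any")
    alternatives = methods.split()          # space-separated alternatives
    if methods == "any" or any("," not in alt for alt in alternatives):
        findings.append("AuthenticationMethods does not require two factors")
    elif "keyboard-interactive" in methods and s.get("usepam", "no") != "yes":
        findings.append("keyboard-interactive MFA needs UsePAM yes")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication disabled")
    return findings


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

With `AuthenticationMethods publickey,keyboard-interactive` in place, the 28,000 stolen username/password pairs would have been useless by themselves: a login needs the private key and the second factor, and `PasswordAuthentication no` means the password prompt is never even offered. Run the audit after every config change, because of the first-value-wins rule the parser models.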
Data breaches at a sizable web hosting provider are a concern because they open the door to almost all of the provider's customers' businesses through unauthorized modifications to their websites. And GoDaddy is not alone. A recent report by London-based database administrator Alex Williams found that 17 of the 33 top UK hosting providers had suffered a data breach within the last year. Worse, such breaches allow attackers to alter the web services running on the affected sites, exposing customer information such as credit card details and passwords.
SSH keys are widely used for secure remote access to cloud systems, VPN gateways, and many other networked devices. An SSH key in the wrong hands can be devastating for an organization: it can be used to overwrite data, install malware, reach critical systems, and do so over a session that is itself encrypted and therefore opaque to network controls that rely on inspecting traffic.
Although such attacks were once the preserve of well-funded attackers targeting governments and critical service providers, companies of all sizes can now end up on the losing side.
Protecting SSH keys and credentials from prying eyes makes an attacker's job much harder. As with any cyber threat, prevention is better than cure, and visibility into where keys exist and how they are used is crucial if the chance of an SSH compromise is to be minimized.
It is vital to manage SSH keys as carefully as any other cryptographic key material: if they leak, the whole infrastructure that trusts them is weakened. Any company that uses SSH keys should keep a secure, up-to-date inventory of every active key and the accounts it authorizes, remove keys that are no longer needed, run endpoint protection on server workloads, and require a VPN or similar gateway in front of SSH on cloud services. Businesses should also consider a cloud access broker or secrets vault to hold and rotate SSH keys rather than leaving them scattered across individual machines.
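The "inventory of every active key" recommendation is easier to act on with a concrete tool, so here is an added example (not the article's or GoDaddy's tooling) that parses `authorized_keys` files for a set of accounts, computes the same `SHA256:` fingerprints that `ssh-keygen -l` prints, and reports keys that appear in more than one account or carry no restrictions. The accounts, the key material and the `authorized_keys` contents are constructed; the key blobs are well-formed `ssh-ed25519` structures with dummy public-key bytes rather than real keys.

```python
# Added example (not GoDaddy's tooling): inventory of SSH keys per account with
# OpenSSH-style SHA256 fingerprints. Accounts and key material are constructed.
import base64
import hashlib
import shlex
import struct


def _ed25519_blob(fill_byte):
    """Build a syntactically valid ssh-ed25519 public key blob (demo only)."""
    algo = b"ssh-ed25519"
    pub = bytes([fill_byte]) * 32          # dummy 32-byte public key
    return struct.pack(">I", len(algo)) + algo + struct.pack(">I", len(pub)) + pub


DEMO_KEY_A = base64.b64encode(_ed25519_blob(0x11)).decode()
DEMO_KEY_B = base64.b64encode(_ed25519_blob(0x22)).decode()

# account -> contents of that account's ~/.ssh/authorized_keys (constructed)
ACCOUNTS = {
    "cust001": f"ssh-ed25519 {DEMO_KEY_A} alice@laptop\n",
    "cust002": ("# deploy key, limited to rsync\n"
                f'restrict,command="/usr/bin/rsync --server" ssh-ed25519 {DEMO_KEY_B} deploy\n'),
    "cust003": f"ssh-ed25519 {DEMO_KEY_A} alice@laptop\n",   # same key as cust001
}


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield one dict per key line: type, fingerprint, comment, options."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)         # keeps quoted option values together
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"unparseable authorized_keys line: {line!r}")
        ktype = tokens[idx]
        blob = base64.b64decode(tokens[idx + 1])
        # The blob embeds its own type string; it must match the text type.
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n].decode() != ktype:
            raise ValueError(f"key type mismatch on line: {line!r}")
        options = tokens[0].split(",") if idx == 1 else []
        yield {"type": ktype, "fingerprint": fingerprint(blob),
               "comment": " ".join(tokens[idx + 2:]), "options": options}


def build_inventory(accounts):
    """Return (inventory, shared, unrestricted).

    inventory   : fingerprint -> list of {account, type, comment, options}
    shared      : fingerprints authorizing more than one account
    unrestricted: (account, fingerprint) pairs with no options at all
    """
    inventory = {}
    unrestricted = []
    for account, text in accounts.items():
        for key in parse_authorized_keys(text):
            entry = {"account": account, **{k: key[k] for k in ("type", "comment", "options")}}
            inventory.setdefault(key["fingerprint"], []).append(entry)
            if not key["options"]:
                unrestricted.append((account, key["fingerprint"]))
    shared = sorted(fp for fp, entries in inventory.items()
                    if len({e["account"] for e in entries}) > 1)
    return inventory, shared, unrestricted


if __name__ == "__main__":
    inv, shared, unrestricted = build_inventory(ACCOUNTS)
    for fp, entries in inv.items():
        print(fp, [(e["account"], e["comment"], e["options"]) for e in entries])
    print("shared across accounts:", shared)
    print("unrestricted:", unrestricted)
```

Fingerprints are what make the inventory useful: they let you match a key seen in a log line or on a compromised laptop to every account it can open, regardless of the comment someone typed next to it. A key found in several accounts (as `alice@laptop` is here) or with no `restrict`/`command=` options is the first thing to question during a review of the kind GoDaddy asked its customers to perform.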
What Customers Can Do
Customers and users should always apply the recommended safety measures to safeguard their online accounts. The following guidelines are worth reiterating:
- Use a strong, unique password. Managing all of the passwords you use online can be a challenge, but you still need a reliable approach to keep your accounts as safe as possible from cybercriminals. If you do not know how to create or remember secure passwords, your best option is a password manager. Most antivirus suites, as well as some browsers such as Chrome and Safari, now include one.
- Use two-step (or multi-factor) verification. A verification code sent to your phone or email, or better still generated by an authenticator app, adds a second layer to your login. Even if an attacker has your username and password, they cannot sign in without the corresponding code.