GoDaddy suffered a huge hack that saw criminals steal source code and install malware

(Image credit: Godaddy)

An unknown threat actor was sitting in GoDaddy’s systems for several years, installing malware, stealing source code, and attacking the company’s customers, the web hosting giant has confirmed. 

The company's SEC filing (via BleepingComputer), the attackers breached GoDaddy’s cPanel shared hosting environment and used that as a launch pad for further attacks. The company described the hackers as a “sophisticated threat actor group”.

The group was eventually spotted in late 2022 when customers started reporting that traffic coming to their websites was being redirected elsewhere.

TechRadar Pro needs you!

We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

GoDaddy now believes that the data breaches that were reported in March 2020 and November 2021 were all linked.

"Based on our investigation," it wrote in the filing, "we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,"

During the November 2021 incident, the user data of some 1.2 million of its customers were accessed by the attackers. This included both active and inactive users, with email addresses and customer numbers being exposed. 

The company also said that the original WordPress admin password, created once a new install of WordPress has completed, was also exposed, giving attackers access to those installations.

GoDaddy also revealed that active customers had their sFTP credentials and the usernames and passwords for their WordPress databases, that are used to store all of their content, exposed in the breach. 

However, in some cases, customer's SSL private keys were exposed and if abused, this key could allow an attacker to impersonate a customer's website or other services. 

While GoDaddy has reset customer WordPress passwords and private keys, it is currently in the process of issuing them new SSL certificates.

In a statement published in February 2023, the web hosting giant claims to have employed an external cybersecurity forensics team, and brought in law enforcement agencies from all over the world to investigate the matter further. 

It's also clear, now, that attacks on GoDaddy were part of a wider campaign on web hosting companies around the world.

"We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,"

"According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities."

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.