GoDaddy just realised it had a three-year security breach

Breaches from 2020 and 2021 thought to be linked

Domain registrar and web-hosting firm GoDaddy has disclosed a multi-year security breach that enabled cybercriminals to access the company's systems, install malware and steal source code.

The company believes a "sophisticated and organised" group targeting hosting services was responsible for the attack.

GoDaddy is one of the largest domain registrars and web hosting services in the world, with more than 20 million customers worldwide.

The firm said some customers complained about websites being intermittently redirected in early December 2022.

Upon investigation, the company found the issue was affecting random websites hosted on GoDaddy's cPanel shared hosting servers.

GoDaddy found that an unauthorised third party had gained access to its servers in the cPanel shared hosting environment, and had also installed malware causing the intermittent redirection.

As is standard, the company remediated the situation and implemented new security measures.

While it discovered the breach in early December, GoDaddy believes the threat actors had been able to access the company's network for several years.

In an SEC filing, the hosting firm said the cybercriminals had also obtained pieces of source code related to some of its services, among other information.

Previous breaches uncovered in March 2020 and November 2021 are also thought to be linked to this multi-year campaign.

The breach in March 2020 involved the compromise of hosting login credentials for around 28,000 customers, as well as a small number of GoDaddy personnel.

The November 2021 breach exposed emails and customer numbers of as many as 1.2 million of GoDaddy's managed WordPress customers.

GoDaddy hasn't shared the number of customers affected by the latest breach, nor the type of data that may have been compromised.

The company said it is working with "cybersecurity experts and law enforcement agencies." It is also monitoring the activities of the criminal group it believes to be responsible, to block any further unauthorised access to its systems.

The company says it has found evidence linking the threat actor to a wider campaign targeting other hosting companies around the world, over the course of several years.

"According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities," it said.

"We are using lessons from this incident to enhance the security of our systems and further protect our customers and their data," it added.