GoDaddy, the world’s largest domain registrar, has confirmed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in October 2019.
Unfortunately, the web-hosting company only discovered the breach in late April and filed a breach notice with California’s Attorney General’s Office earlier this week.
An “unauthorized individual had access to your login information used to connect to SSH on your hosting account,” said Demetrius Comes, the company’s CISO. “This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor.”
Although the breach is said to be limited to hosting accounts, excluding customer accounts and personal information, GoDaddy also reset passwords and usernames for some of its customers. The company gave no additional details of the incident, so it's unknown how the bad actor gained access to customer login credentials. However, the cybercriminal may have stolen the credentials or used brute-force attacks to guess customers' passwords.
“We have proactively reset your hosting account login information to help prevent any potential unauthorized access,” the company said. After apologizing to customers, GoDaddy pledged to provide website security and malware removal services free of charge.
“On behalf of the entire GoDaddy team, we want to say how much we appreciate your business and that we sincerely regret this incident occurred,” the company said. “We are providing you one year of Website Security Deluxe and Express Malware Removal at no cost. These services run scans on your website to identify and alert you of any potential security vulnerabilities. With this service, if a problem arises, there is a special way to contact our security team and they will be there to help.”
This is not the company’s first security incident this year. In early March, a spear-phishing campaign targeted a GoDaddy employee, leading to the threat actors gaining access to customer records. The attackers were also able to change DNS settings for some hosted websites.
For the moment, the two incidents have not been linked, and users are advised to closely monitor their accounts, making sure not to use recycled passwords.