GoDaddy’s Latest Breach Affects 1.2M Customers

The kingpin domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.

By: Tara Seals


On Monday, the world’s largest domain registrar said in a public filing to the SEC that an “unauthorized third party” managed to infiltrate its systems on Sept. 6 – and that the person(s) had continued access for almost two and a half months before GoDaddy noticed the breach on Nov. 17.


“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” Demetrius Comes, GoDaddy CISO, said in the website notice.


Specifically, the attackers compromised GoDaddy’s Managed WordPress hosting environment – a site-building service that allows companies and individuals to use the popular WordPress content management system (CMS) in a hosted environment, without having to manage and update it themselves.


“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress,” according to Comes.


The information the lurking cybercriminal(s) was/were able to purloin is a mixed bag. The Scottsdale, Ariz.-based firm said that it included:

  • Emails and customer numbers for 1.2 million active and inactive Managed WordPress customers

  • sFTP and database usernames and passwords for active customers (passwords are now reset)

  • SSL private keys “for a subset of active customers,” used to authenticate websites to internet users, enable encryption and prevent impersonation attacks. GoDaddy is in the process of issuing and installing new certificates for affected customers.

It didn’t attach numbers as to how many customers are affected by the database log-in or certificate compromises.


“Our investigation is ongoing, and we are contacting all impacted customers directly with specific details,” Comes concluded. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”


Questions also remain as to how the account itself was protected: Was a strong password in use, or multi-factor authentication (MFA)?


“The key question is, ‘was multifactor in use?’ With this breach being caused by a compromised credential, I wouldn’t imagine the login was protected by multi-factor authentication, which is an element that could have caused this breach,” Randy Watkins, CTO at Critical Start, said via email. “Moving forward, key and password management is crucial. Applying least-privilege where applicable can lessen the impact of a compromised credential, but it’s still best to protect every login with MFA and monitor service accounts that don’t support MFA.”


GoDaddy Customers in Cybercriminals’ Sights


When it comes to the ramifications for those affected, follow-on phishing is the obvious thing to watch out for, as flagged by GoDaddy in its announcement. But other issues should also be considered, researchers said.


“This breach could mean a few things for users,” said Watkins. “There is a chance that keys or credentials could be used to gain access or impersonate customer sites. Eit