Cybersecurity pros are coming down hard on GoDaddy after the domain registry company reported that an outsider had accessed customer login credentials, possibly affecting all 19 million of the company's accounts.
GoDaddy informed its customers of the breach on May 4, saying an unauthorized individual had accessed the login credentials used to connect to SSH on hosting accounts. The breach took place in October 2019 but was only discovered on April 23.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, pointed to two indicators that the company was at fault for the breach. The first is that GoDaddy is offering free Website Security Deluxe and Express Malware Removal to its customers in response to the incident.
“The second concern is that GoDaddy indicates that the customer accounts were breached in October of 2019; however, it has apparently only just now detected the compromise and notified customers. If this is the case, it means the attacker had control of GoDaddy customer hosting accounts for about 7 months before they were discovered,” he said.
To Clements it seems “highly implausible” that someone would have access for such a long period without attempting something nefarious.
Demetrius Comes, CISO & VP of Engineering at GoDaddy, said the unauthorized person has been blocked and the company sees no evidence that any files were added or modified.
“This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account was not accessible by this threat actor,” Comes said.
James McQuiggan, security awareness advocate at KnowBe4, pointed out that connections to SSH servers are difficult to protect and susceptible to brute force attacks.
“Unfortunately, while the connection established may be encrypted, the ability to connect is not very secure. A criminal could attack the SSH server using common usernames like ‘admin’ or ‘administrator’ and launch a brute force attack to guess the password to then gain access using an extensive list of common passwords,” he said.
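The pattern McQuiggan describes, many failed logins for common usernames from one source followed by a success, is visible in ordinary sshd logs and is one of the first things a hosting-account self-audit should look for. The script below is an added illustration, not code from the article or from GoDaddy; the log lines are constructed for the example and the window and threshold values are assumptions, not anything the article specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (not data from the incident).
# 203.0.113.5 guesses common usernames, then lands a password login;
# 198.51.100.7 is a single typo followed by a normal key-based login.
SAMPLE_LOG = """\
May  3 02:14:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
May  3 02:14:02 web1 sshd[1202]: Failed password for invalid user administrator from 203.0.113.5 port 40111 ssh2
May  3 02:14:03 web1 sshd[1203]: Failed password for root from 203.0.113.5 port 40112 ssh2
May  3 02:14:04 web1 sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
May  3 02:14:05 web1 sshd[1205]: Failed password for siteowner from 203.0.113.5 port 40114 ssh2
May  3 02:14:09 web1 sshd[1206]: Accepted password for siteowner from 203.0.113.5 port 40115 ssh2
May  3 02:20:00 web1 sshd[1300]: Failed password for siteowner from 198.51.100.7 port 50001 ssh2
May  3 02:25:00 web1 sshd[1301]: Accepted publickey for siteowner from 198.51.100.7 port 50002 ssh2
"""

# Matches the "Accepted|Failed <method> for [invalid user] <user> from <ip>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2020):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.
    syslog lines carry no year, so the caller supplies one (assumed 2020 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce(lines, window_seconds=60, threshold=4):
    """Return one alert per source IP that reaches `threshold` failed logins
    inside any `window_seconds` span. If a successful login from that IP
    arrives while the burst is still inside the window, record which
    account it landed on: that is the signature of a guessed password."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    stats = defaultdict(lambda: {"failures": 0, "usernames": set(),
                                 "flagged": False, "success_after_burst": None})
    for ev in events:
        ip, s, q = ev["ip"], stats[ev["ip"]], recent[ev["ip"]]
        # Drop failures that have aged out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            s["failures"] += 1
            s["usernames"].add(ev["user"])
            if len(q) >= threshold:
                s["flagged"] = True
        elif len(q) >= threshold:
            # Success while a failure burst is still in the window.
            s["success_after_burst"] = ev["user"]
    return [dict(ip=ip, **s) for ip, s in stats.items() if s["flagged"]]


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{alert['ip']}: {alert['failures']} failures across "
              f"{sorted(alert['usernames'])}, "
              f"success after burst: {alert['success_after_burst']}")
```

Run against a real `/var/log/auth.log` (or `journalctl -u sshd` output) the same function turns the noise of scanner traffic into a short list of sources worth checking, and any non-empty `success_after_burst` is the entry to act on: the account's password must be rotated and its `~/.ssh/authorized_keys` and recently changed files reviewed. The windowed counter is the same logic tools such as fail2ban apply before blocking a source; disabling password authentication in favour of keys removes the guessing avenue entirely.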
The company reset all affected passwords, and GoDaddy is recommending that all customers conduct a self-audit of their hosting accounts, but there are rumblings in the cybersecurity community that GoDaddy's response is inadequate.
The fact that GoDaddy has had previous security issues caused by worker error raises the question of what caused this incident.
Matt Walmsley, EMEA Director at Vectra, said: “It’s unclear whether GoDaddy’s reported incident was because of the re-use of previously stolen credentials or from brute force attacks. There have also been recent reports of GoDaddy’s support employees being successfully phished, which might be connected.”