Domain registrar GoDaddy discloses multi-year security breach

 


GoDaddy, a web hosting and internet domain registrar, disclosed a multi-year security breach in which unknown attackers installed malware on the company’s cPanel hosting servers and stole source code related to some of its services.

The breach was spotted in December 2022, following customer complaints about their websites being intermittently redirected. A subsequent investigation showed that the attackers planted malware on cPanel hosting servers, which redirected random customers' websites to malicious sites. GoDaddy said it is still investigating the root cause of the breach.

The company also revealed that it experienced several data breaches in March 2020 and in November 2021. In the first case, threat actors compromised the hosting account login credentials of nearly 28,000 customers, as well as the login credentials of a small number of GoDaddy’s employees. However, the attackers were not able to gain access to the hosting customers' main GoDaddy accounts.

In the second breach, attackers used a compromised password to access the provisioning system in the company’s legacy code base for Managed WordPress (MWP), which impacted up to 1.2 million active and inactive MWP customers across multiple GoDaddy brands.

According to the company, all the above-mentioned breaches were carried out by a sophisticated and organized group targeting hosting services like GoDaddy, whose goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.

