A few years ago, hackers broke into GoDaddy, one of the world’s largest domain registrars, which serves 84 million domains and 22 million users and hosts millions of websites. The hack became public only in December 2022; until then, the hackers had access to the data of millions of users, including their email addresses, WordPress passwords, database access, encryption keys, and more. The hack occurred due to a vulnerability in cPanel, a hosting management system that is one of several major systems of its kind used by millions of websites.
Web hosting giant GoDaddy claims it suffered a breach when unknown attackers stole source code and installed malware on its servers after breaking into its cPanel hosting management system in a multi-year attack.
While GoDaddy discovered the security hole after customers reported in early December 2022 that their sites were being used to redirect to random domains, the attackers had actually had access to the company’s network for several years.
“Based on our investigation, we believe that these incidents are part of a multi-year campaign by a sophisticated attack group that, among other things, installed malware on our systems and obtained code snippets related to certain services at GoDaddy,” the hosting company noted in a statement.
The company says that previous hacks detected in November 2021 and March 2020 are also linked to this multi-year campaign.
An incident in November 2021 led to a data breach affecting 1.2 million SMS WordPress customers after attackers hacked into the GoDaddy WordPress hosting environment using a compromised password.
They gained access to the email addresses of all affected customers, their WordPress admin passwords, sFTP and database credentials, and the SSL private keys of a subset of active customers.
Following the March 2020 leak, GoDaddy warned 28,000 customers that an attacker had used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.
GoDaddy is currently working with external cybersecurity experts and law enforcement agencies around the world as part of an ongoing investigation into the root cause of the breach. GoDaddy says it has also found additional evidence linking the threats to a broader campaign targeting other hosting companies around the world over the years.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to the information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities,” the hosting company said in a statement.