GoDaddy Fingers Hacking Campaign for 3-Year Run of Breaches
The Campaign Installed Malware on Internal Systems and Obtained Source Code
Internet domain registrar GoDaddy says it is the victim of a yearslong hacking campaign that installed malware on internal systems and obtained source code.
In an annual disclosure to investors, the publicly traded company says a "sophisticated threat actor group" may be responsible for a run of hacking events.
A number of attacks the company experienced starting in spring 2020 don’t appear to be random, it says. "We believe these incidents are part of a multi-year campaign by a sophisticated threat actor group. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities."
The incidents have "not resulted in any material adverse impact to our businesses or operations."
The company holds nearly one-quarter of the approximately 350 million domain names registered worldwide and hosts approximately 3% of all websites. It ended 2022 with slightly more than $4 billion in revenue.
The most recent incident recounted by the company involves customer complaints made during early December that websites were intermittently redirected to malicious sites. An investigation revealed that an unauthorized third party had gained access to company servers in its cPanel shared hosting environment and installed malware, the company says in a separate statement.
The company previously disclosed that in November 2021 a hacker had used a compromised password to gain access to the provisioning system in GoDaddy's legacy code base for Managed WordPress. The breach exposed the emails of up to 1.2 million active and inactive customers as well as the WordPress admin password set up at the time of provisioning the website.
A threat actor in March 2020 compromised the hosting login credentials of approximately 28,000 hosting customers as well as the login credentials of a small number of company personnel.
The annual disclosure also says the company does not know the status of a possible investigation into its data security and privacy practices by the U.S. Federal Trade Commission. GoDaddy has already acknowledged receiving two civil investigative demands for documents pertaining to its data privacy and security practices from the agency.
"The timing of resolution and the outcome of this matter are uncertain," the company says.
Given the amount of time that has passed since the agency issued the administrative subpoenas, it's possible that the FTC has simply decided not to pursue the investigation further, says Megan Gray, a former agency enforcement attorney.
Most investigations don't result in active cases, she tells Information Security Media Group, but the FTC rarely issues letters officially closing them out. Typically, she says, "We did not tell the company; we just stopped talking to them."