GoDaddy has announced in a letter to customers that it suffered a major security incident in October last year after an unauthorised individual used stolen credentials to log in to users’ hosting accounts.
In October, GoDaddy’s security team identified suspicious activity on a subset of the company’s servers. Following an investigation, the company concluded that an unauthorised individual gained access to the login information used to connect to SSH on a large number of hosting accounts.
GoDaddy has, however, stated that it has no evidence that any files were added to or modified in the accounts. The hosting services provider also confirmed that the individual has been blocked from its systems and that the investigation continues.
As a precautionary measure, GoDaddy has proactively reset the hosting account login information to help prevent any potential unauthorised access.
“Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor. On behalf of the entire GoDaddy team, we want to say how much we appreciate your business and that we sincerely regret this incident occurred. We are providing you one year of Website Security Deluxe and Express Malware Removal at no cost,” the company said in a letter to customers.
Organisations must replace credential authentication with private-public key cryptography to authenticate users
Commenting on the security incident affecting GoDaddy customers, Matt Walmsley, EMEA Director at Vectra, told TEISS that “it’s unclear whether GoDaddy’s reported incident was because of the re-use of previously stolen credentials or from brute force attacks. There have also been recent reports of GoDaddy’s support employees being successfully phished, which might be connected.
“Regardless of how the unauthorised access was gained, it’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant of a breach,” he added.
According to Yana Blachman, threat intelligence specialist at Venafi, the GoDaddy breach underlines just how important SSH security is. SSH is used to access an organisation’s most critical assets, so it is vital that organisations apply the highest level of security to SSH access: disable basic credential (password) authentication and use machine identities instead. This means implementing strong private-public key cryptography to authenticate both the user and the system.
“Alongside this, organisations must have visibility over all their SSH machine identities in use across the datacentre and cloud, and automated processes in place to change them. SSH automates control over all manner of systems, and without full visibility into where they’re being used, hackers will continue to target them,” she added.
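The two recommendations above, enforcing key-based SSH authentication and monitoring how credentials are actually used, can be checked with a short script. The following is an added example written for this article, not code from GoDaddy, Vectra or Venafi; the sshd_config excerpt and auth.log lines are constructed samples, and the hostnames, accounts and addresses in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample sshd_config excerpt (not a real server's configuration).
SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed sample auth.log lines (placeholder hosts, accounts and addresses).
AUTH_LOG = """\
Oct 19 03:12:01 web1 sshd[2211]: Accepted password for hostacct01 from 203.0.113.7 port 51022 ssh2
Oct 19 03:12:05 web1 sshd[2214]: Failed password for hostacct02 from 198.51.100.9 port 51030 ssh2
Oct 19 03:12:06 web1 sshd[2215]: Failed password for invalid user admin from 198.51.100.9 port 51031 ssh2
Oct 19 03:12:08 web1 sshd[2216]: Failed password for hostacct02 from 198.51.100.9 port 51032 ssh2
Oct 19 03:14:40 web1 sshd[2230]: Accepted publickey for hostacct03 from 192.0.2.44 port 40100 ssh2
"""

def audit_sshd_config(text):
    """Report settings that still permit password-based SSH logins.
    Starts from OpenSSH's defaults; sshd honours the first occurrence of a keyword."""
    effective = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
                 "permitrootlogin": "prohibit-password"}
    seen = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in effective and parts[0].lower() not in seen:
            seen.add(parts[0].lower())
            effective[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if effective["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication should be 'no'")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    if effective["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin should be 'no' or 'prohibit-password'")
    return findings

LOG_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (password|publickey) for (?:invalid user )?(\S+) from (\S+)")

def review_auth_log(text, fail_threshold=3):
    """Return (password logins that succeeded, sources with repeated password failures).
    Under a key-only policy the first list should always be empty."""
    password_logins, failures = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        result, method, user, src = m.groups()
        if result == "Accepted" and method == "password":
            password_logins.append((user, src))
        elif result == "Failed" and method == "password":
            failures[src] += 1
    return password_logins, sorted(s for s, n in failures.items() if n >= fail_threshold)
```

Run against the samples, the audit flags the two weak settings and the log review reports one password login plus one source making repeated failed password attempts.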