Full Report
A proposed settlement order from the FTC will require GoDaddy to strengthen its security practices following multiple data breaches at the web hosting giant
Analysis Summary
# Incident Report: Multiple Data Breaches at GoDaddy Due to Security Failures
## Executive Summary
GoDaddy suffered multiple significant data breaches occurring between 2019 and 2022, stemming from systemic failures in asset management, patching, monitoring, and network segmentation, as determined by the FTC. These incidents resulted in the compromise of customer SSH credentials, credit card numbers, and WordPress customer data, leading to website manipulation and malware installation on customer sites. In response, the US FTC proposed a settlement order mandating GoDaddy implement a robust information security program, including mandatory MFA and asset management improvements.
## Incident Details
- Discovery Date: Varies (e.g., October 2019 compromise discovered April 2020; November 2021 breach announced)
- Incident Date: Multiple incidents between 2019 and 2022
- Affected Organization: GoDaddy
- Sector: Web Hosting / Internet Services
- Geography: Global (Affecting international customers)
## Timeline of Events
### Initial Access
- **October 2019:** Threat actor gained unauthorized access to GoDaddy’s Shared Hosting environment.
- **Vector:** Exploitation of an unpatched vulnerability in the Customer-Managed Hosting environment.
- **Details:** Attackers compromised approximately 28,000 customer SSH credentials and 199 employee SSH credentials, none protected by MFA.
### Lateral Movement
- **Indicated (Oct 2019):** Compromised SSH credentials were used to move within the hosting environment, leading to the capture of customer credit card numbers.
- **November 2021:** Threat actor used previously compromised credentials to access an internet-facing API used by customer service staff to retrieve customer data (up to 1.2 million WordPress customers).
- **December 2022:** Shared Hosting environment was compromised again to steal customer SSH credentials.
- **Vector (Dec 2022):** Attackers utilized a compromised file that GoDaddy had failed to remove during remediation from the prior compromise (suspected same actor).
### Data Exfiltration/Impact
- Compromise resulted in:
- Theft of approximately 1000 customer credit card numbers (2019).
- Exposure of data belonging to up to 1.2 million WordPress customers (2021).
- Threat actors altering customers’ websites.
- Installation of malware to steal sensitive information related to site owners' customers.
- Implanting malicious code on websites affecting consumers.
### Detection & Response
- **Detection:** Incident disclosure timing varied; the 2019 breach was not discovered until April 2020. The 2021 breach was revealed in November 2021.
- **Response (Statutory):** FTC proposed a settlement order requiring GoDaddy to implement a comprehensive information security program, mandate MFA, improve asset management, and undergo mandatory testing.
## Attack Methodology
- **Initial Access:** Exploitation of unpatched software vulnerability (2019); Use of previously compromised credentials against APIs (2021); Re-use of artifacts (compromised file) from previous incidents (2022).
- **Persistence:** Suspected persistence maintained through residual compromised artifacts (compromised file in 2022).
- **Privilege Escalation:** Not explicitly detailed, but high-level access seems to have been achieved via credential theft on the shared hosting environment.
- **Defense Evasion:** Failure to adequately log and monitor security-related events likely aided evasion.
- **Credential Access:** Theft occurred via exploitation of shared hosting environment, targeting SSH credentials (employee and customer).
- **Discovery:** Reconnaissance was implicit in the ability to locate and exploit unpatched vulnerabilities and access internal APIs.
- **Lateral Movement:** Use of stolen SSH credentials to move within the hosting environment.
- **Collection:** Gathering of customer credit card numbers and customer PII/account details related to WordPress sites.
- **Exfiltration:** Data transfer resulting from access to APIs and compromised hosting environments.
- **Impact:** Modification of business websites, installation of user-facing malware, theft of financial and customer relationship data.
## Impact Assessment
- **Financial:** Not explicitly disclosed in the context of fines, but implementation costs for the required security overhaul are expected to be high.
- **Data Breach:** SSH credentials (customer and employee), ~1000 customer credit card numbers, and data for up to 1.2 million WordPress customers.
- **Operational:** Customer websites were altered and maliciously modified (business harm).
- **Reputational:** Investigation and enforcement action by the US Federal Trade Commission (FTC) regarding "unreasonable security practices."
## Indicators of Compromise
*(Note: Specific IoCs are sparse in the text, focusing instead on systemic weakness)*
- **Network indicators:** Access to internet-facing API via compromised customer service credentials. Infiltration of Shared Hosting environment.
- **File indicators:** Remnants of compromised files left unremoved post-remediation (2022 incident).
- **Behavioral indicators:** Unauthorized use of SSH protocols/credentials against customer environments.
## Response Actions
The response detailed is primarily regulatory, focusing on systemic future corrections:
- **Containment:** Implied remediation of vulnerabilities and removal of the compromised file by GoDaddy after initial discoveries, though remediation was insufficient (as evidenced by the 2022 recurrence).
- **Eradication:** (Not detailed, assumed to include credential rotation following each breach).
- **Recovery:** Forced recovery driven by the FTC settlement, including:
- Implementation of a robust information security program.
- Requirement to disconnect unsupported, respondent-managed software assets.
- Mandating MFA for all employees and third parties with access to hosting tools.
- Implementation of automated tools for near real-time security event analysis.
## Lessons Learned
- Failure to maintain an adequate inventory of assets and timely software updates directly enabled initial access.
- Inadequate network segmentation allowed broader compromise from a single entry point (Shared Hosting).
- Insufficient security logging and monitoring hindered timely detection of malicious activity.
- Reliance on weak authentication (lack of MFA for high-privilege accounts like SSH) created critical pathways for attackers.
- Incomplete remediation (leaving behind a previously compromised file) allowed for repeat exploitation by the same actor.
## Recommendations
- Establish and enforce a formal, continuous asset management and zero-trust patching program across all environments.
- Immediately enforce Multi-Factor Authentication (MFA) for all employee and third-party access, especially for administrative access (e.g., SSH) and internal systems.
- Implement strict network segmentation between customer-facing services, shared hosting environments, and internal administration tools.
- Deploy automated security monitoring and logging solutions capable of near real-time analysis of security-related events specific to hosting infrastructure.
- Conduct recurring, thorough security validation testing following incidents to ensure all remnants of compromise are eradicated before declaring remediation complete.