Web hosting giant GoDaddy has confirmed that it suffered a security breach in early December 2022 that compromised its cPanel shared hosting environment. Unknown attackers breached the system and installed malware on the servers, and reportedly had access to the company’s network for multiple years. The attackers stole source code and “obtained pieces of code related to some services within GoDaddy,” according to an SEC filing by the company.
GoDaddy disclosed previous breaches in March 2020 and November 2021, which are now believed to be linked to the same group responsible for the recent breach. The November 2021 breach resulted in a data breach affecting 1.2 million Managed WordPress customers, where the attackers gained access to customer email addresses, WordPress admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.
GoDaddy says it is working with cybersecurity forensics experts and law enforcement agencies worldwide to investigate the root cause of the breach. It has also found evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years. The apparent goal of the group is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.
As one of the largest domain registrars, GoDaddy provides hosting services to over 20 million customers worldwide. The company’s statement on the breach recommends that all users change their passwords and enable two-factor authentication to secure their accounts. It also advises customers to monitor their accounts for any suspicious activity and report any unauthorized access.