GoDaddy notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH.
The security incident took place on October 19, 2019, after the company’s security team discovered suspicious activity on a subset of GoDaddy’s servers.
GoDaddy is the world’s largest domain registrar and a web hosting company that provides services to roughly 19 million customers around the world.
Hosting account passwords reset
“The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account,” GoDaddy revealed in the notification letter sent to affected customers.
The company says that it has not yet found any evidence of the attackers adding or modifying any files on the impacted accounts’ hosting.
Additionally, the company assured the affected users that only their hosting accounts were affected as part of the incident, while their main GoDaddy account was not accessible to the attackers.
“We have proactively reset your hosting account login information to help prevent any potential unauthorized access,” GoDaddy added.
Customers are also advised to conduct an audit of their hosting accounts to make sure that everything is in order.
This incident is limited in scope to your hosting account. Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor. – GoDaddy
Even though the breach notification letter’s wording doesn’t point to the exact reason behind this incident, GoDaddy’s message and offer of free services show that this was not likely the customers’ fault.
“On behalf of the entire GoDaddy team, we want to say how much we appreciate your business and that we sincerely regret this incident occurred. We are providing you one year of Website Security Deluxe and Express Malware Removal at no cost,” the letter reads.
“These services run scans on your website to identify and alert you of any potential security vulnerabilities. With this service, if a problem arises, there is a special way to contact our security team and they will be there to help.”
More reports of GoDaddy issues and compromised accounts
Last year, scammers used hundreds of compromised GoDaddy accounts to create 15,000 subdomains, some of them attempting to impersonate popular websites, to redirect potential victims to spam pages that were pushing snake oil products.
That script was used to monitor websites for internal bottlenecks, and to collect data on connection time and page load times — so-called Real User Metrics (RUM) — from U.S. customers using cPanel Shared Hosting or cPanel Business hosting.
BleepingComputer has reached out to GoDaddy for more details but had not heard back at the time of this publication.
GoDaddy notifies users of breached hosting accounts – BleepingComputer