Web hosting behemoth GoDaddy just filed a data breach notification with the US state of California.
The breach letter that’s now part of the public record is just a template, with blanks for the name of the recipient and for a phone number relevant to their region, but it sets out what’s known so far.
If you’re a GoDaddy customer, you’ll know if you were on the list of affected accounts if you see a message like this:
Subject: Security Incident Impacting Your GoDaddy Web Hosting Account
[…]
We need to inform you of a security incident impacting your GoDaddy web hosting account credentials. We recently identified suspicious activity on a subset of our servers and immediately began an investigation.
The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.
There’s more, including a warning that your account information was reset and how to get back into your account, but from a technical point of view – what actually happened and how the breach was detected – there is only the above text to go on.
Clearly this isn’t just a case of credential stuffing, where accounts were accessed because their passwords were the same as the passwords used on other services that had already been breached, or GoDaddy wouldn’t have filed a breach notification.
Also, what’s not obvious from the breach letter (though it is stated on the State of California’s website), is that the breach dates back to October 2019.
In other words, even though resetting your account at this stage was something that GoDaddy needed to do, any crook or crooks who knew your login details could, in theory, have been riffling through your stuff for more than six months.
That’s why GoDaddy also “recommend[s] you conduct an audit of your hosting account”.
That should include looking through your logs for modifications you didn’t expect, especially changes to or additions of files such as PHP scripts, HTML pages, JavaScripts and server plugins.
(When you’re doing an audit for one reason, you might as well be on the lookout for trouble that could have started for other reasons while you’re about it – such as unpatched software or incorrectly configured server options.)
What we can’t tell you is how the “unauthorized individual” mentioned above got access to the illicit data, what that “login information” actually entailed, and what sort of access they actually effected, if any.
We are assuming that GoDaddy’s suggestions that no files “were added or modified” is reasonable – no matter how little else is known as this stage of the investigation, we suspect that unlawful alterations would have been detectable in some way, somewhere in the company’s logs.
We don’t know how many files, if any, the intruder was able to riffle through and perhaps even to make off with, but we’re assuming that GoDaddy may have more findings to reveal in the future.
Figuring out all the many things that could have happened but didn’t is often the hardest part of any follow-up, and GoDaddy’s investigation is still going on.
What next?
GoDaddy is offering affected customers access to some of its add-on services for free, namely the products it calls Website Security Deluxe and Express Malware Removal.
You might as well try them out – if you end up not using them you have lost nothing, but you might find that they find problems you would otherwise have missed, such as long-outdated web server plugins or software that you forgot to patch.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
David
Thanks. I just want to be clear whether this affects customers of GoDaddy who only use them as a domain registrar?
Paul Ducklin
I assume not – the document linked to and quoted above specifically talks about SSH logins and their hosting service.
Amanda Mendoza
According to some other news sources, this GoDaddy incident is being misreported:
https://www.theregister.co.uk/2020/05/05/godaddy_ssh_login_details_compromised/
Paul Ducklin
That article claims more detail (perhaps GoDaddy should have put that in its breach notice?) but is commensurate with this report. It’s still not clear whether the hacker overwrote SSH login data in order to replace existing password hashes or public keys with ones for which they had the corresponding private data or what, but it’s definitely “unauthorised access to login info”…
a reader
I think you should fix the english here : somwhere
Paul Ducklin
Fixed, thanks.
Bryan
*grumble*
Lately I’m less than thrilled with GoDaddy aside this anyway. Length-limited passwords, changeable solely through the web UI, ALL (ALL) passwordless sudo. This story does not improve my standing bleak assessment. I’ve not received such a message just yet–which hopefully means something.
Maybe this explains why recent support for the intermittent WHM is (how shall we say…?) less than attentive:
they’ve been preoccupied with other customers’ security issues.
Curious, this: no evidence that any files were added or modified
Intriguing that a [form letter] would acknowledge shell access yet blanket-assert no alteration. I wonder if a support employee was caught randomly snooping while idle, and then access logs were resurrected to find out how often it had happened?
Thanks for the heads-up Duck.
Bryan
PS: Typo in
somwhere in the company’s logs
Paul Ducklin
Fixed, thanks.
Paul Ducklin
To be fair, if they know someone got at (or modified so they knew passwords for) authentication data but couldn’t find any file modifications against affected accounts that logged in after the “login info” SNAFU, then they would have reason to assume no changes were made because of this hack.
Bryan
Of course you’re right.
However, not even a single altered file strikes me as odd. Or as though GD applied a very cursory “altered file” scan, akin to peeking in the front door to confirm burglars took nothing. With passwordless sudo as the default, 28k counts of unauthorized access leaving it all alone is just exceedingly unlikely.
Unless…
Aside my (admittedly quite time-consuming) “bored employees” scenario:
Maybe it was a mass test of compromised/illicitly-acquired credentials*, the planning stage of some wide-scope endeavor. That would certainly align with “the unauthorized individual has been blocked from our systems, if they were silly enough to test all 28,000 logins from the same host.”
* From a yet-to-be-announced database breach? Yet-to-be-unearthed?
Bryan
To further illustrate how I can overthink and second guess myself with the best of ’em…
I concede I made the assumption this form letter applies to all the affected accounts.
It’s certainly possible that altered files were found in 527 of the accounts, and those customers received a personally-tailored variant of the notification.
That’s probably more probable. Probably.
Paul Ducklin
If there were two breach letters with different content I think that GoDaddy would have had to lodge two letters with the State of California.