Hosting company giant GoDaddy has disclosed that its cPanel shared hosting infrastructure was the objective of a multi-year cyberattack that ended in a security breach.
The attackers stole source code and implanted malware on the company’s servers after gaining access to its systems.
Although GoDaddy identified the breach only after receiving complaints from customers at the beginning of December 2022 that their websites were being redirected to inappropriate sites, the attackers had been inside the corporate servers for many years before they were discovered.
“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the hosting firm said in an SEC filing.
The firm believes that earlier security breaches, including the ones detected in November 2021 and March 2020, were also part of this multi-year operation.
In November 2021, attackers got into GoDaddy’s WordPress hosting infrastructure using a leaked credential, resulting in a breach that impacted 1.2 million Managed WordPress customers.
They were able to obtain the email addresses of all affected customers, along with their WordPress admin passwords, sFTP and database credentials, and, for a portion of those customers, their SSL private keys.
Following the breach disclosed in March 2020, GoDaddy notified 28,000 of its customers that an attacker had used their web hosting account passwords in October 2019 to log in to their hosting accounts over SSH.
As part of its ongoing investigation into the root cause of the breach, GoDaddy is collaborating with cybersecurity forensics firms and law enforcement organisations around the world.
Links to attacks targeting other hosting companies:
GoDaddy says it has uncovered further evidence linking the threat actors to a larger campaign that targeted other hosting providers around the world over several years.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a statement.
“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”
In addition to being one of the most widely used domain registrars, GoDaddy provides web hosting to more than 20 million customers worldwide.
When BleepingComputer tried to reach a GoDaddy representative earlier today, they were not immediately available to answer questions.