Skip to main content
close search
site logo

For GoDaddy customers, a long dwell time means all could be victims

The web hosting provider has not shared additional details outlining the extent of the breach, but experts are highlighting the incident’s multiple red flags.

Published Feb. 23, 2023
Matt Kapko's headshot
Senior Reporter
GoDaddy logo depicted on the floor of the New York Stock Exchange
Traders work on the floor of the New York Stock Exchange as the website hosting service GoDaddy makes its initial public offering on April 1, 2015 in New York City. Spencer Platt/Getty Images via Getty Images

For GoDaddy, past breaches went from bad to worse.

Source code was stolen. Malware was installed on servers running the web hosting control panel customers use to manage their sites and shared servers. Customer websites were randomly redirected to malicious sites.

GoDaddy hasn’t revealed the potential impact of a multiyear intrusion of its systems the company disclosed last week, but there's a poor prognosis for the web hosting giant and its customers.

“Multiyear dwell times are a huge red flag,” Zane Bond, head of product at Keeper Security, said via email.

“With an attack lasting multiple years, it would be safe to assume that all customers are potential victims,” Bond said.

GoDaddy disclosed several data breaches in 2020 and 2021, including an incident that impacted up to 1.2 million customers. Details on those attacks and this latest incident were lumped together in a filing with the Securities and Exchange Commission.

Upon further inquiry into this matter, a spokesperson reiterated a key statement in the filing: “Based on our investigation, we believe these incidents are part of a multiyear campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”

The company declined to answer questions about how many customers are impacted nor what type of data might be compromised. GoDaddy ended last year with 21 million customers.

GoDaddy was tipped off to the latest malicious activity when customers complained about intermittent site redirects starting in early December. An investigation into the root cause of the incident is ongoing, GoDaddy said last week.

​​“We’ve been given concerning information, but also very little information, which indicates that the company may not know the full scope of the breach just yet,” Bond said.

Repeat attacks are common

GoDaddy isn’t the first major company to experience a multiyear breach or subsequent cyberattacks and it won’t be the last. Cyberthreat actors can and will hit the same digital targets multiple times.

“Follow-on attacks are very common,” Andrew Barratt, VP of technology and enterprise accounts at the cybersecurity advisory Coalfire, said via email.

Sometimes organizations are targeted multiple times by different threat actors, using different techniques, but often at the same time, he said.

“With adversaries, there is a concept of blood in the water when a company or industry is successfully breached. Threat actors tend to swarm with similar, repeat attacks,” Bond said.

GoDaddy, in a statement released alongside its SEC filing, said it’s monitoring the threat actor’s behavior and blocking attempts from the criminal organization.

“I can’t speak to this specific breach as the details are not yet known but when we see recurring attacks on the same firm, it typically indicates that the original threat actor was not fully ousted from the environment,” Jess Burn, senior analyst at Forrester, said via email.

“This lack of confidence in eradication may also explain the delays we see in breach disclosure,” which damages trust among customers, employees, partners, insurers and regulators, Burn said.

The random site redirects discovered by customers in this latest incident provide further evidence GoDaddy doesn’t yet know how the threat actor got into its systems or the full extent of damage caused.

When attacks share identical characteristics, “it’s typically down to poor remediation of the initial root cause, or perhaps even that the initial root cause wasn’t fully understood,” Barratt said.

GoDaddy, in its 10-K filing, said the resolution and outcome of the 2020 and 2021 incidents remain uncertain.

“To date, these incidents as well as other cyberthreats and attacks have not resulted in any material adverse impact to our business or operations,” the company said. “But such threats are constantly evolving, increasing the difficulty of detecting and successfully defending against them.”

Filed Under: Breaches, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Why Cybersecurity Leaders Trust the MITRE ATT&CK Evaluations
From Cynet Security
December 05, 2024
Chemonics International Data Breach Investigation
From Migliaccio & Rathod LLP
December 04, 2024
DigiCert Releases First-of-Its-Kind Open-Source DCV Library to Elevate Industry Standards
From DigiCert
December 18, 2024
Migliaccio and Rathod Investigates Byte Federal Data Breach
From Migliaccio and Rathod
December 12, 2024
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.