Adnan Shah
Adnan Shah Adnan Shah is an Appsec Engineer and a passionate adventurer.

GoDaddy: Hackers stole customer information, installed malware in multi-year breach

GoDaddy: Hackers stole customer information, installed malware in multi-year breach

Web hosting provider GoDaddy recently disclosed a multi-year(possibly since 2020) security breach, which enabled attackers to install malware and steal source code related to some of its services. The company attributed the attack to a “sophisticated and organized group targeting hosting services.”

According to the company, it received several customer complaints in December 2022 about their websites getting redirected to malicious sites. It later found out that an unauthorized third party had gained access to servers hosted in its cPanel environment and installed malware that caused the intermittent redirection of customer websites.

GoDaddy says the ultimate objective of the intrusion was to “infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.” The company also revealed that the breach was part of a broader campaign targeting other hosting companies worldwide over the years.

Godaddy Past Breaches

The incident is connected to two other security breaches that GoDaddy experienced in March 2020 and November 2021.

In the 2020 breach, the hosting company alerted 28,000 customers that an attacker had used their web hosting account credentials to connect to their hosting account via SSH.

In the 2021 breach, a rogue actor used a compromised password to access a provisioning system in GoDaddy’s legacy code base for Managed WordPress, affecting approximately 1.2 million active and inactive MWP customers across multiple GoDaddy brands.

As a result of the March 2020 breach, GoDaddy informed 28,000 customers that an attacker had leveraged their web hosting account credentials from October 2019 to gain access to their hosting account via SSH.

GoDaddy is now working with external cybersecurity forensics experts and law enforcement agencies worldwide to investigate the root cause of the breach. The company is also taking steps to strengthen its security measures and protect its customers’ data.

Opportunities that were overlooked

It is evident from the available information that the threat actor had been operating within GoDaddy’s infrastructure for an extended period, and the company itself has stated that the recent breach may be linked to previous data breaches spanning several years.

The apparent duration of the attack raises concerns that GoDaddy may have overlooked opportunities to identify and address vulnerabilities or to remove any installed malware at an earlier stage.

Had the company taken action sooner, the potential harm to customers might have been minimized or even prevented altogether.

Therefore, the ongoing breach highlights the need for companies to adopt proactive measures to identify and address security risks as soon as possible to avoid prolonged exposure to threats.

How can data breaches of this kind be prevented?


Every data breach starts with a single vulnerability

Every data breach is like a domino effect, it starts with a single vulnerability and progresses from there. As such, identifying and addressing vulnerabilities is a critical aspect of any effective cybersecurity program.

One effective approach to preventing data breaches of this kind is to conduct regular security assessments of the organization’s IT systems and networks. These assessments can help identify vulnerabilities and gaps in security controls that may be exploited by threat actors to gain unauthorized access to sensitive data or systems. The assessments can also help prioritize the vulnerabilities and develop a plan to remediate them based on the level of risk they pose.

It is crucial to note that data breaches typically begin with a single vulnerability that is exploited by attackers to gain a foothold in the target environment. Performing continuous security assessments can help detect and address vulnerabilities at an early stage, minimizing the chances of them being exploited by threat actors.

Regular security assessments should be part of a comprehensive cybersecurity program that includes implementing appropriate security controls, training employees on security best practices, and establishing an incident response plan to mitigate the impact of a breach if it occurs. By taking these steps, organizations can reduce the risk of a data breach and protect their sensitive data from being compromised.


The GoDaddy breach is a reminder of the importance of regularly reviewing and updating cybersecurity practices to prevent unauthorized access to sensitive data. Customers should also be vigilant about monitoring their accounts for any suspicious activity and changing their passwords regularly.

In conclusion, the GoDaddy security breach is a concerning incident that has compromised the security of millions of customers. The company’s ongoing investigation into the incident will provide valuable insights into how the attackers were able to breach the system and how the company can prevent similar incidents from happening in the future. In the meantime, customers are advised to take extra precautions to protect their data and monitor their accounts for any signs of unauthorized access.

About us

Snapsec is a team of security experts specialized in providing pentesting and other security services to secure your online assets. We have a specialized testing methodology which ensures indepth testing of your business logic and other latest vulnerabilities.

If you are looking for a team which values your security and ensures that you are fully secure against online security threats, feel free to get in touch with us

comments powered by Disqus