On February 17th, 2023, one of the world’s largest domain registrars, and by extension, third-party to more than 21 million organizations worldwide, GoDaddy, suffered a security breach. But what’s different about this breach is that it was the third breach in three years and it hit a web hosting service. That means that all customers of GoDaddy—and all customers of those customers—were at risk regardless of the product or services in use. In essence, any organization whose third parties were using GoDaddy as a piece of their infrastructure were also at risk.

What exactly happened during the GoDaddy breach, and how is it relevant for organizations today?

What is the GoDaddy Breach and How Did It Infect Websites?

GoDaddy reported that in early December 2022, an unauthorized third party breached their shared hosting environment, compromising their cPanel management technology. The attackers then stole source code and installed malware on their servers in what appears to be the latest iteration of a multi-year breach. Let me repeat that: GoDaddy believes this attack has been going on for years by the same organization.

The breach became apparent when the hosting company noticed that its websites were being intermittently redirected to other domains. Further investigation and customer complaints revealed that malware had been distributed on the hosting servers to redirect the domains to malicious sites.

A sophisticated threat actor group took responsibility for the breach, which, according to the Securities and Exchange Commission (SEC), was the same group responsible for the attack in 2020. Less than a year later, the group used a compromised password to gain access to 1.2 million current and inactive managed WordPress customers’ email addresses, usernames, passwords, and even their SSL private keys. They also succeeded in stealing source code, which allowed them to regain access to Godaddy’s infrastructure.

The goal of the hacking group was to “infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

Why Do Attackers Target a Web Hosting Company?

Web hosting companies are an attractive target for hackers since they allow hackers to infect websites and servers across the entire supply chain. A web host like GoDaddy, which is a managed WordPress provider, allows hackers to easily scale their attacks and infiltrate organizations and companies they may not have been able to with a less sophisticated attack.

With the opportunity for such an impact, you’re probably concerned with how your organization could be impacted. That depends on how your organization—and how your third parties—utilize GoDaddy.

For example, if you were using GoDaddy as a DNS Provider, email provider or host for WordPress at the time of the breach, the impact was more severe. Access to your DNS records could be used to redirect visitors and customers of your domains to malicious websites. If you were using GoDaddy for email, the attacker(s) may have access to your email accounts. The impact may have been especially severe if you’re holding sensitive customer information or PII, and thus subject to various data privacy regulations. Some GoDaddy customers complained the attackers redirected their domains to malicious websites.

How to Protect Your Business From a Similar Third-Party Attack

The multi-year breach continues to concern organizations and WordPress customers—and rightly so. Despite GoDaddy’s best attempts, hackers may still have access to GoDaddy’s customer websites. Or they may be able to regain access through vulnerabilities in the stolen source code. After all, there were multiple attacks over a three-year period.

What can we learn from this attack, and how can we protect ourselves from this or any other similar third-party breach? The GoDaddy breach underscores the importance of ongoing monitoring of third parties for risk and having robust protective measures in place that start with an information security management system (ISMS), a set of controls and adherence to one of the many NIST or ISO frameworks. Following these frameworks in a disciplined way could have acted as a kill chain, a way to trace the steps a hacker took and stop him in his tracks.

Here are a few additional steps you can take:

1) Identify

Use a Third-Party Security Risk Management platform like Panorays to confirm whether you or your third-party suppliers are using the suspected vendor, and how. Panorays also identifies which of your third parties pose the highest cybersecurity risk to your organization and prioritizes collaborative remediation.

2) Protect

If you are using the GoDaddy services, enable multi-factor authentication, change your login credentials, and create new SSL private keys if possible. Check DNS records to ensure domains have not been redirected. Keep an eye out for signs of compromised credentials. and if you see any suspicious behavior, take immediate proactive measures.

Communicate to any of your third parties you suspect are using the vendor services to determine if there were any impact notices on the services they are providing to your organization. If there were, ascertain what actions were taken to mitigate these issues. It’s also a good idea to recommend that they take the same precautions we recommended for you.

3) Respond

Refer to Panorays’ Third-Party Incident Response Playbook to help you prepare for and respond to incidents like these with your third parties. A third-party risk management solution such as Panorays can help you verify if you are impacted by this or any other third-party breach. The platform automatically identifies your third parties, such as GoDaddy, as well as their third parties (your fourth parties). As always, we recommend vigilance and a proactive approach.

How Panorays Can Help

Panorays automates, accelerates, and scales your third-party management through automated security questionnaire results with external attack surface evaluations, taking into consideration the business context. Panorays’ Risk Insights and Response Portal allows organizations to manage the entire process of identifying and mapping third-party breaches across your company’s supply chain. Together with the platform, organizations can streamline the entire process of interacting with third parties and ensure that they respond to any security incidents immediately.

Want to learn more about how you can better manage risk with your third parties? 

Get started with a Free Account today to help you easily manage and remediate third-party risk in your organization.


How did GoDaddy get hacked?

The Web hosting company GoDaddy was hacked multiple times in a multi-year breach. The first time, a hacker gained access to its servers and installed malware that directed the domains of its customers to malicious sites. The second time, hackers regained access through a stolen password, allowing them to gain access to hosting login credentials, SSL keys, and source code. The hack impacted 1.2 million current and inactive managed WordPress customers.

When did GoDaddy get hacked?

GoDaddy was hacked in 2020, 2021 and again in 2022. In 2020, an attacker successfully acquired the login details for several employees and 28,000 hosting customers. In 2021, hackers were able to successfully infiltrate its network and access the login credentials and SSL keys of 1.2 million current and inactive managed WordPress customers. In 2022, another attack installed malware on the hosting servers, redirecting websites from their intended domains to malicious sites.

What is the GoDaddy source code breach?

In February 2023, GoDaddy reported that a sophisticated and organized group had successfully stolen source code and malware had been installed to launch phishing attacks and distribute malware across the network. The company currently hosts over 84 million domains through its services.

This post was originally published on February 22, 2023, and has been updated to include fresh content.