GoDaddy, the world’s largest web domain registrar, has suffered from a breach that saw a bad actor gain login information for the hosting accounts of 28,000 customers.

GoDaddy’s VP of Software, Demitrius Comes, said in a customer notification filed to the Californian Attorney General’s office that a hacker had broken into some of their servers and could access secure shell (SSH) logins.

“We recently identified suspicious activity on a subset of our servers and immediately began an investigation,” the notification said.

“The investigation found that an unauthorised individual had access to your login information used to connect to SSH on your hosting account.

“We have no evidence that any files were added or modified on your account.

“The unauthorised individual has been blocked from our systems, and we continue to investigate potential impact across our environment.”

According to GoDaddy’s breach notification, the incident occurred on October 19, 2019 – yet a statement from a GoDaddy spokesperson confirmed it took the US tech company six months to notice.

“On April 23, 2020, we identified SSH usernames and passwords had been compromised through an altered SSH file in our hosting environment,” a GoDaddy spokesperson said.

“This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed the offending SSH file from our platform, and have no indication the threat actor used our customers’ credentials or modified any customer hosting accounts.

“To be clear, the threat actor did not have access to customers’ main GoDaddy accounts.”

Domain hijackers

GoDaddy boasts hosting 78 million domain names for its 19 million customers and reported revenue of $5 billion in 2019.

Its size has made GoDaddy a target for spammers and hackers who hijack GoDaddy domains for distributing spam or malware.

Early last year, cyber researchers reported that a group of Russian spammers nicknamed ‘Spammy Bear’ were creating free accounts that were assigned the same DNS as legitimate but dormant websites hosted through GoDaddy.

The company said it fixed its DNS in an effort to stop the hijacking attempts.

A month later domain hijhackers were back to spamming users from GoDaddy domains – except this time they were distributing the GandCrab ransomware.

GoDaddy once again said it fixed the DNS flaw, but in December last year, anti-spamming organisation Spamhaus noticed that domains registered through GoDaddy were once again being used to send out potentially malicious spam, phishing attacks, or business email compromises scams.

“Since that time, we have seen up to 100 newly hijacked domains daily, all pointing to Russian space,” Spamhaus said.

“This information has been reported to GoDaddy multiple times, but we have received no response or acknowledgement that an issue has been identified or resolved.”