Experts Commentary On GoDaddy Informs Customers Of Data Breach From October

It has been reported that GoDaddy suffered a data breach in October and has notified the Californian authorities, stating that an unauthorised individual was able to access SSH accounts used in its hosting environment.

“We have no evidence that any files were added or modified on your account,” the company said, while omitting any mention of whether files could have been viewed or exfiltrated. “The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.”

GoDaddy said the breach did not impact the “main GoDaddy.com customer account” and that any information within that account was not accessed. The company said it has reset passwords and would provide impacted customers with a year of its website security and malware removal service for free.

Grant McCormick, CIO
InfoSec Expert
May 13, 2020 1:09 pm

Hostile cyber actors are targeting user credentials at rapid rates, as evidenced by this latest breach. To remediate incidents involving user credentials and respond to adversaries, organisations must move fast and consider an approach that is closely aligned with monitoring user behaviour – to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when abnormal events have occurred.

Individual account owners should practice effective password management as well: by establishing different passwords for all of their accounts, immediately changing passwords on sites that have been breached and using multi-factor authentication wherever it is available.

Credential-based attacks and digital privacy issues will remain prevalent risks for the foreseeable future. Thus, these practices should remain top of mind year-round in 2020 and beyond.

Anurag Kahol, CTO
InfoSec Expert
May 13, 2020 1:05 pm

This security incident impacting GoDaddy customers underscores why organisations need to have full visibility and control over their data. While the web hosting giant confirmed that the breach only affected hosting accounts and not customer accounts or the personal information stored within them, hackers can still leverage the database of login credentials and commit account takeover.

According to Verizon, 80% of hacking-related breaches involve compromised or weak login credentials, and 29% of all breaches, regardless of attack type, involve the use of stolen credentials. While it’s ill-advised, people commonly reuse passwords across multiple accounts, meaning attackers can potentially gain access to a number of accounts across multiple services that a victim uses to gather more sensitive information and leverage the data for financial fraud or identity theft for years to come.

Additionally, this incident comes just two years after GoDaddy had its cloud configuration information exposed after an Amazon employee left an AWS S3 bucket open. The very different nature of these two security incidents underscores the importance of the shared responsibility model when it comes to the cloud.

To prevent similar incidents and thwart unauthorised access to customer information, organisations must leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. Organisations must also authenticate their users to validate who they are, before granting them access to their systems. Fortunately, multi-factor authentication (MFA) and user and entity behaviour analytics (UEBA) are tools that can help companies protect their data.

Timothy Chiu, Vice President of Marketing
InfoSec Expert
May 6, 2020 12:02 pm

Companies continue to get breached with traditional security tools like Web Application Firewalls and Endpoint protection, an indication that we need better security tools. Traditional methods that typically rely on indicators from past attacks just aren’t working. Even NIST realized this – for the first time, they updated their standard to include Runtime Application Self-Protection (RASP) as a requirement for web security.

As a protection mechanism, WAF sits on the perimeter, so if that’s all the protection GoDaddy or any other organization is using, then if the attackers did get malware on the servers or manipulated files on the servers, it’s much harder to detect. Security needs to be close to the application and reside on the servers to detect changes in real time, so that we find breaches faster, and we can determine if there’s an issue on the server itself (east-west traffic analysis vs. north-south – looking at traffic on the servers, versus looking at traffic to and from the internet).

Robert Prigge
InfoSec Expert
May 6, 2020 11:59 am

GoDaddy’s breach of web hosting account credentials further proves usernames and passwords can’t be trusted to keep accounts secure. As unauthorized parties were able to connect to users’ hosting accounts, it’s clear stronger authentication methods are needed. GoDaddy’s response to reset passwords and provide complimentary web security and malware services is simply not enough. How can GoDaddy ensure these new passwords won’t also result in unauthorized account access once the year ends? GoDaddy was one of the first companies to recognize the potential of the internet in the late ’90s and now, as more of our daily interactions move online, they must also recognize the danger of using passwords and multifactor authentication, among other outdated methods of authentication. This is a call to action for GoDaddy and the larger web domain/hosting industry to embrace new technologies to secure their digital ecosystems, and biometric authentication (leveraging a user’s unique biological traits to verify identity) can ensure only authorized users can access their accounts in today’s fraud landscape.

Chris DeRamus, VP of Technology Cloud Security Practice
InfoSec Expert
May 6, 2020 11:57 am

Unauthorized access is a popular culprit behind many data breaches, and this isn’t GoDaddy’s first security issue involving compromised accounts. According to a Ponemon survey, 59 percent of IT security respondents say customer accounts have been subject to an account takeover. Customers put their trust in companies by allowing them to collect and store their information. To keep that trust, organizations must be proactive in ensuring that their data is protected with adequate security controls and a robust identity management strategy.

To protect data, organizations must follow the principle of least-privileged access in provisioning identity access management (IAM) permissions, by providing checks to restrict identities from being able to do more than they are supposed to, and implement multi-factor authentication (MFA) for all users. By leveraging MFA, an account is 99.9% less likely to be compromised. Additionally, organizations must securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles.
