Experts Commentary On GoDaddy Informs Customers Of Data Breach From October

It has been reported that GoDaddy suffered a data breach in October and has notified the Californian authorities, stating that an unauthorised individual was able to access SSH accounts used in its hosting environment.

“We have no evidence that any files were added or modified on your account,” the company said, without addressing whether files could have been viewed or exfiltrated. “The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.”

GoDaddy said the breach did not impact the “main GoDaddy.com customer account” and that any information within that account was not accessed. The company said it has reset passwords and would provide impacted customers with a year of its website security and malware removal service for free.

Expert Comments

May 06, 2020
Timothy Chiu
Vice President of Marketing
K2 Cyber Security
Companies continue to get breached with traditional security tools like Web Application Firewalls and Endpoint protection, an indication that we need better security tools. Traditional methods that typically rely on indicators from past attacks just aren’t working. Even NIST realized this – for the first time, they updated their standard to include Runtime Application Self-Protection (RASP) as a requirement for web security. As a protection mechanism, WAF sits on the perimeter, so if that’s all the protection GoDaddy or any other organization is using, then if the attackers did get malware on the servers or manipulated files on the servers, it’s much harder to detect. Security needs to be close to the application and reside on the servers to detect changes in real time, so that we find breaches faster, and we can determine if there’s an issue on the server itself (east-west traffic analysis vs. north-south – looking at traffic on the servers, versus looking at traffic to and from the internet).
May 06, 2020
Robert Prigge
CEO
Jumio
GoDaddy’s breach of web hosting account credentials further proves usernames and passwords can’t be trusted to keep accounts secure. As unauthorized parties were able to connect to users’ hosting accounts, it’s clear stronger authentication methods are needed. GoDaddy’s response to reset passwords and provide complimentary web security and malware services is simply not enough. How can GoDaddy ensure these new passwords won’t also result in unauthorized account access once the year ends? GoDaddy was one of the first companies to recognize the potential of the internet in the late '90s and now, as more of our daily interactions move online, they must also recognize the danger of using passwords and multifactor authentication, among other outdated methods of authentication. This is a call to action for GoDaddy and the larger web domain/hosting industry to embrace new technologies to secure their digital ecosystems, and biometric authentication (leveraging a user’s unique biological traits to verify identity) can ensure only authorized users can access their accounts in today’s fraud landscape.
May 06, 2020
Chris DeRamus
VP of Technology Cloud Security Practice
Rapid7
Unauthorized access is a popular culprit behind many data breaches, and this isn’t GoDaddy’s first security issue involving compromised accounts. According to a Ponemon survey, 59 percent of IT security respondents say customer accounts have been subject to an account takeover. Customers put their trust in companies by allowing them to collect and store their information. To keep that trust, organizations must be proactive in ensuring that their data is protected with adequate security controls and a robust identity management strategy. To protect data, organizations must follow the principle of least-privileged access in provisioning identity access management (IAM) permissions, by providing checks to restrict identities from being able to do more than they are supposed to, and implement multi-factor authentication (MFA) for all users. By leveraging MFA, an account is 99.9% less likely to be compromised. Additionally, organizations must securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles.
May 06, 2020
Dr. Vinay Sridhara
CTO
Balbix
GoDaddy is the largest domain registrar in the world, serving 19 million customers. This breach is yet another example of the importance of basic cyber hygiene, including multifactor authentication (MFA). Since the SSH access in question is typically available only to privileged users, the need for MFA is even more critical. Unfortunately, GoDaddy does not offer MFA for SSH connections, highlighting one of the downsides of using third party services. In the absence of MFA, organizations using this service should disable SSH access, enabling it only during times when they are using it. Large enterprises, especially those in the IT space, have to make cybersecurity and incident response a top priority to ensure that their customers are proactively protected from all online threats. It is unfortunate in this case that GoDaddy did not report the breach until almost eight months after it had occurred. The unauthorized individual had plenty of time to access login credentials of SSH accounts, and even though GoDaddy has confirmed that the individual is now blocked from their systems, the account credentials have still been compromised. Unfortunately, so many consumers have poor password hygiene and use weak and reused credentials for several of their online accounts – if not all of them. Every GoDaddy customer must make certain that any matching or similar login credentials to personal and/or work accounts have been updated using unique passwords, and be on high alert for forthcoming targeted attacks. This is especially critical to consider amid COVID-19, given that cyberattacks related to the pandemic continue to rise.
May 06, 2020
James Carder
Chief Information Security Officer & Vice President
LogRhythm Labs
It is astonishing that GoDaddy was unable to detect unauthorized access to SSH account credentials for about eight months. With this particular incident, there are further unknowns such as whether sensitive files were exfiltrated from the accounts, and exactly how many accounts from GoDaddy’s hosting environment were compromised. The GoDaddy data breach showcases how so many large enterprises still lack a comprehensive approach to detecting and combating threats. It is easy to assume that GoDaddy, as the world’s largest domain registrar, would have proper security in place to prevent, detect, and respond to these types of threats. GoDaddy should have had stricter SSH security measures in place rather than just a simple username and password. Strong SSH key management is critical in protecting internet accessible SSH. In this case, fundamental controls for properly securing and managing SSH should have been implemented. It is important to ensure that SSH keys are associated with an individual user and are continuously rotated. Additionally, the principle of least privilege should be utilized for the account authorized to SSH and an organization should conduct thorough auditing and monitoring of all privileged sessions and key usage. If such controls were implemented, then the likelihood that GoDaddy would have suffered a breach, leveraging stolen or acquired usernames and passwords, would have been minimal. Of course, no incident is 100% preventable, yet, this particular breach reflects how GoDaddy overlooked simple security controls and left low hanging fruit for the attacker to exploit.
May 13, 2020
Grant McCormick
CIO
Exabeam
Hostile cyber actors are targeting user credentials at rapid rates, as evidenced by this latest breach. To remediate incidents involving user credentials and respond to adversaries, organisations must move fast and consider an approach that is closely aligned with monitoring user behaviour - to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when abnormal events have occurred. Individual account owners should practice effective password management as well: by establishing different passwords for all of their accounts, immediately changing passwords on sites that have been breached and using multi-factor authentication wherever it is available. Credential-based attacks and digital privacy issues will remain prevalent risks for the foreseeable future. Thus, these practices should remain top of mind year-round in 2020 and beyond.
May 13, 2020
Anurag Kahol
CTO
Bitglass
This security incident impacting GoDaddy customers underscores why organisations need to have full visibility and control over their data. While the web hosting giant confirmed that the breach only affected hosting accounts and not customer accounts or the personal information stored within them, hackers can still leverage the database of login credentials and commit account takeover. According to Verizon, 80% of hacking-related breaches involve compromised or weak login credentials, and 29% of all breaches, regardless of attack type, involve the use of stolen credentials. While it’s ill-advised, people commonly reuse passwords across multiple accounts, meaning attackers can potentially gain access to a number of accounts across multiple services that a victim uses to gather more sensitive information and leverage the data for financial fraud or identity theft for years to come. Additionally, this incident comes just two years after GoDaddy had its cloud configuration information exposed after an Amazon employee left an AWS S3 bucket open. The very different nature of these two security incidents underscores the importance of the shared responsibility model when it comes to the cloud. To prevent similar incidents and thwart unauthorised access to customer information, organisations must leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. Organisations must also authenticate their users to validate who they are, before granting them access to their systems. Fortunately, multi-factor authentication (MFA) and user and entity behaviour analytics (UEBA) are tools that can help companies protect their data.
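The behavioural detection that both Grant McCormick and Anurag Kahol call for, as an added example that is not part of either comment and is not any vendor's product: a per-user profile is learned from successful sshd logins in a trusted window, and later logins are flagged when they come from a source address never seen for that user, at an hour the user has never logged in, with an authentication method the user does not normally use, or shortly after a burst of failed attempts from the same address. The log lines, hostnames, users and addresses are constructed for the example; the line format is the one OpenSSH writes to syslog.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth results as syslog records them (the timestamp carries no year, so one is supplied).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line, year=2020):
    """One sshd auth event as a dict, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

class Baseline:
    """Per-user profile (source addresses, login hours, auth methods) learned from accepted logins."""
    def __init__(self):
        self.ips, self.hours, self.methods = defaultdict(set), defaultdict(set), defaultdict(set)

    def learn(self, lines):
        for ev in filter(None, map(parse, lines)):
            if ev["ok"]:
                self.ips[ev["user"]].add(ev["ip"])
                self.hours[ev["user"]].add(ev["ts"].hour)
                self.methods[ev["user"]].add(ev["method"])

def detect(baseline, lines, fail_threshold=5, window_s=600):
    """Accepted logins that deviate from the user's profile or follow a burst of failures.
    A user with no profile at all is flagged on every login, which is the safe default."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    findings = []
    for ev in events:
        key = (ev["user"], ev["ip"])
        if not ev["ok"]:
            failures[key].append(ev["ts"])
            continue
        user, reasons = ev["user"], []
        if ev["ip"] not in baseline.ips[user]:
            reasons.append("new-source-ip")
        if baseline.hours[user] and ev["ts"].hour not in baseline.hours[user]:
            reasons.append("off-hours")
        if baseline.methods[user] and ev["method"] not in baseline.methods[user]:
            reasons.append(f"unusual-auth-method:{ev['method']}")
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= fail_threshold:
            reasons.append(f"success-after-{len(recent)}-failures")
        if reasons:
            findings.append((ev["ts"].isoformat(), user, ev["ip"], reasons))
    return findings

# Constructed sample data (not real GoDaddy logs): a learning window showing the users' normal
# pattern, then a later day containing one routine login, a guessed password and a key used
# from an address never seen before.
BASELINE_LOG = """\
Apr 20 09:02:10 web1 sshd[4011]: Accepted publickey for deploy from 198.51.100.4 port 50110 ssh2: ED25519 SHA256:aaaa
Apr 21 10:15:33 web1 sshd[4102]: Accepted publickey for deploy from 198.51.100.4 port 50231 ssh2: ED25519 SHA256:aaaa
Apr 22 14:40:07 web1 sshd[4203]: Accepted publickey for deploy from 198.51.100.4 port 50342 ssh2: ED25519 SHA256:aaaa
Apr 23 16:05:59 web1 sshd[4304]: Accepted publickey for deploy from 198.51.100.4 port 50453 ssh2: ED25519 SHA256:aaaa
Apr 20 08:30:00 web1 sshd[4012]: Accepted publickey for alice from 198.51.100.20 port 50111 ssh2: RSA SHA256:bbbb
Apr 22 15:10:00 web1 sshd[4204]: Accepted publickey for alice from 198.51.100.20 port 50343 ssh2: RSA SHA256:bbbb
Apr 23 17:45:00 web1 sshd[4305]: Accepted publickey for alice from 198.51.100.20 port 50454 ssh2: RSA SHA256:bbbb
"""
NEW_LOG = """\
May  4 09:05:12 web1 sshd[5001]: Accepted publickey for deploy from 198.51.100.4 port 51001 ssh2: ED25519 SHA256:aaaa
May  4 02:10:01 web1 sshd[5101]: Failed password for deploy from 203.0.113.7 port 51100 ssh2
May  4 02:10:40 web1 sshd[5102]: Failed password for deploy from 203.0.113.7 port 51101 ssh2
May  4 02:11:20 web1 sshd[5103]: Failed password for deploy from 203.0.113.7 port 51102 ssh2
May  4 02:12:05 web1 sshd[5104]: Failed password for deploy from 203.0.113.7 port 51103 ssh2
May  4 02:12:50 web1 sshd[5105]: Failed password for deploy from 203.0.113.7 port 51104 ssh2
May  4 02:13:41 web1 sshd[5106]: Accepted password for deploy from 203.0.113.7 port 51105 ssh2
May  4 15:30:00 web1 sshd[5201]: Accepted publickey for alice from 203.0.113.9 port 51200 ssh2: RSA SHA256:bbbb
May  4 15:31:00 web1 sshd[5202]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

if __name__ == "__main__":
    profile = Baseline()
    profile.learn(BASELINE_LOG.splitlines())
    for when, user, ip, reasons in detect(profile, NEW_LOG.splitlines()):
        print(when, user, ip, ", ".join(reasons))
```

The routine 09:05 login produces nothing; the 02:13 password login is reported with four reasons at once, and the alice login with one. Which of those single-reason hits deserve a response is a tuning question, but a password success for an account that has only ever used a key, from a new address, after five failures, is the shape of the credential abuse the comments describe and should page someone.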
May 06, 2020
Tim Callan
Chief Compliance Officer
Sectigo
While there is a great deal of focus on X.509 certificates for providing identity authentication, it’s valuable to remember that PKI takes other forms as well, including SSH keys. These keys need to be protected and managed just as certificate keys do. In fact, since standalone public-private key pairs lack the built-in lifecycle functionality that certificates enjoy—such as expiration and the ability to revoke them—the risks for SSH keys are arguably greater than for certificates.
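The controls James Carder lists (keys tied to an individual, rotation, least privilege for SSH-capable accounts, logging of key use) and Tim Callan's point that a raw SSH key carries no expiry or revocation, as one added example that is from neither commenter nor from GoDaddy: a Python audit of sshd_config against those controls, shown on a stock-looking configuration beside a hardened one, and of authorized_keys files for keys with no identity comment, no source or command restriction, trust by more than one account, or age beyond a rotation window. Because a raw key records no issue date, the age check needs an inventory keyed by SHA256 fingerprint that is kept out of band. The configurations, key blobs, user names and dates are constructed for the example; the directive names are OpenSSH's own.

```python
import base64
import hashlib
from collections import defaultdict
from datetime import date

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")

def parse_sshd_config(text):
    """Global directives, lower-cased keyword -> first value (sshd keeps the first occurrence).
    Match blocks are conditional and need their own review, so parsing stops at the first one."""
    cfg = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            break
        cfg.setdefault(key, val)
    return cfg

def audit_sshd_config(text):
    """Settings that leave password guessing, root login or unreviewable key use possible."""
    cfg = parse_sshd_config(text)
    checks = [
        (cfg.get("passwordauthentication", "yes") != "no", "PasswordAuthentication not 'no'"),
        (cfg.get("permitrootlogin", "prohibit-password") != "no", "PermitRootLogin not 'no'"),
        ("allowusers" not in cfg and "allowgroups" not in cfg, "no AllowUsers/AllowGroups"),
        (cfg.get("loglevel", "INFO").upper() != "VERBOSE", "LogLevel below VERBOSE: offered keys not logged"),
        ("trustedusercakeys" not in cfg, "no TrustedUserCAKeys: raw keys only, which never expire"),
        ("revokedkeys" not in cfg, "no RevokedKeys: no server-side revocation list"),
    ]
    return [msg for bad, msg in checks if bad]

def split_authorized_key(line):
    """(options, keytype, blob, comment); options may hold quoted values with spaces."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        opts, rest = "", line
    else:
        i, quoted = 0, False
        while i < len(line) and (quoted or line[i] != " "):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                quoted = not quoted
            i += 1
        opts, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    return opts, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints and sshd logs."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(files, inventory, today, max_age_days=90):
    """files: {user: authorized_keys text}; inventory: {fingerprint: issue date}, kept out of
    band because a raw key records none. Returns (user, fingerprint, issue) tuples."""
    findings, trusted_by = [], defaultdict(set)
    for user, text in files.items():
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            opts, _, blob, comment = split_authorized_key(line)
            fp = fingerprint(blob)
            trusted_by[fp].add(user)
            if not comment:
                findings.append((user, fp, "no-identity-comment"))
            if "restrict" not in opts and "from=" not in opts:
                findings.append((user, fp, "unrestricted-key"))
            if fp not in inventory:
                findings.append((user, fp, "not-in-inventory"))
            elif (today - inventory[fp]).days > max_age_days:
                findings.append((user, fp, f"older-than-{max_age_days}d"))
    for fp, users in trusted_by.items():
        if len(users) > 1:  # one key trusted by several accounts: no per-person accountability
            findings.append(("*", fp, "shared-by:" + ",".join(sorted(users))))
    return findings

# Constructed sample inputs (not GoDaddy's configuration): a stock-looking sshd_config beside a
# hardened one, three authorized_keys files and an out-of-band inventory of key issue dates.
WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\nUsePAM yes\n"
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowGroups ssh-users
LogLevel VERBOSE
TrustedUserCAKeys /etc/ssh/user_ca.pub
RevokedKeys /etc/ssh/revoked_keys
"""
BLOB_ALICE = base64.b64encode(b"constructed key material: alice laptop").decode()
BLOB_SHARED = base64.b64encode(b"constructed key material: shared deploy key").decode()
AUTHORIZED_KEYS = {
    "alice": f'restrict,from="198.51.100.0/24" ssh-ed25519 {BLOB_ALICE} alice@laptop\n',
    "deploy": f"ssh-rsa {BLOB_SHARED}\n",
    "www-data": f"# legacy migration key\nssh-rsa {BLOB_SHARED} ops-team\n",
}
INVENTORY = {fingerprint(BLOB_ALICE): date(2020, 4, 1), fingerprint(BLOB_SHARED): date(2019, 6, 1)}
TODAY = date(2020, 5, 6)

if __name__ == "__main__":
    print(audit_sshd_config(WEAK_SSHD_CONFIG), audit_sshd_config(HARDENED_SSHD_CONFIG))
    print(*audit_authorized_keys(AUTHORIZED_KEYS, INVENTORY, TODAY), sep="\n")
```

The hardened configuration passes every check and the stock one fails all six; alice's key, restricted to one network and issued five weeks ago, is clean, while the deploy key is anonymous, unrestricted, eleven months old and trusted by two accounts. TrustedUserCAKeys is the route to the lifecycle features Callan describes: a key signed with ssh-keygen -s carries a validity interval and principals, and RevokedKeys gives sshd a revocation list, so a compromised credential can be cut off without touching every server's authorized_keys.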
May 06, 2020
Trevor Morgan
Product Manager
comforte AG
The good news is that GoDaddy was proactive in blocking the unauthorized individual, resetting passwords, and continuing to search for any further impact across the compromised environment. Another advisable strategy to complement this appropriate response from GoDaddy would be to perform an audit of their entire data environment to find ways to implement data-centric security methods. A method such as tokenization, which would replace any sensitive data with meaningless and benign tokens within files, would head off any possible negative effect of a security breach. Any information obtained through an intrusion would be rendered useless because the sensitive data would be indecipherable to the threat agent. Hopefully, GoDaddy is already in the process of exploring ways to implement or expand their data-centric security posture as a means to further their mitigation efforts.