GoDaddy source code stolen as part of a multiyear campaign

GoDaddy’s source code was stolen and systems were infected with malware by an unknown threat actor in a breach the web hosting company linked to a multiyear campaign.

The company, responding to customer complaints about intermittent site redirects starting in early December 2022, discovered unauthorized access to its cPanel shared hosting servers.

GoDaddy later determined a threat actor stole code related to some of its services and installed malware on its systems, according to a Thursday filing with the Securities and Exchange Commission.

“Once we confirmed the intrusion, we remediated the situation and implemented security measures in an effort to prevent future infections,” the company said in a statement released Thursday.

An investigation into the root cause of the incident is ongoing.

“We believe these incidents are part of a multiyear campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the company said.

The web hosting provider has disclosed several breaches in the past few years:

• In November 2021, a data breach exposed the emails and customer numbers of up to 1.2 million managed WordPress customers. An unauthorized party used a compromised password as part of that incident to access the provisioning system in GoDaddy’s legacy code base.
• In March 2020, a threat actor compromised the hosting login credentials of about 28,000 hosting customers and the login credentials of some GoDaddy employees.

GoDaddy did not say how many potential customers are impacted nor what type of data might be compromised as a result of the latest breach.

The company said forensics experts and law enforcement agencies are assisting with the investigation as it continues to monitor the behavior of the criminal organization and block attempts to gain further access.

“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the company said.

Information shared with GoDaddy suggests the threat actor group’s goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.

The company declined to answer questions or share additional information. GoDaddy ended 2022 with 20.9 million customers.