Web hosting giant GoDaddy says it suffered a breach in which unknown attackers stole source code and installed malware on its servers after breaching its cPanel shared hosting environment in an attack that lasted many years.
Although GoDaddy discovered the breach only after customers reported in early December 2022 that their websites were being used to redirect to random domains, the attackers had access to the corporate network for several years.
“Based on our investigation, we believe these incidents were part of a multi-year campaign by a sophisticated group of malicious actors who, among other things, installed malware into our systems and obtained code snippets related to certain services within GoDaddy,” the hosting company said in a filing with the SEC.
The company said previous breaches disclosed in November 2021 and March 2020 were also related to this multi-year campaign.
The November 2021 incident resulted in a data leak affecting 1.2 million managed WordPress customers after attackers breached GoDaddy’s WordPress hosting environment using compromised passwords. They had access to the email addresses of all affected customers, WordPress admin passwords, database and sFTP credentials, and the SSL private keys of a small group of customers.
Following the March 2020 breach, GoDaddy warned 28,000 customers that an attacker had used their web hosting account credentials in October 2019 to log into their hosting account over SSH.
GoDaddy is currently working with external cybersecurity experts and law enforcement agencies around the world as part of an ongoing investigation into the root cause of the breach.
Links to attacks targeting other hosting companies
GoDaddy says it has also found additional evidence linking the threat actors to a broader campaign that has targeted other hosting companies around the world for several years.
“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a statement. “According to the information we have received, their apparent purpose is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities.”
GoDaddy is one of the largest domain name registrars and also provides hosting to over 20 million customers worldwide.
A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.