Web hosting provider and domain registrar GoDaddy was hit by a data breach that compromised the account credentials of around 28,000 customers. In a Submitted Breach Notification to the California Attorney General’s office, the company revealed that the suspicious activity occurred on some of its servers on Oct. 19, 2019. Following an investigation, GoDaddy learned that an unauthorized individual had gained access to the login credentials of customers who use SSH (Secure Shell) to connect to their hosting accounts.


The company provided further details in the following statement shared with TechRepublic:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

SSH offers a secure way to work with remote systems and transfer files over a network. With a company such as GoDaddy, SSH is used by customers to connect to their hosting accounts to upload or move files and run commands via a command line.

In its notification, the company said it found no evidence that any files were added or modified for the affected accounts, though it’s continuing to investigate the potential impact. The incident was limited to the hosting accounts of users and didn’t affect actual customer accounts. The person identified in the breach has since been blocked from GoDaddy’s systems.

GoDaddy has also been advising users to conduct an audit of their hosting accounts. Further, the company said that it will provide affected users with a free year of Website Security Deluxe and Express Malware Removal, services that scan customer websites for any potential security issues.

GoDaddy didn’t reveal the exact cause of the data breach. But in March, a customer service rep at the company was ensnared by a phishing email, according to security news site KrebsOnSecurity. The attacker was able to view and change several customer records, including domain settings for a few GoDaddy customers such as transaction brokering site escrow.com. In a follow-up notice, escrow.com CEO Matt Barrie said that his company managed to regain control of its DNS entries, as reported by Chris Duckett at ZDNet.

In data breaches, some vulnerability or mistake is typically to blame for the unauthorized access. Savvy cybercriminals are continually hunting for weaknesses and flaws within an organization’s network. That’s why businesses must make a concerted effort to maintain and strengthen their security measures, especially when they hold the keys to private customer data.

“It’s unclear whether GoDaddy’s reported incident was because of the re-use of previously stolen credentials or from brute-force attacks,” Matt Walmsley, EMEA director at security company Vectra, told TechRepublic. “There have also been recent reports of GoDaddy’s support employees being successfully phished, which might be connected. Regardless of how the unauthorized access was gained, it’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant to a breach.”

The data breach should be a large concern for GoDaddy customers, according to Joseph Carson, chief security scientist and Advisory CISO at Thycotic. Any unauthorized access using SSH accounts should not have happened if the company was using multifactor authentication (MFA) or privileged access management (PAM) for remote access accounts.

“A data breach such as this on a large hosting provider is a significant issue as it could unlock the doors to many of their customers’ businesses via unauthorized configuration changes to their websites,” Carson said. “Even worse, it could allow the cybercriminal to make modifications to web services that could steal data, credit card information, or account passwords.”

Businesses that, like GoDaddy, rely on SSH for remote access need to make sure that their SSH keys are protected.

“SSH keys are commonly used to remotely and securely access cloud based systems, VPNs, and connected devices,” Caitlin Egen, cybersecurity specialist at data protection firm HewardMills, said. “An SSH key in the wrong hands has the potential to cripple an organization. The keys can be used to access critical systems, install malware, override data, and bypass encryption software.

“Worryingly, SSH exploits are becoming more common as the tech to carry out the attacks becomes easier to replicate with each iteration. Whereas previously this was a niche option for well-funded cyber criminals targeting governments and key service providers, now companies of all sizes could potentially be on the receiving end of such cyber-warfare.”

To protect your SSH keys from being compromised, Egen offers the following advice:

“As with any cyberthreat, prevention is better than a cure,” Egen said. “Visibility and accountability are key aspects when minimizing the risk of SSH becoming compromised. A solid Public Key Infrastructure is essential. Encryption keys and where you store them are hugely important. If these are compromised your infrastructure is compromised. Every company utilizing SSH keys should have a protected and up-to-date log of every active key across the business, endpoint security deployed on server-based workloads, and VPN connections for remote cloud access. Businesses can also explore Cloud Access Security Brokers to manage SSH keys.”
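The audit GoDaddy recommends and the up-to-date inventory of active keys Egen describes both come down to the same question: which public keys are actually authorized on each account, and does that set match what the business expects? The script below is an added example, not code from GoDaddy, TechRepublic or any of the firms quoted here. It parses an OpenSSH `authorized_keys` file (including the optional restriction prefix such as `from="..."`), computes each key's SHA256 fingerprint in the same form that `ssh-keygen -lf` prints, and compares the result against a baseline inventory so that a key nobody recorded, or a recorded key that has vanished, stands out. The sample `authorized_keys` content and the key blobs in it are constructed for the example (they are wire-format-shaped filler, not real keys), and the baseline dictionary is a hypothetical inventory.

```python
import base64
import hashlib
import re
import struct
from dataclasses import dataclass

# Matches the "key-type base64-blob [comment]" tail of an authorized_keys line.
# Anything before the key type is the options field (from=, no-pty, ...).
_KEY_RE = re.compile(
    r"(?:^|\s)((?:ssh|ecdsa|sk)-[A-Za-z0-9.@-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


@dataclass
class KeyEntry:
    line_no: int
    options: str      # e.g. 'from="203.0.113.5",no-pty'; empty when absent
    key_type: str
    fingerprint: str  # "SHA256:..." in the form ssh-keygen -lf prints
    comment: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[KeyEntry]:
    """Return one KeyEntry per valid key line; blank, comment and malformed lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            continue  # malformed line; sshd would ignore it as well
        key_type, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        options = line[: m.start(1)].strip()
        entries.append(KeyEntry(n, options, key_type, fingerprint(blob), comment.strip()))
    return entries


def audit_authorized_keys(text: str, baseline: dict[str, str]) -> dict:
    """Compare the keys installed in `text` with a baseline inventory of
    fingerprint -> owner. 'unknown' keys are installed but not recorded;
    'missing' fingerprints are recorded but no longer installed."""
    entries = parse_authorized_keys(text)
    present = {e.fingerprint for e in entries}
    return {
        "known": [e for e in entries if e.fingerprint in baseline],
        "unknown": [e for e in entries if e.fingerprint not in baseline],
        "missing": [fp for fp in baseline if fp not in present],
    }


def _fake_ed25519_blob(seed: int) -> str:
    """Constructed sample blob shaped like an ssh-ed25519 public key
    (length-prefixed type string + 32 bytes). Filler only, not a real key."""
    key_type = b"ssh-ed25519"
    pub = hashlib.sha256(b"constructed-%d" % seed).digest()
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(pub)) + pub
    return base64.b64encode(blob).decode()


# Constructed sample authorized_keys content for the example.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {_fake_ed25519_blob(1)} alice@laptop",
    f'from="203.0.113.5",no-agent-forwarding ssh-ed25519 {_fake_ed25519_blob(2)} deploy@ci',
    "",
    f"ssh-ed25519 {_fake_ed25519_blob(3)} backup",
])

if __name__ == "__main__":
    # Hypothetical inventory: two keys the business recorded, one it retired.
    inventory = {
        fingerprint(_fake_ed25519_blob(1)): "alice (workstation)",
        fingerprint(_fake_ed25519_blob(2)): "CI deploy user",
        fingerprint(_fake_ed25519_blob(4)): "retired contractor",
    }
    report = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, inventory)
    for e in report["unknown"]:
        print(f"UNKNOWN key on line {e.line_no}: {e.fingerprint} '{e.comment}' options={e.options!r}")
    for fp in report["missing"]:
        print(f"MISSING recorded key: {fp} ({inventory[fp]})")
    print(f"{len(report['known'])} known, {len(report['unknown'])} unknown, {len(report['missing'])} missing")
```

Run against a real account's `~/.ssh/authorized_keys`, the "unknown" list is the set of keys that would need an owner before the audit can be signed off, and an "unknown" entry with no `from=` restriction deserves the closest look. Fingerprints rather than raw blobs are used as the inventory key so the baseline can be kept in a ticketing system or spreadsheet without copying key material around.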

Of course, customers and users must also follow proper and recommended security guidelines to protect their online accounts. The following tips are always worth repeating:

Create a strong password. Juggling all the passwords you use online is challenging. But you still must devise a strong password for your accounts to keep them as safe as possible from hackers. If you can’t create or remember secure passwords, your best bet is to use a password manager to do the hard work.

Use two-step verification (or two-factor authentication). Using the verification code sent to your mobile phone or email provides a secondary means of confirming your logins. Even if a cybercriminal were to gain access to your login credentials, that person could not sign into your account without knowing the accompanying code.
