Hosting biz GoDaddy has admitted a hacker tampered with an SSH file on its servers, leading to the theft of 28,000 users’ SSH credentials.
The intrusion, which took place last month, involved one or more malicious persons “alter” an SSH file on GoDaddy’s infrastructure, the US giant told DigiTheWeb.
GoDaddy spokesman Nick Fuller sent us a statement: “On April 23, 2020, we identified SSH usernames and passwords had been compromised through an altered SSH file in our hosting environment. This affected approximately 28,000 customers.”
He continued: “We immediately reset these usernames and passwords, removed the offending SSH file from our platform, and have no indication the threat actor used our customers’ credentials or modified any customer hosting accounts.”
The security breach was reported widely on other news websites as affecting 19 million customers, which appears to be the global total of GoDaddy’s customer base. Other reports also wrongly linked the break-in to an October 2019 incident that was reported to authorities in the US state of California in March.
“To be clear,” said GoDaddy’s Fuller, “the threat actor did not have access to customers’ main GoDaddy accounts.”
Nonetheless, a good thing for customers to do now would be to change the login credentials for their GoDaddy SSH accounts. A look at their main account to ensure all is as it should be wouldn’t hurt, either.
SSH is a rather useful and widespread protocol that can be used to securely connect to remote machines to run commands, transfer files and other data, and so on.
GoDaddy did not immediately elaborate on the October 2019 incident when The Register asked for more information about it.
Yana Blachman, a threat intelligence specialist from machine identity solutions biz Venafi, described the breach as highlighting the importance of SSH security. She said in a statement: “SSH is used to access an organisation’s most critical assets, so it’s vital that organisations stick to the highest security level of SSH access and disable basic credential authentication, and use machine identities instead.”
A publicly listed American company, GoDaddy Inc’s quarterly earnings call is scheduled to take place tomorrow. More details may be revealed on the call, which is scheduled to take place at 5pm US Pacific Time.