GoDaddy, one of the world’s largest domain registrar and a web hosting company that provides services to roughly 19 million customers around the world, has confirmed a data breach.

According to a BleepingComputer report, GoDaddy notified notified some of its customers that an unauthorized party used their web hosting account credentials to connect to their hosting account via SSH. GoDaddy claims the breach took place on October 19, 2019 and was discovered on April 23, 2020, after the company's security team discovered an altered SSH file in GoDaddy's hosting environment and suspicious activity on a subset of GoDaddy's servers.

GoDaddy's Vice President for Corporate Communications later told BleepingComputer in an official statement that roughly 28,000 customers' hosting accounts were affected in the incident: "On April 23, 2020, we identified SSH usernames and passwords had been compromised through an altered SSH file in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed the offending SSH file from our platform, and have no indication the threat actor used our customers’ credentials or modified any customer hosting accounts. To be clear, the threat actor did not have access to customers’ main GoDaddy accounts."

In a notification letter, GoDaddy says that the investigation found that an authorized individual had access to login nformation used to connect to SSH to hosting accounts. "This incident is limited in scope to your hosting account," GoDaddy told its customers. "Your main GoDaddy.com customer account, and the information stored within your customer account, was not accessible by this threat actor."

Matt Walmsley, EMEA Director at Vectra, say, “It’s unclear whether GoDaddy’s reported incident was because of the re-use of previously stolen credentials or from brute force attacks. There have also been recent reports of GoDaddy’s support employees being successfully phished, which might be connected. Regardless of how the unauthorized access was gained, it’s a sharp reminder that the monitoring of how privileged credentials are used, not just granted, can make the difference between detecting an active attack and being blissfully ignorant to a breach.”