Security firm Defiant, developer of the Wordfence publishing security platform, announced that web hosting firm GoDaddy disclosed that the SSH credentials of 28,000 GoDaddy hosting accounts were stolen by a hacker. This is especially dangerous for potential victims: the hacker probably installed their own public key on affected servers, so even if those affected change their passwords and their public/private SSH key pairs, which replace usernames and passwords in an SSH environment, the hacker would still have access.
The theft seems to have occurred on October 19, 2019, though GoDaddy did not issue a public statement until April 23 of this year. According to a statement from the hosting & domain provider filed with the California Attorney General’s office:
“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”
SSH, or Secure Shell, is a cryptographic network protocol that allows for secure communications between network resources such as two or more computers. It is commonly used by remote users to securely access a distant IT asset, such as a server located in a remote data center. It uses public and private cryptographic keys, small text files with long character strings, to authenticate connections. Keys are generally more secure than username and password combinations, but if stolen, they give the thief unimpeded access.
Wordfence offers detailed steps that potential victims may take to mitigate risks in their blog post on the breach.
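Because a public key added to a server keeps working after passwords and private keys are changed, a reset should be followed by a review of every `authorized_keys` file. The script below is an added example, not Wordfence's or GoDaddy's procedure: it fingerprints each entry and reports those missing from an approved set. The key blobs, comments and approved set are constructed for the demonstration.

```python
import base64, binascii, hashlib, re, struct

KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+([A-Za-z0-9+/]+={0,2})")

def parse_entry(line):
    """Return (fingerprint, options, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    for m in KEY_RE.finditer(line):
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except binascii.Error:
            continue
        # The blob starts with a length-prefixed copy of the key type; requiring a
        # match skips look-alike text inside an options string such as command="...".
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] != m.group(1).encode():
            continue
        digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
        return "SHA256:" + digest, line[:m.start(1)].strip(), line[m.end():].strip()
    return None

def audit(text, approved):
    """Return the entries whose fingerprint is not in the approved set."""
    entries = (parse_entry(l) for l in text.splitlines())
    return [e for e in entries if e and e[0] not in approved]

def demo_key(seed):
    # Constructed ed25519-format blob (not a real key), used only for the sample.
    parts = (b"ssh-ed25519", bytes([seed]) * 32)
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-ed25519 " + base64.b64encode(raw).decode()

SAMPLE = "\n".join([
    "# constructed sample authorized_keys file",
    demo_key(1) + " owner@laptop",
    'command="/usr/bin/backup ssh-rsa AAAA",no-pty ' + demo_key(2) + " backup-job",
    demo_key(3) + " unrecognized",
])
APPROVED = {parse_entry(demo_key(1))[0], parse_entry(demo_key(2))[0]}

if __name__ == "__main__":
    for fp, opts, comment in audit(SAMPLE, APPROVED):
        print("UNAPPROVED", fp, comment, opts)
```

The fingerprints use the same SHA256 form that `ssh-keygen -lf` prints, so the approved set can be built from keys the account owner actually holds.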
Image from GoDaddy’s Tempe, AZ offices courtesy of GoDaddy Operating Company, LLC