FTC Finalizes Order Requiring GoDaddy to Strengthen Security of Its Hosting Services


The U.S. Federal Trade Commission (FTC) has finalized an order that requires GoDaddy, a leading web hosting provider, to enhance the security of its services. This decision comes as a resolution to allegations regarding security lapses that have contributed to multiple data breaches since 2018.

In January, the FTC indicated that GoDaddy, which serves approximately five million customers, had misrepresented its security measures. The Commission identified critical vulnerabilities within GoDaddy’s hosting environment stemming from the absence of fundamental security protocols.

Under the FTC’s order, GoDaddy is prohibited from misleading its customers about the security safeguards it has in place, and it must establish a comprehensive information security program. Specifically, GoDaddy is required to secure its Application Programming Interfaces (APIs) using HTTPS or other secure communication protocols and to implement a systematic strategy for managing software and firmware updates.

Moreover, the order requires GoDaddy to engage an independent third-party assessor to evaluate its information security program every two years. The order also covers incident reporting: GoDaddy must report any incident involving unauthorized access to, exposure of, or theft of customer data within 10 days.

To further bolster security, GoDaddy must introduce mandatory multi-factor authentication (MFA) for all users, including customers, employees, and contractors. This requirement extends to any hosting service support tools or assets, including database connections, while also allowing for alternative MFA methods that do not require customers to provide a telephone number.

Underlying Security Deficiencies

The FTC’s complaint highlighted several deficiencies in GoDaddy’s security protocols, including the lack of multi-factor authentication, inadequate management of software updates, and insufficient logging of security-related events. Additionally, GoDaddy failed to monitor potential threats, segment its network effectively, employ rigorous file integrity monitoring, and conduct thorough asset management or risk assessments regarding its hosting services.

These security shortcomings contributed to multiple significant breaches between 2019 and 2022, in which attackers compromised customer data and websites. Notably, in February 2023, GoDaddy disclosed a breach in which threat actors, who had maintained access to its cPanel shared hosting environment for several years, installed malware on compromised servers and exfiltrated source code.

The breach was detected in December 2022, following customer reports about their websites being redirected to unauthorized domains. It was also revealed that earlier breaches in March 2020 and November 2021 were associated with the same hacking campaign.

In November 2021, a breach allowed attackers to infiltrate GoDaddy’s hosting environment using a compromised password, leading to the theft of email addresses, WordPress admin credentials, SFTP and database access details, and SSL private keys belonging to 1.2 million Managed WordPress customers. This followed an earlier incident in March 2020, in which 28,000 customers were notified of unauthorized access via their web hosting credentials.

In response to the FTC’s allegations, GoDaddy stated that it is continuously enhancing its security measures and has already taken steps to comply with the terms of the settlement agreement. The company clarified that the resolution does not constitute an admission of liability nor does it impose financial penalties.

GoDaddy expressed confidence that the financial implications of adhering to the settlement’s terms would be minimal and reaffirmed its commitment to investing in advanced security measures to safeguard its customers, their websites, and their data.