FTC Enforces 20-Year Monitoring on GoDaddy for Security Compliance Failures

The Federal Trade Commission (FTC) is cracking down on GoDaddy after years of security failures that have led to multiple data breaches.

The proposed order was announced in January, when the FTC accused GoDaddy of being “blind to vulnerabilities and threats” and endangering its approximately 21 million registered users.

The investigation found that GoDaddy has repeatedly failed to implement standard security measures since 2018.

The FTC said GoDaddy has also been misrepresenting its security practices, especially with claims like “providing award-winning security.”

The FTC finalized its order on May 21, which now will require GoDaddy to:

  • Stop making false claims about its security practices or compliance with security programs and regulations
  • Implement a comprehensive information security program, including asset management, software updates, risk assessments, MFA, and network augmentation
  • Hire an independent third-party assessor to immediately review GoDaddy’s security program and conduct reviews every two years for the next 20 years
  • Report any and all security incidents to the FTC within 10 days of notifying other government entities

Inside the Security Claims

Millions of people rely on web hosting providers like GoDaddy to keep their websites and businesses secure.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, noted these orders are necessary to protect those very people.

“The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe,” he said.

Specifically, here’s what GoDaddy was cited for:

  • Failing to enforce multifactor authentication (MFA)
  • Inadequate software update management
  • Lack of threat monitoring and network segmentation
  • Failure to secure service connections to customer data

As a result of these failings, GoDaddy has experienced several breaches over the years:

  • October 2019: A hacker found a vulnerability that led to a breach, which lasted until April 2020. About 28,000 customer and employee SSH credentials were compromised, along with 1,000 customer credit card numbers.
  • November 2021: Data on about 1.2 million customers of GoDaddy’s Managed WordPress product was exposed when an attacker gained access via an unsecured API.
  • December 2022: The same actor from a previous breach hit GoDaddy yet again. Some website visitors were also redirected to malicious sites, which directly impacted the trust of many small businesses.

By January this year, GoDaddy said it had already complied with several of the FTC’s requirements.

“We plan to continue to invest in our defenses to address evolving threats and help keep our customers, their websites and their data safe,” a GoDaddy spokesperson told BleepingComputer.

GoDaddy also noted that it has not admitted any wrongdoing and is relieved that the order has no financial penalties.

It’s Not Just GoDaddy

GoDaddy’s mishandling is far from an isolated incident.

Several web hosting providers have failed at properly securing their hosting services through the years.

In 2019, Hostinger suffered a data breach in which an unauthorized third party accessed one of its servers. It gained entry to client and account data, putting about 14 million customers at risk.

The same year, ethical hacker Paulos Yibelo found vulnerabilities across Bluehost, DreamHost, HostGator, OVH, and iPage.

The video below is an example of what Yibelo found:

Most of the threats involved flaws that would allow hackers to modify user data, including email addresses, that could be used for password resets.

Unfortunately, security concerns have not abated for consumers in the years since. In fact, it looks like they’ve only gotten worse.

One study shows that 73% of survey participants said they are more concerned about data privacy now than they were before.

And if consumers had it their way, they wouldn’t share any data at all. According to the survey, 37% of respondents said they only shared their personal data because it was the only way to access a product or service.

This should tell providers that when security protocols are neglected — or not regularly audited, tested, or updated — there are lasting consequences that are far worse than just paying a fine.