Key Takeaways
- The Federal Trade Commission (FTC) has officially slammed the door on GoDaddy for years of security failures that exposed millions of users’ data.
- GoDaddy must now undergo a 20-year independent security review and meet several other order requirements by the FTC.
- This isn’t unique: Other top hosts have suffered major breaches due to lax security, which have unsurprisingly only raised consumer privacy concerns.
The Federal Trade Commission (FTC) is cracking down on GoDaddy after years of security failures that have led to multiple data breaches.
The proposed order was announced in January, when the FTC accused GoDaddy of being “blind to vulnerabilities and threats” and endangering its approximately 21 million registered users.
The investigation found that GoDaddy has repeatedly failed to implement standard security measures since 2018.
The FTC said GoDaddy has also been misrepresenting its security practices, especially with claims like “providing award-winning security.”
The FTC finalized its order on May 21, which now will require GoDaddy to:
- Stop making false claims about its security practices or compliance with security programs and regulations
- Implement a comprehensive information security program, including asset management, software updates, risk assessments, MFA, and network augmentation
- Hire an independent third-party assessor to immediately review GoDaddy’s security program and conduct reviews every two years for the next 20 years
- Report any and all security incidents to the FTC within 10 days of notifying other government entities
Inside the Security Claims
Millions of people rely on web hosting providers like GoDaddy to keep their websites and businesses secure.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, noted these orders are necessary to protect those very people.
“The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe,” he said.
Specifically, here’s what GoDaddy was cited for:
- Failing to enforce multifactor authentication (MFA)
- Inadequate software update management
- Lack of threat monitoring and network segmentation
- Failure to secure service connections to customer data
As a result of these failings, GoDaddy has experienced several breaches over the years:
- October 2019: A hacker found a vulnerability that led to a breach, which lasted until April 2020. About 28,000 customer and employee SSH credentials were compromised, along with 1,000 customer credit card numbers.
- November 2021: About 1.2 million customers’ data of GoDaddy’s Managed WordPress product were exposed when an attacker gained access via an unsecured API.
- December 2022: The same actor from a previous breach hit GoDaddy yet again. Some website visitors were also redirected to malicious sites, which directly impacted the trust of many small businesses.
By January this year, GoDaddy said it had already complied with several of the FTC’s requirements.
“We plan to continue to invest in our defenses to address evolving threats and help keep our customers, their websites and their data safe,” a GoDaddy spokesperson told BleepingComputer.
GoDaddy also noted that it has not admitted any wrongdoing and is relieved that the order has no financial penalties.
It’s Not Just GoDaddy
GoDaddy’s mishandling is far from an isolated incident.
Several web hosting providers have failed at properly securing their hosting services through the years.
In 2019, Hostinger suffered a data breach in which an unauthorized third party accessed one of its servers. It gained entry to client and account data, putting about 14 million customers at risk.
The same year, ethical hacker Paulos Yibelo found vulnerabilities across Bluehost, DreamHost, HostGator, OVH, and iPage.
The video below is an example of what Yibelo found:
Most of the threats involved flaws that would allow hackers to modify user data, including email addresses, that could be used for password resets.
Unfortunately, security concerns have not abated for consumers in the years since. In fact, it looks like they’ve only gotten worse.
One study shows that 73% of survey participants said they are more concerned about data privacy now than they were before.
And if consumers had it their way, they wouldn’t share any data at all. According to the survey, 37% of respondents said they only shared their personal data because it was the only way to access a product or service.
This should tell providers that when security protocols are neglected — or not regularly audited, tested, or updated — there are lasting consequences that are far worse than just paying a fine.
