The Federal Trade Commission (FTC) will require web hosting giant GoDaddy to implement basic security protections, such as multi-factor authentication and HTTPS APIs, to settle charges that it failed to secure its hosting services against attacks since 2018.
The FTC says the Arizona-based company's claims of reasonable security practices also misled millions of web-hosting customers, because GoDaddy was instead "blind to vulnerabilities and threats in its hosting environment" after failing to implement standard security tools and practices.
"Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.
"The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe."
According to the FTC's complaint, GoDaddy's unreasonable security practices included failing to use multi-factor authentication (MFA), manage software updates, log security-related events, segment its network, monitor for security threats (including by failing to use software that could actively detect threats from its many logs), and use file integrity monitoring.
The company also failed to inventory and manage assets, assess risks to its website hosting services, and secure connections to services that provide access to consumer data.
Lax security practices led to multiple breaches
The FTC says that, between 2019 and 2022, these data security failures led to several major security breaches, resulting in threat actors gaining access to customers' websites and data.
For instance, in February 2023, the hosting giant disclosed that unknown attackers stole source code and installed malware on compromised servers after breaching its cPanel shared hosting environment in a multi-year breach.
The company said it only discovered the breach in early December 2022 after receiving customer complaints that their websites were being used to redirect to unknown domains.
GoDaddy also revealed at the time that security breaches disclosed in November 2021 and March 2020 were also linked to this campaign.
The November 2021 breach affected 1.2 million Managed WordPress customers. Attackers hacked into GoDaddy's hosting environment using a compromised password and obtained email addresses, WordPress Admin passwords, sFTP and database credentials, and SSL private keys from some clients.
Following the March 2020 breach, GoDaddy notified 28,000 customers that an attacker used their web hosting credentials to connect via SSH in October 2019.
According to a proposed settlement order, the FTC will require GoDaddy to establish a robust information security program, and the order prohibits the company from misleading customers about its security protections. The order also mandates that GoDaddy hire an independent third-party assessor to conduct biennial reviews of its information security program.
In December, the FTC also ordered Marriott International and Starwood Hotels to implement a robust data security program following failures that led to massive data breaches in 2014 and 2018, exposing over 340 million guest records.
Marriott settled with the FTC in October 2024 and agreed to pay $52 million to 49 states to resolve claims related to these data breaches.