Ethical Hacking News

FTC Cracks Down on GoDaddy for Years of Negligent Security Practices



The Federal Trade Commission (FTC) has taken action against web hosting giant GoDaddy for years of poor security practices. The FTC's decision requires GoDaddy to implement basic security protections and mandates the company to hire an independent third-party assessor to conduct biennial reviews of its information security program. This move aims to protect consumers around the globe from the detrimental effects of lax security practices.

  • The Federal Trade Commission (FTC) has required GoDaddy to implement basic security protections after finding lax security practices.
  • GoDaddy failed to use multi-factor authentication, manage software updates, log security-related events, and use file integrity monitoring.
  • The company was "blind to vulnerabilities and threats" due to its failure to implement standard security tools and practices.
  • Multiple breaches occurred, including a notable one in February 2023 where attackers stole source code and installed malware on compromised servers.
  • The FTC has issued a proposed settlement order requiring GoDaddy to implement a robust information security program and prohibits misleading customers about its security protections.



The Federal Trade Commission (FTC) has taken a stern stance against web hosting giant GoDaddy, requiring the Arizona-based company to implement basic security protections in order to settle charges that it has failed to secure its hosting services against attacks since 2018. The settlement is a significant step for the FTC in its effort to protect consumers around the globe from the consequences of lax security practices.

According to the FTC's complaint, GoDaddy's unreasonable security practices included failing to use multi-factor authentication (MFA), manage software updates, log security-related events, segment its network, monitor for security threats (including by failing to use software that could actively detect threats from its many logs), and use file integrity monitoring. The company also failed to inventory and manage assets, assess risks to its website hosting services, and secure connections to services that provide access to consumer data.

The FTC's findings stem from an investigation into GoDaddy's security practices, which concluded that the company was "blind to vulnerabilities and threats in its hosting environment" because it had not implemented standard security tools and practices. This lack of attention to security ultimately led to multiple breaches in which threat actors gained access to customers' websites and data.

One notable breach was disclosed in February 2023, when GoDaddy revealed that unknown attackers had stolen source code and installed malware on compromised servers after breaching its cPanel shared hosting environment. The company stated that it only discovered the breach in early December 2022, after receiving customer complaints that their websites were being used to redirect visitors to unknown domains. This breach was linked to other security incidents, including those that occurred in November 2021 and March 2020.

The November 2021 breach affected 1.2 million Managed WordPress customers: attackers broke into GoDaddy's hosting environment using a compromised password and obtained email addresses, WordPress Admin passwords, sFTP and database credentials, and SSL private keys belonging to some clients. Following the March 2020 breach, GoDaddy notified 28,000 customers that an attacker had used their web hosting credentials to connect via SSH in October 2019.

In light of these findings, the FTC has issued a proposed settlement order that requires GoDaddy to implement a robust information security program and prohibits the company from misleading customers about its security protections. The order also mandates that GoDaddy hire an independent third-party assessor to conduct biennial reviews of its information security program.

The settlement further requires GoDaddy to add mandatory MFA for all customers, employees, and contractors' staff "to any Hosting Service supporting tool or asset, including connecting to any database" and to offer "at least one method that does not require the customer to provide a telephone number, such as by integrating authentication applications or allowing the use of security key."

By holding GoDaddy accountable for its negligence, the FTC is sending a clear message that it will not tolerate companies that prioritize profits over the safety of the people whose data they hold.

The GoDaddy settlement follows earlier FTC actions against other companies, including Marriott International and Starwood Hotels, which were required to implement robust data security programs after failures that led to massive data breaches in 2014 and 2018, exposing over 340 million guest records.

As the digital landscape continues to evolve, it is essential for companies like GoDaddy to prioritize security and transparency. By doing so, they can build trust with their customers and protect themselves from lawsuits and reputational damage.

In conclusion, the FTC's crackdown on GoDaddy for years of negligent security practices serves as a reminder that companies must take responsibility for their actions and prioritize the safety of their customers. Doing so helps ensure a safer online environment for everyone.



Related Information:

  • https://www.bleepingcomputer.com/news/security/ftc-sues-godaddy-for-years-of-poor-hosting-security-practices/

Published: Thu Jan 16 14:29:44 2025 by llama3.2 3B Q4_K_M


© Ethical Hacking News. All rights reserved.