GoDaddy, one of the domain registrars and web hosting companies in the world, has admitted customer usernames and passwords for connecting remotely to Linux servers via SSH have been compromised, forcing the providers to reset passwords on 28,000 accounts.

“We recently identified suspicious activity on a subset of our servers and immediately began an investigation,” the company said in letters sent to customers, a copy of which was filed with California’s attorney general. “The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.”

GoDaddy told Forbes.com that it discovered the compromise on April 23rd, but there are news reports saying the breach occurred last October. If accurate, it took the company some six months to discover.

Reducing the dwell time an attacker is in an environment is vital to reducing the impact of a breach of security controls. The longer an attacker is on a network the more time they have to find and exploit key assets. Some studies suggest the average time to detection of an attack is between 75 and 100 days.

The incident comes after security reporter Brian Krebs reported on March 31 that a GoDaddy staffer had fallen victim to a spear-phishing attack, and that five other customer accounts were “potentially” affected.

Secure Shell (SSH) is a UNIX-based command interface and protocol for securely accessing a remote computer to perform Linux command-line operations. SSH can be performed from a Windows (using a client like PuTTY), Mac, or Linux computer.

In an email, Markku Rossi, CTO of Finland-based security provider SSH.com noted that those signing up for GoDaddy’s web hosting get a Linux operating system account on GoDaddy’s servers for web content.

All GoDaddy plans include FTP (File Transfer Protocol) access to that account for uploading website assets. Administrators can also enable SSH for more secure access. The SSH access, he noted, uses the same username+password authentication used for the FTP access.

GoDaddy hasn’t said how its system was compromised but Rossi offers three possibilities:

  • If GoDaddy’s customers used the FTP protocol login credentials could have been intercepted from the network traffic, since the FTP protocol sends the login credentials in plain text;
  • Customers might have changed their FTP (and SSH) passwords to weak ones (or, GoDaddy’s own default passwords are weak), leaving them open to a brute-force attack;
  • The attacker might have had access to GoDaddy’s servers (if they were a person working for GoDaddy, or one of their web hosting customers, for example) and they might have been able to get password files from the servers. Those passwords are encrypted, but the encryption may not have been strong enough to withstand a brute-force attack.

This breach underscores the importance of hosting providers forcing multi-factor authentication on customers, Rossi said, or disabling password authentication altogether and require strong public-key authentication for all SSH access.

While GoDaddy has enforced password resets for affected accounts, Rossi cautioned that may not be enough. The attacker could have uploaded their SSH public key to the server (add it to the $HOME/.ssh/authorized_keys file). If the public key is added for an account, the attacker can use it to bypass the password authentication, he said. This means that even if the password is reset, the attacker will have SSH access with the rogue SSH public key.

This is a very common process for cyberattacks, Rossi said, where attackers first get a login via password brute-force attacks, phishing attacks, etc. and then once the attacker gets the initial login shell, they will insert their SSH public keys to gain access later.