back to article GoDaddy hack: Miscreant goes AWOL with 28,000 users' SSH login creds after vandalizing server-side file

Hosting biz GoDaddy has admitted a hacker tampered with an SSH file on its servers, leading to the theft of 28,000 users' SSH credentials. The intrusion, which took place last month, involved one or more malicious persons "alter" an SSH file on GoDaddy's infrastructure, the US giant told The Register. GoDaddy spokesman Nick …

  1. Anonymous Coward
    Anonymous Coward

    How very 1990s

    SSH with passwords rather than keys? How terribly quaint and 1990s.

    A bit short of details in the article - would be interested to know exactly what was exploited and how.

    1. Anonymous Coward
      Anonymous Coward

      Re: How very 1990s

      Indeed, it's a bit confusing. I don't think it's keys either; why would they have their users' private keys?

      1. big_D Silver badge

        Re: How very 1990s

        It sounds like it was a key-file that got altered.

        GoDaddy wouldn't have the private keys, they would have the public keys to check against when logging on. At a guess, the hackers added their own public keys to the affected accounts to enable access.

  2. Ima Ballsy
    IT Angle

    Note the.....

    First time thy have been breached!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Note the.....

      Having worked there a few times, I can say not the "first time". Just first time they made it public.

      1. Anonymous Coward
        Anonymous Coward

        Re: Note the.....

        Well, it's a GDPR requirement nowadays.

        1. robidy

          Re: Note the.....

          Depends on the circumstances.

          1. Anonymous Coward
            Anonymous Coward

            Re: Note the.....

            > Depends on the circumstances.

            Nu… keine Scheiße, Bruder!

            Didn't know the Department of the Obvious was on duty today.

      2. Mike 16

        Re: Worked there a few times

        @AC -- You are Leopold von Sacher-Masoch and I claim my prize.

  3. Anonymous Coward

    Gone Daddy

    When my son, an aspiring writer, built a site 0to post his short stories, He didn't want my help (which IMHO would have helped) so when I suggested he get a domain name, I decided to research his options.

    I eliminated GoDaddy from the list early on. They really haven't seemed to have progressed much from their origins as a slapped together discount provider with a flashy ad campaign. Back when they started this might have been enough, given the limited (and expensive) competition. But now there are a wealth of options and many offer more and seem to be better put together and better run. Among other things, in 2017 we learned that its domain validation system had a serious bug and they had to revoke 9000 SSL certificates. Then there was the authentication weakness which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain. If I wouldn't trust them for a minor site, I can't imagine a company trusting them with their business.

    Shameless plug for my son (please don't tell him:

  4. razorfishsl

    Only an idiot would use "godaddy", once you transfer your domain name in, you cannot get it out again....

    1. Mike 16

      Domain roach-motel

      One _can_ get a domain registered to (and hosted on, the folly of youth) GoDaddy out, but it takes work and perseverance. What I _can't_ apparently do is get them to acknowledge that I haven't had any business relationship with them for years, so bugging me with "Your account is suspended because the credit card we have on file has expired" emails is at best pointless.

      Note the recent story in ElReg about shenanigans in Colombia, where Neustar is reported to be selling (or attempting to sell) their registry business, including .biz, .nyc, and .us to GoDaddy.

    2. Anonymous Coward
      Anonymous Coward

      My domain was originally handled by GoDaddy, and I transferred it in 2017 to 1and1 without any difficulty at all. I like 1and1 (now Ionos) better, being cheaper and letting me update the DNS automatically, but GoDaddy did an ok job at the time.

  5. Sanctimonious Prick

    1990s Ad Campaign

    Even their ads here on AU teevee looks 1990s style... cheap, low budget, "we're the best - Australia's best!"

    Oh, please shoot me.

  6. jvf

    O for the good old days

    Danica! Where are you now that we need you!

  7. Maelstorm Bronze badge

    From the U.S. perspective...

    From the U.S. perspective, you get what you pay for...caveat emptor comes to mind. Now here's an interesting fact that I want to share with you about GoDaddy: They are the registar of choice for fishing and fake web sites. More often than not, if it's a fake web site, then the registar is GoDaddy.

    1. Claverhouse Silver badge

      Re: From the U.S. perspective...

      I dunno, lots of [ much ] cheaper web hosts than GoDaddy offer a much more superior and more ethical service.



      And to be honest, what's with 'GoDaddy' ? It sounds like the personal nick of a less reputable Porn Baron.

      1. Claptrap314 Silver badge

        Re: From the U.S. perspective...

        Did you see their original ad?

  8. Maelstorm Bronze badge

    And why...

    Any why were the passwords not salted and hashed? Like their marketing campaign, their business, and their code, that flaw is so 1990's. It's what, 30 years on and they still haven't learned the lessons of the past?

    1. brotherelf

      Re: And why...

      Hashing doesn't matter if the process of logging in sends the password to the server and you've gained control of the server. The statement is carefully wishy-washy, my guess is the configuration was corrupted and delegated password checking to something under external control.

      1. Maelstorm Bronze badge

        Re: And why...

        The web sites that I develop uses the CHAP protocol so the plaintext password is never sent. The server sends a random binary string, salt, hash method, and hash rounds to the client. The computation is done in the client and that result is sent to the server. If they match then the password is valid. The random binary string changes for *EVERY* login request to thwart playback attacks. So even if SSL isn't used, the password is still protected. In this case, not even the server has the plaintext password stored. Furthermore, the ONLY time the server actually gets the plaintext password is when the user creates a new account, or they change their password. I have a project in the works to change that too.

  9. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like