
Web hosting giant GoDaddy said it suffered a breach in which unknown attackers stole source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.

While GoDaddy discovered the security flaw in early December 2022 following customer reports that their sites were being used to redirect to random domains, the attackers had access to the company’s network for several years.

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated group of malicious actors who, among other things, installed malware on our systems and obtained pieces of code related to certain services within GoDaddy,” the hosting company said in a filing with the SEC.

The company says previous breaches disclosed in November 2021 and March 2020 are also related to this multi-year campaign.

The November 2021 incident led to a data breach affecting 1.2 million managed WordPress customers after attackers breached GoDaddy’s WordPress hosting environment using a compromised password.

They gained access to the email addresses of all affected customers, their WordPress admin passwords, sFTP and database credentials, and SSL private keys of a subset of customers.

After the March 2020 breach, GoDaddy alerted 28,000 customers that an attacker had used their web hosting account credentials in October 2019 to log into their hosting accounts via SSH.

GoDaddy is now working with external cybersecurity experts and law enforcement agencies around the world as part of an ongoing investigation into the root cause of the breach.

Links to attacks targeting other hosting companies

GoDaddy says it has also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies around the world over the years.

“We have evidence, and law enforcement has confirmed, that this incident was committed by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a press release.

“According to information we have received, their apparent purpose is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

GoDaddy is one of the largest domain registrars and also provides hosting services to over 20 million customers worldwide.

A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Updated February 17, 12:59 PM EST: Added more information on breaches related to the multi-year campaign targeting GoDaddy and other hosting companies.
