FTC finalizes security order against GoDaddy over data breach failures

The U.S. Federal Trade Commission (FTC) has finalized a sweeping enforcement order requiring web hosting company GoDaddy to bolster its cybersecurity measures, following a series of data breaches linked to longstanding security lapses.


The order, issued in response to a complaint filed by the FTC, addresses multiple security failures at GoDaddy that allegedly persisted for years and exposed millions of users to cyber threats. The agency found that the company lacked critical safeguards, such as multi-factor authentication, proper threat monitoring, secure software update protocols, and effective logging of security events. These deficiencies, according to the FTC, contributed to a string of serious breaches that occurred between 2019 and 2022.


As part of the finalized order, GoDaddy is now prohibited from misrepresenting the security of its services. The company must implement a comprehensive information security program and ensure the use of secure communication protocols, such as HTTPS, for all API connections. It is also required to establish a formal software and firmware update management system.


In addition, the FTC mandates that GoDaddy retain an independent third-party assessor to conduct biennial reviews of its security program. The company must report any incidents involving unauthorized access to, or theft of, customer data within 10 days of discovery.


Among other obligations, GoDaddy is required to enforce multi-factor authentication (MFA) for all employees, contractors, and customers accessing hosting tools or connected databases. The order specifies that at least one MFA method must be available that does not rely on a customer’s phone number, such as authentication apps or security keys.


The FTC’s investigation revealed that GoDaddy’s inadequate cybersecurity infrastructure left it vulnerable to multiple breaches. In one major incident, discovered in December 2022, attackers installed malware on compromised servers and stole proprietary source code after infiltrating GoDaddy’s cPanel shared hosting environment. The breach, part of a broader multi-year intrusion campaign, was uncovered only after customers reported that their websites were being redirected to unfamiliar domains.


Further examination linked this event to earlier breaches disclosed by the company in March 2020 and November 2021. In the November 2021 incident, intruders exploited a compromised password to access the hosting environment, exfiltrating sensitive customer data—including email addresses, WordPress admin credentials, sFTP and database logins, and SSL private keys—affecting approximately 1.2 million Managed WordPress accounts. In the March 2020 case, the company informed 28,000 customers that their hosting credentials had been used to access services via SSH in a breach dating back to October 2019.


In a statement issued in January, GoDaddy emphasized that the FTC settlement involves no admission of wrongdoing or financial penalties. “We are constantly improving our security capabilities and have already implemented a number of the requirements in the settlement agreement with the FTC,” a company spokesperson stated. “We expect minimal financial impact associated with complying with the terms of the agreement with the FTC. We plan to continue to invest in our defenses to address evolving threats and help keep our customers, their websites, and their data safe.”


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543