It's amazing that (approximately) no one cares about stuff like this.
GoDaddy was severely breached several times over several years, yet they still rake in billions of revenue from their millions of customers. Now they have to pay someone to fill out a biennial checklist and... promise to not lie. Awesome.
If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)
>If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)
As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"
Depends on the industry. I'm in healthcare, and our legal department is always reminding the devs that even a small breach can be financially catastrophic for the company, as they are totaled as $xx,000 per person affected.
We get training on it every six months.
> As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"
Honestly, I'm more afraid of reputational loss than government fines. Our customers don't have to use our product. They do because they trust us. Lose that trust and it's awfully hard to get it back.
They are also the worst hosting provider I have ever worked with, multiple times. Awful customer support and high prices. The only reason I work with them anymore is to migrate new customers to a different provider.
GoDaddy had really good marketing at one point and as of the last time I used it, which was years ago, they make it very difficult (I'm pretty sure by design) to leave. Their UX was one of the worst I've ever experienced in my life and they were consistently moving things around to make it worse. They essentially trap you, and someone without either the savvy or diligence will just give up.
If you don't make the fines or whatever substantially more than the profit of the illicit or negligent conduct, it isn't a consequence. It's a budget line-item.
Every regulatory agency in America has been stripped to the bones by decades of budget cuts and never ending accusations of "stifling innovation" and we're shocked now that companies get away with both metaphorical and actual murder.
The sad truth is that for the most part, the web hosting industry has normalized a fairly lax approach to security, and sees settlements like this, and even breaches, as a cost of doing business. Look at Wordpress maintenance, for example.
It's a tough business hosting arbitrary UGC, and doing it well costs a lot of time effort and money (ask me how I know). But I fully agree: treating this as just another line-item cost is absurd.
They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider, footing their businesses on shaky foundations.
Yeah - selection bias and apathy is the root of it, IMO.
GoDaddy attracts the unwashed masses who don’t care about security, and who remain unfazed after learning about breaches. Meanwhile, the tech-savvy crowd who would care about breaches already know to avoid GoDaddy and view the inevitable breaches as the plebs reaping what they’ve sown.
Ergo, no one getting breached by GoDaddy cares, and nobody informed watching it happen feels a need to intervene.
I'd be less amazed if people could articulate why this matters. What is the harm being done here and why is it more costly than GoDaddy raising their prices by a few dollars?
One example: They're selling domain registration privacy, but don't sufficiently secure the private data. The entire Domains by Proxy dataset is available on the dark web.
Most companies are way too incompetent to even know how to secure their own data because it is just too expensive to actually hire someone that knows what they're doing - so most of the "cybersecurity" industry is just grifters talking about buzzwords and building dashboards to show how good they are at patching CVEs.
I have had to tell multiple cybersecurity vendors that brag about working with huge companies and governments that we cannot work with them because of how poor their own cybersecurity practices are (i.e. not using secure compute/hardware crypto when dealing with our private keys).
These are companies that should know better, I have had to stop ADP professional services more than once from disabling certificate validation on critical pipelines pertaining to confidential employee and customer information. I do not want to imagine what happens at 99% of companies with cybersecurity teams that don't even know what certificate validation is.
I worked for a medium sized company. They had a very large commercial e-commerce site for their customers. They used Wordpress sites that were hosted on GoDaddy. I worked there for two years. They never updated any of their passwords for GoDaddy or their Wordpress sites.
It's been almost ten years since I've worked there and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.
I mean, someone gets access to their GoDaddy account and within minutes will have full control of a major bit of their business. Talk about playing with fire.
> It's been almost ten years since I've worked there and I occasionally log on just to see if they've updated anything. Nope. Last time I checked was early 2024. Still nothing was updated.
... but.. why?
Why let them live rent-free in your mind? Why admit to that in even a pseudonymous space?
I've had a dim view of them ever since my first interaction with Domains by Proxy (At the time, I recall finding that many 'windows support' scam sites and other malware distribution was showing up under their domains, and every attempt to uncover would only lead to an 'oh that account is now banned but we wont tell you thx'.)
... Honestly it reminds me of how some Internet VOIP providers won't tell the name of the business who actually bought the number (Which, of course, complicates the ability to collect on TCPA when it's a number used for spam.)
GoDaddy is one of the sleaziest companies I know of.
I ran a website hosted on GoDaddy for a local business when the server cluster was hacked. GoDaddy admitted it was their fault, but the business ended up having to pay me to fix the site. GoDaddy also managed to convince the business to pay for an additional monthly "security" plan, which included page caching. They set everything up over the phone without talking to me at all.
The next day I noticed some odd behavior with the admin pages, then realized they were being cached, and not only that, they were now publicly accessible. GoDaddy's improved security plan ended up being responsible for a data leak. They really screwed up twice, but there was zero penalty; the only consequence was that they made more money. The business chose to stay with GoDaddy, despite my recommendations. They saw the ads on TV and were convinced GoDaddy is the pinnacle of web hosting.
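The leak described in the comment above (a page cache keyed on URL alone, storing an admin's authenticated response and replaying it to anonymous visitors) is easy to reproduce in miniature. The following is an added example written for this thread, not code from GoDaddy, WordPress or anyone in the discussion: a constructed origin, a URL-keyed cache, and two storage policies. `naive_is_cacheable` is the hypothetical "cache every 200 GET" behaviour; `is_cacheable` applies the checks a shared cache should make (no credentials on the request, no `private`/`no-store`, no `Set-Cookie`, never the admin paths). The admin headers are modelled on what WordPress sends for its admin pages, which is an assumption here.

```python
"""Page-cache policy simulation: added example, not code from the thread."""
from dataclasses import dataclass, field


@dataclass
class Exchange:
    method: str
    path: str
    request_headers: dict = field(default_factory=dict)
    status: int = 0
    response_headers: dict = field(default_factory=dict)


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def naive_is_cacheable(x):
    """Hypothetical 'cache every 200 GET by URL' policy: the failure mode."""
    return x.method == "GET" and x.status == 200


def is_cacheable(x):
    """Shared-cache policy: refuse anything personalised or marked private."""
    if x.method != "GET" or x.status != 200:
        return False
    if x.path.startswith(("/wp-admin", "/wp-login.php")):
        return False                      # admin surface is never shared
    if _header(x.request_headers, "Cookie") or _header(x.request_headers, "Authorization"):
        return False                      # request carried credentials
    cc = (_header(x.response_headers, "Cache-Control") or "").lower()
    directives = {d.strip().split("=", 1)[0] for d in cc.split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return False                      # origin said not to share it
    if _header(x.response_headers, "Set-Cookie"):
        return False                      # response establishes session state
    return True


class PageCache:
    """Minimal URL-keyed page cache in front of an origin callable."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}

    def handle(self, x, origin):
        """Serve from cache on hit; otherwise fetch and store if policy allows."""
        if x.method == "GET" and x.path in self.store:
            return self.store[x.path], "HIT"
        x.status, x.response_headers, body = origin(x)
        if self.policy(x):
            self.store[x.path] = body
        return body, "MISS"


def wordpress_like_origin(x):
    """Constructed origin: admin pages require a login cookie, else redirect."""
    cookie = _header(x.request_headers, "Cookie") or ""
    if x.path.startswith("/wp-admin"):
        if "wordpress_logged_in" in cookie:
            # Header set modelled on WordPress admin responses (assumption).
            hdrs = {"Cache-Control": "no-cache, must-revalidate, max-age=0, no-store, private"}
            return 200, hdrs, "<ul><li>admin &lt;admin@example.com&gt;</li></ul>"
        return 302, {"Location": "/wp-login.php"}, ""
    return 200, {"Cache-Control": "public, max-age=300"}, "<h1>Welcome</h1>"


def simulate(policy):
    """Admin loads the user list, then an anonymous visitor requests the same URL.
    Returns (body, 'HIT'|'MISS') as seen by the anonymous visitor."""
    cache = PageCache(policy)
    admin = Exchange("GET", "/wp-admin/users.php",
                     {"Cookie": "wordpress_logged_in_abc=admin|deadbeef"})
    cache.handle(admin, wordpress_like_origin)
    visitor = Exchange("GET", "/wp-admin/users.php")
    return cache.handle(visitor, wordpress_like_origin)


if __name__ == "__main__":
    print("naive :", simulate(naive_is_cacheable))
    print("strict:", simulate(is_cacheable))
```

Under the naive policy the anonymous visitor gets a HIT containing the admin's user list; under the strict policy the request goes to the origin and gets the login redirect. The request-side checks matter as much as the response-side ones: an origin that forgets `private`/`no-store` is still protected if the cache refuses to store responses to requests that carried a cookie.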
They seem to park so many domains it wouldn't surprise me if they park new domains based on domain searches. There is a clear motivation there so I always run whois in the terminal instead of searching on any domain registrar with the exception of cloud providers who don't make much of their money from domains.
I've definitely heard stories of people saying GoDaddy grabbed their domain right after they searched it. There's almost always someone following those stories saying that it was just coincidental.
I have zero trust in GoDaddy. I remember when I was kid using their service because my grandparents had bought a website and hosting services through them and they wanted me to create the site. Their interface was so confusing and I felt like I suddenly had no understanding of how computers work.
Fast forward to today, and yes, past me was not very knowledgeable, but not to the degree their site made me feel. They use custom terminology for industry standard things, group things together in weird locations, and have so many dark patterns.
My point: sleazy tactics like domain front-running would honestly be on brand. I tell people not to use GoDaddy and definitely not for domain searching.
I was shocked when I purchased a domain recently on GoDaddy (I normally use Cloudflare or AWS) and noticed that they have an 'upsell' with more security options (MFA and some other features) for something like $10/yr. Why wouldn't they want their customers to be more secure by default? To me it just reeks of money-grabbing for people that are none the wiser.
If every stolen or potentially stolen credential was billed to the breached provider at even $100/account*, SSO would become free so fast your head would spin.
Every credential in the provider's DB would be correctly seen as a liability.
* Arguably the number should be higher and contribute to an infosec response, detection, and preventative measures war chest. Though, ultimately, this would probably just enrich cybersecurity insurance firms.
SendGrid, pre-IPO, had a GoDaddy security incident: someone social engineered one of the GoDaddy support reps into giving them control of our domain. We were able to re-secure the domain before the attacker fully locked us out. They could have pwned all of our email links.
GoDaddy will have known of this investigation since it began—probably for years. So it’s 90 days from now(ish), but they (should) have gotten a head start.
I can't pass by this comment about Network Solutions without an enthusiastic second. Several times per month I help various customers with their domains, and when I see that one is with Network Solutions, I know I'm going to have to waste a bunch of time with their terrible DNS editor and will have to wait around for at least 20 minutes before their own editor reflects the changes I've made.
The worst part is that when replacing an A record with a CNAME, it lets you delete the A record but then blocks you from adding the CNAME, because "a record with that name already exists" (referring to the one that was just deleted). This is where the 20+ minute wait changes from "inconvenient" to "downtime". It's been like this for at least 15 years.
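The A-to-CNAME swap above fails because the editor checks each step against a stale view of the zone, so the delete goes through but the add is refused and the name is left empty until the view catches up. The rule being enforced is a real one (a CNAME must be the only record at its owner name, RFC 1034 §3.6.2); the problem is enforcing it per step instead of on the final state. The following is an added example written for this thread, not Network Solutions' or any registrar's code: a small zone model that validates the CNAME rule on the post-edit state and rolls back the whole batch on failure, beside a hypothetical `stale_view_editor` that reproduces the downtime window described. Names and addresses are constructed.

```python
"""Zone-edit validator with atomic batches: added example, not registrar code."""
from collections import defaultdict


class ZoneError(ValueError):
    pass


class Zone:
    """Records keyed by (owner, type). Enforces the RFC 1034 rule that a CNAME
    must be the only record at its owner name, checked on the whole zone."""

    def __init__(self, records=()):
        self.records = defaultdict(set)          # (name, type) -> set of rdata
        for name, rtype, rdata in records:
            self.records[(name.lower(), rtype.upper())].add(rdata)
        self.validate()

    def types_at(self, name):
        """Record types currently present at an owner name."""
        return {t for (n, t), v in self.records.items() if n == name.lower() and v}

    def validate(self):
        for name in {n for (n, _) in self.records}:
            types = self.types_at(name)
            if "CNAME" in types and len(types) > 1:
                raise ZoneError(f"{name}: CNAME cannot coexist with {sorted(types - {'CNAME'})}")
            if "CNAME" in types and len(self.records[(name, "CNAME")]) > 1:
                raise ZoneError(f"{name}: more than one CNAME")
        return True

    def apply(self, changes):
        """Apply ('add'|'delete', name, type, rdata) tuples as one batch.
        Only the resulting state is validated; any error rolls everything back."""
        snapshot = {k: set(v) for k, v in self.records.items()}
        try:
            for op, name, rtype, rdata in changes:
                key = (name.lower(), rtype.upper())
                if op == "add":
                    self.records[key].add(rdata)
                elif op == "delete":
                    self.records[key].discard(rdata)
                    if not self.records[key]:
                        del self.records[key]
                else:
                    raise ZoneError(f"unknown op {op!r}")
            self.validate()
        except ZoneError:
            self.records = defaultdict(set, snapshot)   # restore pre-batch state
            raise
        return self


def swap_a_for_cname(zone, name, target):
    """Replace every A record at `name` with one CNAME in a single validated batch,
    so the name is never left without records."""
    current = zone.records.get((name.lower(), "A"), set())
    changes = [("delete", name, "A", ip) for ip in current]
    changes.append(("add", name, "CNAME", target))
    return zone.apply(changes)


def stale_view_editor(zone, name, target):
    """Hypothetical model of the editor behaviour described above: the conflict
    check uses a view read before editing began, so the delete succeeds but the
    CNAME add is refused. Returns the record types left at `name`."""
    view = zone.types_at(name)                       # snapshot taken once
    current = list(zone.records.get((name.lower(), "A"), set()))
    zone.apply([("delete", name, "A", ip) for ip in current])
    if view:                                         # stale view still shows the A
        return zone.types_at(name)                   # empty: the name now resolves to nothing
    zone.apply([("add", name, "CNAME", target)])
    return zone.types_at(name)


if __name__ == "__main__":
    z = Zone([("www.example.com", "A", "192.0.2.10")])
    print(swap_a_for_cname(z, "www.example.com", "host.example.net.").types_at("www.example.com"))
    z = Zone([("www.example.com", "A", "192.0.2.10")])
    print(stale_view_editor(z, "www.example.com", "host.example.net."))
```

The same batch shape is what a practitioner wants from any DNS API: submit delete and add together, have the server validate the end state, and get either the full change or nothing. Checking each step in isolation is what turns a legitimate rule into a self-inflicted outage.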
You just brought back a fifteen year old memory. I have used a lot of hosting services but have always avoided GoDaddy. The name sounded too playful...and that was after being a Host Gator customer for years. They were decent back in the day and let me serve ridiculous amounts of data from a shared hosting tier that always performed well...I was probably the noisy neighbor.
Years ago, before I was very computer literate, my friend turned me onto Network Solutions for hosting.
Long story short I got locked out of my account. It truly seemed like the support didn't want to help me get back in. This went for what felt like forever but was probably just a few weeks. I never got a resolution and was never able to log back in to my account.
I eventually did a chargeback because I couldn't use a service that I was paying for. They were all of a sudden proactive about reaching out - with an accusatory email nonetheless. In their view, the chargeback was fraudulent.
If it wasn't for those old Super Bowl ads, GoDaddy wouldn't exist today.
Sex sells.
GoDaddy CEO's graphic elephant hunt video sends his clients flocking to competitors, and helps raise $20,000 for elephant charity:
https://www.dailymail.co.uk/news/article-1374679/GoDaddy-CEO...
GoDaddy CEO Kills Elephant:
https://www.youtube.com/watch?v=YnM5yTW2B3g
Also, check this out: https://www.butterflyave.com/
Those assholes have parked my old business name, and want to sell it back to me for $1,499.
It shows a cavalier attitude toward the greater security of the internet.
Subtle but important difference.
Also the remedies include having a complete security program within 90 days IIRC, on what world would anyone think that’s remotely possible?
They wouldn’t even have an RFP drafted in 90 days.
GoDaddy is big, safe and terrible. Network Solutions is big, safe and even worse.
Crazy.
FWIW we've used Gandi for years and very happy with it.
After that I've used spaceship.com, NameCheap's rebrand, without complaint and most recently porkbun.com due to support in dnscontrol.