πŸ³οΈβ€βš§οΈ trans rights are human rights πŸ³οΈβ€βš§οΈ
Theme

GoDaddy Lied About Security While Leaving Millions Vulnerable to Cyberattacks

FTC Complaint • Docket No. 202-3133 • United States of America

For at least seven years, GoDaddy sold “award-winning security” to five million customers while knowingly operating one of the most poorly defended server environments in the hosting industry. The FTC has the receipts.

The Non-Financial Ledger: What a Breach Actually Costs a Small Business Owner

Picture a small bakery owner in Ohio. She spent two years building her website, collecting orders online, storing customer emails. She chose GoDaddy because the ads told her an award-winning security team had her back, twenty-four hours a day, seven days a week. She paid for hosting. She paid for the peace of mind. She trusted a company worth billions to do what it promised.

She didn’t know that while she slept, a criminal had been inside GoDaddy’s servers for six months without triggering a single alarm. She didn’t know that GoDaddy’s own security logs were being stored for as little as seven days, in direct violation of GoDaddy’s own internal policies requiring a year. She didn’t know that the employees who could make administrative changes to her server environment were logging in with nothing but a username and password, no second factor, no certificate, just credentials that could be stolen and used without her or GoDaddy ever knowing.

She found out when her website started redirecting her customers to a site that accused them of copyright infringement. Or to pornography. That’s what the FTC complaint documents as the result of the December 2022 breach: real customers, visiting real small business websites hosted on GoDaddy’s servers, being sent to sites chosen by criminals.

For the 28,000 customers whose SSH credentials were stolen in the 2019-2020 breach, the experience was: a notification email, a forced password reset, and a pile of work. The FTC complaint acknowledges that affected customers spent time resetting credentials, restoring compromised websites, restoring certificates, and fielding their own customers’ concerns. None of that time gets reimbursed. None of that trust, once broken with their own customers, gets a credit line on their GoDaddy invoice.

For the 1.2 million customers whose data was pulled through that unsecured API in November 2021, including email addresses, private encryption keys, WordPress admin credentials, database credentials, and file transfer credentials, the damage was invisible and immediate. Those credentials handed criminals the keys to alter website content, steal customer data, or install malware on sites that thousands of ordinary people visit without any idea they are interacting with a GoDaddy-hosted property.

Visitors to compromised GoDaddy customer sites are the most invisible victims in this story. The FTC complaint is explicit: in most cases, consumers who visit a GoDaddy customer’s site have no idea they are interacting with something hosted by GoDaddy. They are unknowing passengers in a vehicle whose brakes GoDaddy quietly decided not to check.

The FTC describes the likely harms bluntly: viruses installed on personal computers, theft of personal and financial information, ransomware attacks, identity theft, and, quote, “at a minimum, significant time spent remediating computer viruses.” That last phrase is doing a lot of work. “At a minimum.” Meaning even in the best case, someone’s grandmother spent hours on the phone with tech support because a bakery website she visited was secretly infected, because GoDaddy didn’t use file integrity monitoring, because that was a cost GoDaddy chose not to incur.

Eight Ways GoDaddy Failed Its Customers: The Full Breakdown

The FTC complaint documents eight distinct categories of security failure spanning at least January 2018 through the filing of the complaint. Each failure on its own would be a serious lapse for a company hosting five million customers’ websites. Together, they describe an environment where basic security hygiene was systematically neglected.

  • Asset blindness: As of September 2020, GoDaddy’s asset tracking database had visibility into only approximately 15,000 of the roughly 450,000 devices it ultimately identified. The company had no formal documented asset management process and spread its tracking across multiple tools with no unified view.
  • Patch management collapse: Prior to 2020, patching was delegated to individual business unit staff with no central mechanism to verify compliance. As a result, available security patches were frequently not installed, leaving known critical vulnerabilities open across the environment for extended periods.
  • 30,000 end-of-life servers: By fall 2019, GoDaddy had 30,000 servers in the Shared Hosting environment running software that vendors had stopped patching entirely. GoDaddy had no plan to address these servers and no central system to track where they were located. Some of these servers were inherited when GoDaddy acquired a European hosting company called Host Europe Group and made its subsidiary responsible for their security.
  • No proactive threat monitoring: Until Spring 2020, GoDaddy only performed manual, ad hoc reviews of server logs. Its Security Incident and Event Manager was not configured to detect or alert on security events until Spring 2020, and as of Spring 2022 had still not been fully integrated across the Shared Hosting environment.
  • No file integrity monitoring: File integrity monitoring detects when server files are replaced with malicious versions. GoDaddy did not use it. This is exactly the gap the 2019-2020 threat actor exploited to replace application files on 45,000 servers and implant credential-harvesting code without being noticed.
  • No multi-factor authentication: Until after the March 2020 breach discovery, GoDaddy did not require multi-factor authentication for privileged employee logins to the hosting environment. When the 2019-2020 threat actor stole 199 employee SSH credentials, those credentials were all that was needed to make administrative changes to the entire environment. GoDaddy also never offered MFA as an option to customers for their own administration logins.
  • Network segmentation failure: Until at least April 2020, GoDaddy connected its Shared Hosting environment to its Customer-Managed Hosting environment through a type of specialized server configured to allow bidirectional communication. Customer-Managed Hosting customers are responsible for their own patching, meaning GoDaddy had no control over their security posture. GoDaddy documented no policy against this configuration, no risk assessment, and no compensating controls. The 2019 threat actor exploited exactly this pathway to move from the Customer-Managed environment into the Shared Hosting environment.
  • Unsecured API with plaintext credentials: GoDaddy built an internet-facing API for its Managed WordPress service that could return customer email addresses, private encryption keys, WordPress admin passwords, database credentials, and file transfer credentials. This API transmitted login credentials in unencrypted plaintext before February 2022, used sequential customer ID numbers, required no multi-factor authentication, had no application firewall, no rate-limiting, and no anomaly detection.
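
The "no file integrity monitoring" failure above is easier to grasp with a concrete control in hand. The following Python script is an added example written for this article, not GoDaddy's tooling and not anything taken from the FTC complaint. It hashes every file under a web root, stores the baseline as JSON outside the monitored tree, and on the next run reports which files were replaced in place, added, or removed. The directory layout, file names and baseline path are constructed for the demonstration.

```python
"""Minimal file integrity monitoring (FIM): baseline a directory, then detect drift.
Added example for this article; the web root contents and baseline path are
constructed, not taken from any real deployment."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 digest of a file, read in chunks to cope with large files."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict[str, str], path: Path) -> None:
    """Persist the baseline. In production keep it off-host or read-only, so an
    intruder who can overwrite application files cannot also rewrite the baseline."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift: replaced (same path, different content), added, removed."""
    return {
        "replaced": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a tiny web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "lib").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'welcome'; ?>\n")
        (root / "lib" / "login.php").write_text("<?php // handles sign-in ?>\n")

        baseline_path = Path(tmp) / "baseline.json"  # deliberately outside webroot
        save_baseline(build_baseline(root), baseline_path)

        # Simulate the scenario the article describes: an application file is
        # overwritten in place (same name, new content) and an unexpected file appears.
        (root / "lib" / "login.php").write_text("<?php // handles sign-in (modified) ?>\n")
        (root / "lib" / "extra.php").write_text("<?php // not part of any release ?>\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule (or from an inotify-style watcher), the "replaced" list is the alert that was missing in the 2019-2020 incident: a known application file whose content no longer matches the release. Baselines must be refreshed as part of the deployment pipeline, otherwise every legitimate update looks like tampering and the alerts get ignored.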

“GoDaddy could have remediated its failures using well-known and low-cost technologies and techniques.” – FTC Complaint, Paragraph 35

Compliance vs. Reality: How GoDaddy’s Security Program Was Supposed to Work vs. What the FTC Found

  • Asset inventory. Required by law / industry standard: full asset inventory tracked centrally, all ~450,000 devices documented. What GoDaddy actually did: visibility into ~15,000 of ~450,000 devices as of Sept 2020 (97% of network invisible).
  • Patching. Required: critical patches applied within 30 days, centrally tracked and verified. Actual: delegated to business units, unverified; 30,000 end-of-life servers with no plan.
  • Multi-factor authentication. Required: MFA for all privileged admin logins. Actual: username + password only, until after the March 2020 breach.
  • Log retention. Required: security logs retained for 1+ year (GoDaddy’s own written policy). Actual: some logs kept 7 days, some not at all, violating its own internal policy.
  • File integrity monitoring. Required: deployed, to detect unauthorized file replacement. Actual: never deployed in Shared Hosting; 45,000 servers had files silently replaced.
  • API security. Required: certificates, MFA, application firewall, encrypted traffic enforced. Actual: plaintext credentials, no MFA, no firewall; sequential IDs enabled mass harvesting.
  • Environment isolation. Required: Shared and Customer-Managed environments isolated, no cross-contamination paths. Actual: bridged via bidirectional servers until Apr 2020; exploited in the Oct 2019 breach.
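
The API row above (and the "Unsecured API" failure in the list of eight) names two controls the FTC says were absent, rate limiting and anomaly detection, and one design choice, sequential customer IDs, that made their absence costly. The Python below is an added example written for this article, not GoDaddy's code and not from the complaint; the log format, endpoint path, IP addresses and thresholds are constructed. It parses a small access-log excerpt, flags any source that walks a run of consecutive customer IDs (the detection GoDaddy lacked), and replays the same traffic through a per-source sliding-window limiter to show how many of those requests a basic rate limit would have refused.

```python
"""Detecting customer-ID enumeration in API access logs, plus the rate limit that
would have throttled it. Added example for this article; every log line, address
and threshold here is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed access-log excerpt. 203.0.113.5 walks consecutive customer IDs once
# per second; 198.51.100.7 behaves like a legitimate client reading its own record.
SAMPLE_LOG = """\
2021-11-17T03:12:00Z 203.0.113.5 GET /api/v1/customers/1001/site-config 200
2021-11-17T03:12:01Z 203.0.113.5 GET /api/v1/customers/1002/site-config 200
2021-11-17T03:12:02Z 203.0.113.5 GET /api/v1/customers/1003/site-config 200
2021-11-17T03:12:03Z 203.0.113.5 GET /api/v1/customers/1004/site-config 200
2021-11-17T03:12:04Z 203.0.113.5 GET /api/v1/customers/1005/site-config 200
2021-11-17T03:12:05Z 203.0.113.5 GET /api/v1/customers/1006/site-config 200
2021-11-17T03:12:06Z 203.0.113.5 GET /api/v1/customers/1007/site-config 200
2021-11-17T03:12:07Z 203.0.113.5 GET /api/v1/customers/1008/site-config 200
2021-11-17T03:15:00Z 198.51.100.7 GET /api/v1/customers/2050/site-config 200
2021-11-17T03:15:30Z 198.51.100.7 GET /api/v1/customers/2050/site-config 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ /api/v1/customers/(\d+)/\S+ (\d{3})$")


def parse_log(text: str) -> list[tuple[datetime, str, int, int]]:
    """Turn log lines into (timestamp, source, customer_id, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in another format instead of failing
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return events


def find_enumerators(events, window=timedelta(seconds=60), min_ids=5) -> dict:
    """Flag sources that read >= min_ids distinct customer IDs inside one window
    where the IDs form an almost consecutive run. A legitimate client has no
    reason to fetch a run of neighbouring customers' records."""
    by_source = defaultdict(list)
    for ts, src, cid, _status in events:
        by_source[src].append((ts, cid))
    flagged = {}
    for src, hits in by_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = sorted({cid for ts, cid in hits[i:] if ts - start <= window})
            if len(ids) < min_ids:
                continue
            steps_of_one = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps_of_one >= len(ids) - 2:  # tolerate a couple of gaps
                flagged[src] = {"distinct_ids": len(ids), "first_id": ids[0], "last_id": ids[-1]}
                break
    return flagged


class SlidingWindowLimiter:
    """Per-source cap: at most max_requests accepted per rolling window."""

    def __init__(self, max_requests: int, window: timedelta):
        self.max_requests = max_requests
        self.window = window
        self.accepted = defaultdict(deque)  # source -> timestamps of accepted requests

    def allow(self, src: str, ts: datetime) -> bool:
        q = self.accepted[src]
        while q and ts - q[0] > self.window:
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= self.max_requests:
            return False  # would be answered 429 Too Many Requests
        q.append(ts)
        return True


def replay_with_limit(events, max_requests=3, window=timedelta(seconds=60)) -> dict:
    """Count, per source, how many requests the rate limit would have rejected."""
    limiter = SlidingWindowLimiter(max_requests, window)
    rejected = defaultdict(int)
    for ts, src, _cid, _status in events:
        if not limiter.allow(src, ts):
            rejected[src] += 1
    return dict(rejected)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration suspects:", find_enumerators(evs))
    print("requests a 3-per-minute limit would have blocked:", replay_with_limit(evs))
```

Neither control is exotic: the limiter is a few lines in front of any handler, and the enumeration check is a query over logs that already exist, provided those logs are kept longer than seven days. Replacing sequential customer IDs with random identifiers would have removed the easy walk entirely, which is why the complaint lists the ID scheme alongside the missing controls.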

Societal Impact: The Full Radius of Damage

Public Health and Digital Safety

The harms documented in this case extend far beyond GoDaddy’s direct customers. Every person who visited any website hosted on GoDaddy’s compromised Shared Hosting environment was potentially exposed without any knowledge or consent.

  • Visitors to compromised customer websites were exposed to malicious code that the FTC says is “likely to subject visitors to viruses or other compromises of their personal computers.” The FTC describes this as a documented, probable outcome, not a hypothetical one.
  • Visitors redirected by the December 2022 breach were sent to sites featuring pornography or false copyright infringement accusations. These redirects happened silently, with no warning to the visitor and no way to avoid them.
  • Credit and debit card numbers were actively captured during the 2019-2020 breach. The FTC documents that a threat actor replaced server files with versions that scanned transaction traffic for card data, capturing approximately 1,000 card numbers from transactions processed through the Shared Hosting environment.
  • The FTC explicitly lists ransomware attacks and identity theft as likely downstream consequences of the environment access these threat actors obtained, harms that could affect individuals for years and are extremely difficult to reverse.
  • GoDaddy’s own 2018 blog post, cited in the complaint, describes “mailer script infections” that expose contact form data and “user authentication” vulnerabilities as known threats. GoDaddy was publicly documenting threats it was simultaneously failing to protect against.

Economic Inequality

GoDaddy’s Shared Hosting service is specifically described in the FTC complaint as targeted at small businesses. This is a critical detail. The customers with the least capacity to absorb a breach, to hire IT response teams, or to rapidly restore their digital presence are the ones GoDaddy failed hardest.

  • Small business customers spent uncompensated hours resetting credentials, restoring compromised websites, rekeying SSL certificates, and managing their own customers’ concerns after GoDaddy’s breaches. The FTC acknowledges this time and effort cost directly.
  • The search engine optimization fraud enabled by the November 2021 breach directly attacked the economic visibility of small business websites. Attackers installed code that hijacked their search rankings, redirecting search engine credit to third-party sites, potentially destroying months of organic SEO work that small businesses cannot afford to rebuild with paid advertising.
  • The asymmetry of information is a documented harm in this case. The FTC states explicitly that “Shared Hosting customers do not know detailed information about GoDaddy’s security controls.” GoDaddy held all the information and all the power. Small business owners had no way to audit or verify GoDaddy’s security claims. They could only trust the advertising.
  • GoDaddy certified Privacy Shield compliance to the U.S. Department of Commerce in January 2017 and annually recertified thereafter, a process that reassured European customers their data met EU-level protections. The FTC’s complaint establishes this certification was false, meaning European small businesses and individuals who relied on those protections to do business with GoDaddy’s customers were also deceived.
  • The November 2021 breach exposed nearly 700,000 U.S. customers’ credentials. For each of those customers, the remediation cost: changing WordPress admin passwords, database passwords, SFTP credentials, rekeying SSL certificates, and reviewing whether their own customer data had been accessed. None of this labor was borne by GoDaddy’s executives. It was borne by the small businesses and individuals who trusted them.

Who Bears the Risk: The GoDaddy Harm Chain

  • GoDaddy Inc. (parent corporation / defendant) wholly owns GoDaddy.com, LLC (subsidiary / defendant), which operates the Shared Hosting environment: unpatched, unmonitored, repeatedly breached.
  • Small businesses (~5M customers; paid for security) absorb credential theft, SEO fraud, site defacement, and uncompensated labor.
  • Website visitors (unknown exposure; no GoDaddy notice) absorb malware / viruses, card theft, identity theft, and ransomware risk.

The “Cost of a Life” Metric: Putting the Scale in Perspective

What Now? How to Hold GoDaddy Accountable and Protect Yourself

The FTC has filed this complaint, but a complaint is the beginning of a process, not the end of one. Here is who holds power here and what you can do with yours.

GoDaddy Leadership on Record

  • GoDaddy’s CEO made the public statement that “data protection, security and privacy are at the core of everything we do,” a claim the FTC’s complaint directly contradicts with documented evidence. The complaint names GoDaddy Inc. and GoDaddy.com, LLC, both headquartered at 100 South Mill Avenue, Suite 1600, Tempe, Arizona 85281.
  • GoDaddy Inc. is the parent corporation. Its leadership made the decision to acquire Host Europe Group and assign GoDaddy.com responsibility for HEG’s server security, directly introducing 30,000 unpatched servers into the Shared Hosting environment.

Regulatory Watchlist

  • Federal Trade Commission (FTC): The agency that filed this complaint. They accept consumer complaints at ReportFraud.ftc.gov. If you are a GoDaddy customer and believe you were harmed by their security failures, filing a consumer complaint directly feeds the FTC’s enforcement record.
  • U.S. Department of Commerce: Administers the Privacy Shield self-certification program. GoDaddy certified compliance annually since 2017 with the EU-U.S. framework and since 2018 with the Swiss-U.S. framework. The FTC’s complaint establishes these certifications were false.
  • State Attorneys General: Many states have their own consumer protection and data breach notification laws. If you were among the nearly 700,000 U.S. customers exposed in the 2021 breach, your state AG’s office may have jurisdiction to act independently of the FTC.
  • Internet Crime Complaint Center (IC3): The FBI’s cybercrime reporting portal at ic3.gov. If your business was directly impacted by credential theft, website compromise, or financial fraud traceable to these incidents, a federal cybercrime report creates a paper trail that supports broader investigation.

What You Can Do Right Now

  • If you are a current GoDaddy Shared Hosting customer: Audit your current credentials. Change your WordPress admin password, database password, and SFTP credentials. Enable any available MFA options on your account. Check whether your SSL certificate was issued or reissued after November 2021. Do not assume GoDaddy’s remediation was complete.
  • If you were a GoDaddy customer between 2019 and 2022: You may be entitled to participate in any settlement or enforcement action that results from the FTC complaint. Monitor the FTC’s public docket at ftc.gov for case updates under Docket No. 202-3133.
  • If you are a small business owner: Treat your hosting provider’s security claims as advertising, not as guarantees. Ask any provider directly: Do you use multi-factor authentication for employee admin access? Do you deploy file integrity monitoring? How long do you retain security logs? If they cannot answer clearly, that tells you something.
  • Organize with other affected business owners: Small business associations, local chambers of commerce, and sector-specific trade groups are pressure points. Collective public statements from affected small businesses carry weight that individual consumer complaints often do not.
  • Support data security advocacy organizations: Groups pushing for stronger mandatory security standards for large hosting providers, not voluntary certifications that companies can claim without enforcement, need public support to build legislative pressure for binding minimum standards.

The source document for this investigation is attached below.

The FTC has a press release about this scandal involving GoDaddy on their website: https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-godaddy-alleged-lax-data-security-its-website-hosting-services

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
