GoDaddy Failed to Secure Millions of Customer Websites for Years
The FTC alleges GoDaddy neglected basic security practices from 2018 to 2022, enabling hackers to breach customer websites repeatedly, steal credentials and financial data, and expose millions to malware and fraud.
GoDaddy, one of the world’s largest web hosting companies with approximately 5 million customers, marketed itself as a secure choice with award-winning security and 24/7 monitoring. The FTC alleges that from 2018 through late 2022, GoDaddy failed to implement standard security measures like consistent software patching, multi-factor authentication, adequate logging, threat monitoring, and network segmentation. These failures allegedly enabled hackers to breach GoDaddy’s systems repeatedly between 2019 and December 2022, compromising approximately 28,000 customer credentials, stealing roughly 1,000 credit card numbers, accessing data for 1.2 million customers, and turning legitimate websites into vectors for malware and fraud. GoDaddy customers and website visitors bore the costs through stolen data, business disruption, remediation expenses, and exposure to identity theft and malware.
This case shows how corporate security promises can ring hollow when profit pressures override investment in protecting customer data.
The Allegations: A Breakdown
| 01 | GoDaddy failed to adequately inventory and manage computer assets in its hosting environment. As of September 2020, GoDaddy had visibility into only approximately 15,000 devices out of approximately 450,000 it ultimately identified. The company did not formally define or document its asset management processes and failed to centrally track and inventory software. | high |
| 02 | GoDaddy failed to centrally track whether operating systems and other software were current with necessary security patches until 2022. The company relied on various product teams to install patches with no means to centrally track whether they had done so. As a result, GoDaddy’s installation of patches was inconsistent, and available patches for critical vulnerabilities often went uninstalled. | high |
| 03 | As of fall 2019, GoDaddy had 30,000 end-of-life servers in the Shared Hosting environment with no plan to address them and no central way to track where they were. These servers no longer received security patches from software providers, leaving them vulnerable to known exploits. | high |
| 04 | GoDaddy failed to conduct regular penetration testing for the Shared Hosting environment. Since 2015, GoDaddy conducted a single penetration test for each segment of the Shared Hosting environment, which failed to identify critical vulnerabilities that attackers later exploited. | high |
| 05 | Until at least 2020, GoDaddy’s logging of security events was ad hoc and inconsistent, and its practices did not follow its written policies. GoDaddy failed to consistently store logging data in its central repository and failed to consistently retain logs long enough to enable investigation. In some cases, logs were retained for only seven days or not at all, violating GoDaddy’s own policies requiring at least one year retention. | high |
| 06 | GoDaddy’s security incident and event manager was not set up to detect and alert on potential security events until Spring 2020. Prior to 2020, GoDaddy performed only manual, ad hoc reviews of logs. As of Spring 2022, GoDaddy still had not fully integrated the SIEM’s detection and alerting capabilities across the Shared Hosting environment. | high |
| 07 | GoDaddy does not use file integrity monitoring in the Shared Hosting environment. File integrity monitoring compares operating system and application files against known benchmarks to detect unauthorized changes. This failure allowed attackers to replace legitimate files with malicious versions on tens of thousands of servers without detection. | high |
| 08 | Until after discovering a breach in March 2020, GoDaddy did not require multi-factor authentication for privileged employee administrative logins to the environment. GoDaddy also has not offered MFA as an option to customers for their administrative logins to some services like cPanel. | high |
| 01 | GoDaddy certified its compliance with EU-U.S. Privacy Shield in January 2017 and Swiss-U.S. Privacy Shield in August 2018, and has annually recertified since. These frameworks require organizations to take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorized access. | high |
| 02 | Since March 2018, GoDaddy has represented to consumers in its privacy policy that it participates in and has certified its compliance with the Privacy Shield frameworks. Since February 2021, GoDaddy has stated publicly that it has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. | medium |
| 03 | The FTC alleges GoDaddy has not adhered to the Security Principle of the Privacy Shield frameworks, making its representations of compliance false or misleading. The Privacy Shield frameworks warn that failure to fully implement the Principles is enforceable under Section 5 of the Federal Trade Commission Act. | high |
| 04 | GoDaddy failed to adequately segment its Shared Hosting environment from less-secure portions of its network. Until at least April 2020, GoDaddy connected its Shared Hosting and Customer-Managed Hosting environments through specialized servers configured to allow bidirectional communication. GoDaddy did not maintain any policy prohibiting this configuration, document its risks, or implement additional security controls. | high |
| 05 | For its Managed WordPress service, GoDaddy created an internet-facing API that enables access to sensitive customer information but does not require multi-factor authentication and is not secured with certificates. Prior to February 2022, the API failed to force connections to encrypt web traffic, meaning login credentials could be transmitted unencrypted. | high |
| 06 | The API used basic authentication, which sends unobscured, plaintext login credentials during the authentication process. GoDaddy failed to implement supplemental security controls for the API, such as restricting access using an application firewall, rate-limiting connections, or alerting on anomalies. | high |
| 01 | GoDaddy marketed itself since at least 2015 as a secure choice for customers to host their websites, touting its commitment to data security and careful threat monitoring practices. The company used phrases like award-winning security, 24/7 meticulous monitoring, and claimed that data protection, security and privacy are at the core of everything we do. | high |
| 02 | Despite its marketing promises, GoDaddy’s data security program was unreasonable for a company of its size and complexity. GoDaddy was blind to vulnerabilities and threats in its hosting environment because it failed to implement standard security tools and practices. | high |
| 03 | When GoDaddy Inc. acquired European hosting company Host Europe Group, it made GoDaddy.com responsible for HEG’s security. Many of HEG’s servers were no longer receiving security patches for their software, introducing security risks into GoDaddy.com’s Shared Hosting environment that the company failed to adequately address. | medium |
| 04 | GoDaddy did not begin to install endpoint detection and response tools in the Shared Hosting environment until October 2022, years after the first major breaches. As of the complaint date, GoDaddy still has not fully implemented this solution. | medium |
| 05 | GoDaddy has not made it a regular practice to conduct threat hunting as part of its ongoing security program. Threat hunting involves proactively searching for threats that may be undetected in a network, a standard practice for organizations of GoDaddy’s scale. | medium |
| 01 | GoDaddy’s Shared Hosting customers spent time and effort protecting themselves from the consequences of GoDaddy’s security failures, including time spent resetting account credentials, restoring compromised websites and certificates, addressing their own customers’ concerns, and other remediation efforts. | high |
| 02 | Some customers had payment card data stolen directly. Attackers captured approximately 1,000 card numbers that customers were processing in the Shared Hosting environment, contrary to GoDaddy’s terms of use. | high |
| 03 | Customers faced potential business harm from website downtime, malicious redirects driving traffic away, and damage to their reputation. The typical customers of GoDaddy’s Shared Hosting services are small businesses who rely on their online presence. | high |
| 04 | Visitors to compromised websites were unknowingly exposed to risks. Attackers could install malware to steal visitors’ personal or financial information, potentially leading to identity theft, financial fraud, or costly ransomware attacks. | high |
| 05 | Shared Hosting customers cannot avoid the consequences of GoDaddy’s security failures. Customers do not know detailed information about GoDaddy’s security controls, including which security controls or tools GoDaddy does not use in its Shared Hosting environment. | high |
| 06 | Consumers who visit GoDaddy customers’ sites are unaware that they are interacting with a site or service hosted by GoDaddy. In most cases, they have no way to avoid the consequences of GoDaddy’s security failures. | medium |
| 07 | The harm that GoDaddy’s security failures have caused or are likely to cause is not offset by countervailing benefits to consumers or competition. GoDaddy could have remediated its failures using well-known and low-cost technologies and techniques. | high |
| 01 | The compromises left consumers vulnerable to having attackers alter GoDaddy customers’ websites in ways that harm their businesses, install malware to steal sensitive information, and implant malicious code on websites that harms consumers visiting those sites. | high |
| 02 | Malicious code on compromised websites is likely to subject visitors to viruses or other compromises of their personal computers. This in turn is likely to lead to theft of consumers’ personal or financial information and other harm, such as ransomware attacks and identity theft. | high |
| 03 | Threat actors can redirect unsuspecting website visitors to malicious websites, as they did in the December 2022 compromise. These sites can be set up to steal personal or financial information, leading to identity theft or financial fraud. | high |
| 04 | In the December 2022 breach, attackers redirected some visitors to customers’ websites to sites of the attacker’s choosing, including websites claiming the customer had committed copyright infringement and websites featuring pornography. | medium |
| 05 | The threat actors who compromised the Shared Hosting environment had access to any confidential information that GoDaddy’s affected customers maintained in the environment, including any personally identifiable information they maintained on or on behalf of their own customers. | high |
| 01 | Small businesses, which form the backbone of local economies and increasingly rely on online platforms, were directly harmed by GoDaddy’s security failures. Their ability to operate securely and maintain customer trust was undermined. | high |
| 02 | The compromises risked turning legitimate websites into vectors for malware and fraud, polluting the broader internet ecosystem and eroding user trust. When a major hosting provider fails to secure its infrastructure, it impacts not just its direct customers but potentially millions of internet users. | high |
| 03 | In the November 2021 breach, a threat actor queried an insecure API for 1.2 million customers’ data, including data of nearly 700,000 customers in the United States. The attacker accessed email addresses, private encryption keys, and multiple types of login credentials. | high |
| 04 | The threat actor in the November 2021 breach used stolen credentials to commit search engine optimization fraud by installing a webshell to some customers’ WordPress websites. The webshell allowed the attacker to implant code that falsely told search engines that clicks on the compromised site were for a different website. | medium |
| 05 | The cumulative effect of GoDaddy’s security failures is a less safe, less reliable online environment for everyone. The compromises treat the digital commons as insecure territory. | high |
| 01 | In October 2019, a threat actor gained access to the Shared Hosting environment and remained undetected for six months. The attacker likely exploited an unpatched vulnerability in the customer-managed environment, then moved laterally into shared hosting through poorly segmented servers. GoDaddy lacked the monitoring to detect this intrusion proactively. | high |
| 02 | In April 2020, a security firm discovered that application files in approximately 45,000 cPanel servers had been replaced with malicious versions that recorded customer login information. The threat actor compromised approximately 28,000 customer SSH credentials and 199 employee SSH credentials. | high |
| 03 | As GoDaddy attempted to remove the threat actor’s access during the 2020 breach, the attacker pivoted techniques and began replacing a different type of server file. The malicious version scanned traffic for credit or debit card information, ultimately capturing approximately 1,000 card numbers. | high |
| 04 | In December 2022, GoDaddy discovered that a threat actor, believed to be the same one from 2019-2020, had again compromised parts of its cPanel service. The attacker used a compromised file that GoDaddy had not removed when remediating the previous compromise, demonstrating inadequate cleanup. | high |
| 05 | Due to insufficient security monitoring, GoDaddy failed to proactively detect the December 2022 compromise and was instead alerted by customer inquiries. This was the third time GoDaddy failed to detect a breach through its own monitoring systems. | high |
| 06 | Because of its limited logging practices during the November 2021 breach, GoDaddy was unable to determine which data elements the threat actor accessed for each of the 1.2 million customers whose records were queried. | medium |
| 07 | During the 2019-2020 investigation, GoDaddy’s security team discovered that over one-third of the 254 specialized servers connecting different environments were running software with known vulnerabilities. The threat actor had exploited these vulnerabilities to replace server files with malicious versions on seventeen of them, exactly the type of activity that file integrity monitoring is designed to detect. | high |
| 08 | Due to insufficient logging and monitoring during the 2019-2020 breach, GoDaddy was unable to determine how the threat actor initially gained entry to the environment. This prevented the company from fully understanding and closing the attack vector. | medium |
| 01 | GoDaddy marketed its services with claims of award-winning security and stated that its security team is on the job 24/7 to meticulously monitor, thwart suspicious activity and deflect DDoS attacks. The company promised 24/7 network security monitored around the clock. | high |
| 02 | GoDaddy’s Trust Center featured a quote attributed to its Chief Executive Officer stating that data protection, security and privacy are at the core of everything we do. The company claimed it was committed to security and built its infrastructure to protect against all threats. | high |
| 03 | GoDaddy represented that its monitoring and detection mechanisms are built to prevent threats before they ever impact you or your customers. The company marketed itself as seriously secure and ridiculously fast. | high |
| 04 | GoDaddy stated that hackers, malware, social engineering, and phishing are countless ways your data can end up in the wrong hands, and claimed we built our infrastructure to protect against all of them, from the moment you hit our site. | high |
| 05 | The FTC alleges these representations were false or misleading. GoDaddy lacked the robust monitoring, patching, access controls, and overall security maturity claimed in its marketing and policies. | high |
| 06 | The gap between GoDaddy’s external messaging and internal practice is central to the allegations of deceptive practices under Section 5 of the Federal Trade Commission Act. | high |
| 01 | The threat actor in the 2019-2020 breach remained in GoDaddy’s Shared Hosting environment for six months before being discovered. During this time, GoDaddy was not alerted by any of its security tools or monitoring systems despite the attacker being actively present. | high |
| 02 | GoDaddy was only prompted to search for compromise in March 2020 when a threat actor’s actions caused GoDaddy’s front page website to go down. This website interruption, not GoDaddy’s monitoring systems, led the company to hire an outside security firm. | high |
| 03 | The installation of software that would enable GoDaddy to centrally view and manage patch status across the majority of the environment was not complete until December 2021, more than a year after discovering the major 2020 security compromise. | medium |
| 04 | From 2020 to the present, GoDaddy reduced its number of end-of-life systems and acquired extended patch support for a third of those, but as of the complaint date it has not entirely resolved the issue of running unsupported systems. | medium |
| 05 | In the November 2021 breach, GoDaddy was alerted to a compromise of its WordPress Managed Hosting service by a spike in customer inquiries, not by its own security monitoring systems. This reactive discovery delayed response and remediation. | high |
| 01 | Even after the compromises of its environment between 2019 and December 2022, GoDaddy continues to struggle to gain visibility into its hosting environment and adequately monitor it for threats. The systemic nature of the security failures suggests deep-rooted organizational problems. | high |
| 02 | GoDaddy’s security failures enabled threat actors to gain a level of access to the Shared Hosting environment that they are likely to use to harm consumers in the future, regardless of the specific mode they choose. The underlying vulnerabilities create ongoing risk. | high |
| 03 | The FTC alleges that since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats. | high |
| 04 | The acts and practices of GoDaddy alleged in the complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. | high |
| 05 | GoDaddy’s failure to employ reasonable and appropriate measures to protect the Shared Hosting environment from unauthorized access has caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits and is not reasonably avoidable by consumers. | high |
Direct Quotes from the Legal Record
“Award-winning security. It’s hard to believe anyone would want to harm your website, but they do. Thankfully, our security team is on the job 24/7 to meticulously monitor, thwart suspicious activity and deflect DDoS attacks.”
💡 This marketing claim of meticulous 24/7 monitoring directly contradicts the reality that GoDaddy failed to detect breaches for months and was repeatedly alerted by customer complaints
“Data protection, security and privacy are at the core of everything we do.”
💡 This statement from GoDaddy’s CEO appears in the Trust Center but is contradicted by years of alleged failures in basic security practices
“Our monitoring and detection mechanisms are built to prevent threats before they ever impact you or your customers.”
💡 This promise of prevention was allegedly false as GoDaddy failed to detect any of the major breaches proactively and threat actors remained in systems for months
“Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment.”
💡 The FTC’s characterization shows GoDaddy lacked basic visibility into its own systems despite operating hundreds of thousands of servers
“As of September 2020, GoDaddy only had visibility into approximately 15,000 devices, out of approximately 450,000 it ultimately identified when it fully populated its CMDB over 2020 and 2021.”
💡 GoDaddy could only see 3% of its actual infrastructure as late as September 2020, explaining how attackers could operate undetected
“Prior to 2020, GoDaddy’s security policy required critical security patches to be installed within 30 days. But, up until 2022, it relied on various product teams to install patches with no means to centrally track whether they had done so.”
💡 Having a policy is meaningless without enforcement; GoDaddy’s failure to track compliance left systems vulnerable to known exploits for years
“As of the fall of 2019, GoDaddy had 30,000 end-of-life servers in the Shared Hosting environment, with no plan to address them, and no central way to track where they were.”
💡 30,000 servers no longer receiving security patches represents a massive attack surface that GoDaddy allowed to persist
“At this point, the initial threat actor had been in the Shared Hosting environment for six months, yet GoDaddy had not been alerted by any of its security tools or monitoring systems.”
💡 Despite promises of 24/7 meticulous monitoring, GoDaddy’s systems provided no alert during a six-month active intrusion
“The threat actor had exploited these vulnerabilities to replace server files with malicious versions on seventeen of them, exactly the type of activity that file integrity monitoring is designed to detect.”
💡 GoDaddy’s failure to implement a standard security control allowed attackers to replace legitimate files with malware on thousands of servers undetected
“The threat actor was able to replace one type of file with a malicious version on approximately 45,000 cPanel servers. The threat actor compromised approximately 28,000 customer SSH credentials and 199 employee SSH credentials.”
💡 The massive scale of compromise demonstrates both the depth of access attackers gained and the failure of GoDaddy’s security monitoring
“The malicious version of the new file type scanned traffic to the server for credit or debit card information, ultimately capturing approximately 1,000 card numbers that customers were processing in the Shared Hosting environment, contrary to GoDaddy’s terms of use.”
💡 Attackers pivoted to financial theft when GoDaddy attempted remediation, and customers were processing card data against terms of service
“The API does not require MFA, and GoDaddy has not secured connections to the API with certificates, which is a standard practice to ensure that only authorized users or services connect to it.”
💡 An internet-facing API providing access to sensitive customer data lacked multiple layers of standard security controls
“The API used an authentication method called basic authentication, which sends unobscured, plaintext login credentials during the authentication process.”
💡 Sending login credentials in plaintext over the internet is a fundamental security failure that exposes credentials to interception
“The threat actor queried the API for 1.2 million customers’ data, including data of nearly 700,000 customers in the United States.”
💡 The insecure API allowed a single attacker to access data for over a million customers because GoDaddy used sequential customer IDs
“Because of its limited logging practices, GoDaddy was unable to determine which data elements the threat actor accessed for each customer.”
💡 Poor logging meant GoDaddy couldn’t tell 1.2 million customers exactly what data was stolen about them, leaving them unable to properly protect themselves
“In December 2022, GoDaddy discovered that a threat actor—who GoDaddy believes to be the same threat actor from the 2019-2020 compromise of its cPanel service—had again compromised parts of its cPanel service.”
💡 The return of the same attacker using a file missed during remediation shows GoDaddy failed to adequately clean up after the first breach
“Due to its insufficient security monitoring, GoDaddy again failed to proactively detect this compromise, and was instead alerted by customer inquiries.”
💡 For the third time, GoDaddy’s monitoring systems failed and the company learned of a breach from customers, not its security tools
“SECURITY [Principle 4]: (a) Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.”
💡 GoDaddy certified compliance with this principle while allegedly failing to implement reasonable security, making its certification false
“GoDaddy’s customers and other consumers could not avoid this harm, and it is not outweighed by benefits to consumers or competition.”
💡 Consumers had no way to protect themselves from GoDaddy’s security failures because they lacked visibility into GoDaddy’s practices
“Even after these compromises of its environment, GoDaddy continues to struggle to gain visibility into its hosting environment and adequately monitor it for threats.”
💡 As of the complaint date, GoDaddy still had not fully resolved the fundamental security deficiencies that enabled the breaches
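The anomaly alerting that the complaint says was missing from the Managed WordPress API can be sketched as a detector for one client walking through many customer records in a short window. This is an added example, not GoDaddy's code or anything from the complaint; the log layout, the `/v1/customers/<id>` path, the thresholds and the sample lines (documentation IP ranges) are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed access-log layout (hypothetical):
# "<UTC timestamp> <client ip> GET /v1/customers/<id> <status>"
LINE = re.compile(r"^(\S+) (\S+) GET /v1/customers/(\d+) (\d{3})$")


def parse(line):
    """Return (timestamp, client, customer_id), or None for lines that do not match."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), int(m.group(3))


def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    ordered = sorted(ids)
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect(lines, window=timedelta(seconds=60), max_distinct=5, max_run=4):
    """Flag clients that touch too many distinct or consecutive IDs within the window.

    Lines are expected in time order per client, as in an append-only access log.
    """
    recent = defaultdict(deque)  # client -> (timestamp, customer_id) inside the window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, cid = rec
        q = recent[client]
        q.append((ts, cid))
        while ts - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        ids = {c for _, c in q}
        run = longest_run(ids)
        if len(ids) > max_distinct or run > max_run:
            a = alerts.setdefault(
                client, {"first_alert": ts, "distinct_ids": 0, "longest_run": 0})
            a["distinct_ids"] = max(a["distinct_ids"], len(ids))
            a["longest_run"] = max(a["longest_run"], run)
    return alerts


# Constructed sample: one client steps through consecutive IDs, another re-reads
# a few records slowly, and two lines do not match the expected layout.
SAMPLE_LOG = [
    f"2024-01-01T10:00:{s:02d}Z 203.0.113.7 GET /v1/customers/{1001 + s} 200"
    for s in range(8)
] + [
    "2024-01-01T10:00:05Z 198.51.100.20 GET /v1/customers/4242 200",
    "2024-01-01T10:00:40Z 198.51.100.20 GET /v1/customers/4242 200",
    "2024-01-01T10:01:10Z 198.51.100.20 GET /v1/customers/4250 200",
    "2024-01-01T10:01:20Z 198.51.100.20 GET /v1/customers/4243 200",
    "2024-01-01T10:01:21Z 198.51.100.20 POST /v1/login 401",
    "not a log line",
]

if __name__ == "__main__":
    for client, info in detect(SAMPLE_LOG).items():
        print(client, info)
```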
The FTC has a press release about this scandal involving GoDaddy on its website: https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-godaddy-alleged-lax-data-security-its-website-hosting-services