Data breaches and data leaks seem like a trend nowadays. The latest to be involved in such a situation is GoDaddy. We all know GoDaddy to be the largest domain registrar and the largest web host by market share.

The Cyber Risk Team of UpGuard discovered data exposure of extremely sensitive data on Amazon’s cloud storage service, S3. Chris Vickery, the cyber risk analyst, reported the data leak of over 31,000 GoDaddy systems. You heard it right, 31,000 SYSTEMS!

The data was found on an unsecured S3 bucket. The data file contained 8 different tabs containing information about GoDaddy’s pricing as well as discounts agreed with AWS. This information, in particular, is highly confidential and both parties have a mutual understanding of never revealing such information.

Further, the data included server configuration, storage, CPU settings, hostnames, operating systems and server workloads.

These are 8 tabs that were a part of the leaked data
Image courtesy: UpGuard

The datasheet contained a shocking number of 41 different columns. 41 different columns of data that can give GoDaddy’s competitor a deep insight into their operations.

“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment,” UpGuard stated.

UpGuard notified GoDaddy of the data breach immediately after discovering it. Surprisingly, GoDaddy didn’t pay heed to it for over FIVE weeks. The risk analyst reported that such a delay is normal with GoDaddy following a security report like this one.

On June 19th, 2018, UpGuard found a publicly readable S3 bucket. The bucket was named:

abotthgodaddy

On 20th June, UpGuard reported GoDaddy of the breach and on 26th June, GoDaddy replied with an email.

What Are S3 Buckets?

S3 Bucket is a cloud storage service provided by Amazon. They are private by default and only designated users can access them. This all sounds good until someone messes up with the configurations and makes it accessible to the public. That would mean anyone with the URL can access the data on those buckets.

Companies can either give the public access to everyone, making their buckets public. Anyone with the name can view the data. This is obviously not done on purpose and is a result of misconfiguration.

Or, companies can restrict access to authenticated users only which would mean anyone with a free AWS account can access the data.

Looking at The Bigger Picture

So what does it mean? What could be the consequences of such a mass data breach? Well for a start, 31,000 systems and 41 columns of data can actually hand over a roadmap for hackers on a plate. Since the data included information about server usage, hackers can actually plan their attacks differently for all the 31,000 systems according to their servers and other configurations.

“if you know what of 31,000 servers is interesting, and what’s not, that speeds up an attack plan,” said Vickery, the security risk analyst.

Judging by GoDaddy’s market share and popularity, we could say that GoDaddy powers around a 5th of the entire internet on this planet. This data could be used to launch an attack so massive, that it can disrupt the global internet traffic. This seems like a movie script but it’s true.

The other side of the coin is that competitors can have a detailed insight into GoDaddy. Since the data reflects GoDaddy’s pricing, discounts, finances, and strategies, industry influencers can use this data to design their strategies and use them against GoDaddy. This could be extremely harmful to GoDaddy in the long run. Competitors can actually leverage this data to crack their own deals with GoDaddy.

How Can Companies Prevent Such Breaches?

The first step towards a safer database is realizing that there is a problem that needs resolving. Vickery said,

“The cybersecurity and technology industries need to recognize that they have a problem, and be forthcoming with information about it and be honest with the public and the media about how bad it is.”

On the other hand, users must also be aware of the potential risk and the issues attached to it. Vickery believes that disingenuous discussions should not be relied on when searching for information on cybersecurity. These discussions further deteriorate people’s knowledge of cyber security rather than enhancing it.

Furthermore, contracts between companies often focus on who will be responsible if there is a data breach. The focus should now be shifted on the precautionary measures on how to prevent data leaks. A proactive approach is the need of the time, rather than a reactive approach.