
The Federal Trade Commission (FTC) has finalized a settlement requiring GoDaddy to implement sweeping security reforms after multiple data breaches exposed customer data between 2018 and 2022. The order follows allegations that the web hosting giant misrepresented its security practices while failing to implement basic protections like multi-factor authentication (MFA) and network segmentation [1].
TL;DR: Key Takeaways for Security Professionals
- FTC Findings: GoDaddy falsely advertised “award-winning security” while lacking MFA, threat monitoring, and patch management for 30,000 servers [2].
- Breach Impact: 1.2 million WordPress users’ emails and private keys leaked via unencrypted API endpoints in 2021 [3].
- Settlement Terms: Mandates HTTPS APIs, universal MFA, and biennial third-party audits through 2030 [4].
Technical Breakdown of GoDaddy’s Security Failures
The FTC complaint reveals systemic gaps in GoDaddy’s infrastructure. Only 15,000 of 450,000 devices were properly inventoried in 2020, leaving unmanaged assets vulnerable to exploitation [1]. The 2021 WordPress API breach occurred due to unencrypted credential transmission, allowing interception of:

| Compromised Data | Volume |
|---|---|
| Email addresses | 1.2 million |
| SSH private keys | 28,000 |
| Employee credentials | 199 |
Redirection attacks in 2022 exploited poor domain validation, hijacking customer sites to malicious domains. Forensic analysis showed threat actors leveraged:
“Default cPanel configurations with unchanged SSH credentials, allowing lateral movement across shared hosting environments” [3].
Remediation and Operational Impact
The FTC’s 2025 order requires GoDaddy to implement NIST-aligned controls including:
- Network segmentation for shared hosting environments
- Automated patch management with 72-hour SLA for critical vulnerabilities
- Third-party penetration testing every six months
For security teams managing GoDaddy-hosted assets, immediate actions include:
- Rotate all API keys and SSH credentials
- Audit domain DNS records for unauthorized changes
- Enable MFA for all administrative interfaces
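As an added example (not code from the article or from GoDaddy), one way to automate the DNS audit recommended above: compare the records the registrar API or `dig` currently returns against a saved baseline and flag every record set that drifted, rating changes to the types that redirect traffic or re-delegate the zone as high severity. The zone data below is constructed and every name in it is hypothetical.

```python
from collections import defaultdict
HIGH_RISK = {"A", "AAAA", "CNAME", "NS", "MX"}  # a silent change here redirects traffic or delegates the zone
HOSTNAME_VALUED = {"CNAME", "NS", "MX"}        # values are hostnames, compared case-insensitively

def normalize(records):
    """Group (name, type, value) triples into {(name, type): set(values)}; value order is irrelevant."""
    grouped = defaultdict(set)
    for name, rtype, value in records:
        rtype, value = rtype.upper(), value.strip()
        if rtype in HOSTNAME_VALUED:
            value = value.lower().rstrip(".")
        grouped[(name.lower().rstrip("."), rtype)].add(value)
    return grouped

def diff_zone(baseline, observed):
    """Return one finding per record set that differs from the baseline."""
    base, obs = normalize(baseline), normalize(observed)
    findings = []
    for key in sorted(set(base) | set(obs)):
        before, after = base.get(key, set()), obs.get(key, set())
        if before == after:
            continue
        name, rtype = key
        change = "added" if not before else "removed" if not after else "modified"
        findings.append({"name": name, "type": rtype, "change": change,
                         "severity": "high" if rtype in HIGH_RISK else "medium",
                         "expected": sorted(before), "observed": sorted(after)})
    return findings
# Constructed sample zone (documentation-range IPs, hypothetical names), not real data.
BASELINE = [
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com", "CNAME", "example.com."),
    ("example.com", "NS", "ns1.example-dns.net."),
    ("example.com", "NS", "ns2.example-dns.net."),
    ("example.com", "TXT", '"v=spf1 include:_spf.example-mail.net -all"'),
]
# Observed records: the apex A now points elsewhere and an extra nameserver was delegated.
OBSERVED = [
    ("example.com", "A", "198.51.100.77"),
    ("WWW.example.com", "CNAME", "Example.com"),  # identical to baseline once normalized
    ("example.com", "NS", "NS2.example-dns.net"),
    ("example.com", "NS", "ns1.example-dns.net"),
    ("example.com", "NS", "ns-unexpected.example.net"),
    ("example.com", "TXT", '"v=spf1 include:_spf.example-mail.net -all"'),
]

if __name__ == "__main__":
    for f in diff_zone(BASELINE, OBSERVED):
        print(f"[{f['severity']}] {f['name']} {f['type']} {f['change']}: {f['expected']} -> {f['observed']}")
```

Run on a schedule against a baseline captured right after credential rotation, and any high-severity finding is an immediate candidate for the same redirection pattern the complaint describes.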
Regulatory Precedents and Industry Implications
This case mirrors FTC actions against Marriott (2024) and Zoom (2023), establishing a pattern of holding service providers accountable for security claims [5]. The settlement specifically prohibits:
“Misrepresentations about Privacy Shield compliance or data protection measures” [4]
Security teams should review vendor contracts for similar clauses requiring:
- Transparent breach notification timelines
- Right-to-audit provisions
- Penalties for security misrepresentations
Conclusion
The GoDaddy settlement underscores regulators’ increasing focus on holding infrastructure providers to advertised security standards. With the FTC mandating technical controls like MFA and encryption, this case provides a blueprint for evaluating vendor security postures. Organizations using shared hosting should treat this as a case study in third-party risk management.
References
[1] FTC Complaint, Case No. 202-3133 (2025).
[2] “FTC Orders GoDaddy to Fix Poor Web Hosting Security Practices”, BleepingComputer (2025).
[3] “FTC Takes Action Against GoDaddy for Alleged Lax Data Security”, FTC Press Release (2025).
[4] “GoDaddy Faces FTC Scrutiny Over Alleged Lax Data Security Practices”, ZwillGen Analysis (2025).
[5] “FTC Finalizes GoDaddy Data Security Order”, Phoenix Business Journal (2025).