If you’re a GoDaddy customer, you’ll know if you were on the list of affected accounts if you see a message like this:
“Subject: Security Incident Impacting Your GoDaddy Web Hosting Account
We need to inform you of a security incident impacting your GoDaddy web hosting account credentials. We recently identified suspicious activity on a subset of our servers and immediately began an investigation.
The investigation found that an unauthorized individual had access to your login information used to connect to SSH on your hosting account. We have no evidence that any files were added or modified on your account. The unauthorized individual has been blocked from our systems, and we continue to investigate potential impact across our environment.”
There’s more, including a warning that your account information was reset and how to get back into your account, but from a technical point of view – what actually happened and how the breach was detected – there is only the above text to go on.
Clearly, this isn’t just a case of credential stuffing, where accounts were accessed because their passwords were the same as the passwords used on other services that had already been breached, or GoDaddy wouldn’t have filed a breach notification.