
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog
Authored By Packetlabs

GoDaddy, one of the world's largest domain registrars with more than 19 million customers and approximately 77 million managed domains, recently disclosed a GoDaddy data breach affecting users with web hosting accounts. Although the security incident took place on October 19, 2019, it was only discovered on April 23, 2020. Despite the significant gap between the event and discovery, this is not unusual and is a clear demonstration of the importance of SSH security.
One can read the initial email filed with the California Department of Justice that GoDaddy sent to notify its customers, which also forced a password reset on affected customers.
According to the initial GoDaddy email, the remote access breach only impacted GoDaddy's hosting accounts. Upon further investigation in May 2020, compromised remote access credentials in GoDaddy's hosting environment may affect at least 28,000 customers. The GoDaddy CISO and VP of Engineering, Demetrius Comes, revealed that this incident was a result of suspicious activity on GoDaddy servers. Unauthorized individual(s) obtained access through the SSH service. On Linux systems, this is the predominant protocol administrators use to manage and perform administrative and maintenance-related tasks.
The lesson to be learned from this GoDaddy breach is perhaps best summed up by analysts from Venafi Inc., a privately held cybersecurity company.
The GoDaddy breach underlines just how important SSH security is.
Venafi Inc.
Security for remote access into a company's environment or critical servers is vital. The SSH security service used to remotely access critical servers for an enterprise is no exception. Clients often ask us whether changing the port the remote access protocol runs on would be sufficient. We explain that this information can easily be deduced by a variety of tools. Dedicated attackers can run port scans or review services that collect port scans over time (e.g., Shodan).
We've compiled a concise list to ensure access to your organization's servers is locked down:
Disable root login
Limit max authentication attempts
Block SSH brute force attacks automatically (SSHGuard, Fail2ban, or DenyHosts)
Keep SSH patched and updated
Disable empty passwords
Mandate the use of key over password authentication
Mandate the use of only SSHv2
Expose the SSH service only to the required users
Disable X11Forwarding
Implement multi-factor authentication
Disable weak key exchanges and ciphers
Perform a regular audit of the authorized_keys and SSH logs
This is not meant to be an exhaustive list, but rather the security minimums that network administrators and critical system owners should be aware of.
In the wake of a never-ending stream of security incidents against public and private companies, you must increase efforts to protect your own organization. Another lesson from the GoDaddy breach is that the attackers were in GoDaddy's hosting environment and network for approximately six months. Developing a strong security program for your organization often involves a planned and deliberate patching strategy and process, thorough testing, and active monitoring of critical systems. This can help minimize the risk of a breach and spot attackers lurking in your network before it's too late.
Here at Packetlabs, we specialize in penetration testing. Through the expert utilization of both internal penetration testing and external testing activities, we will perform thorough checks to determine what management access protocols are exposed, and how they can be leveraged by an adversary. This information can then be used to develop a comprehensive security strategy. Contact us today to learn more about SSH security or to engage in a productive discussion on how we can assist your organization's development of a proactive approach to cybersecurity.
Join our newsletter. Uncover exploitable weaknesses before attackers do. Book your discovery call with our team of Offensive Security experts. Contact Us
Question: What happened in the GoDaddy data breach and who was affected?
Short answer: GoDaddy disclosed that attackers gained unauthorized access to its hosting environment via SSH on October 19, 2019, a breach that wasn’t discovered until April 23, 2020. The incident affected hosting accounts (not domain registrar accounts) and ultimately impacted at least 28,000 customers. GoDaddy notified affected users and forced password resets as part of its response.
Question: Why does this incident underscore the importance of SSH security?
Short answer: SSH is the primary protocol administrators use to manage Linux servers and perform maintenance. When attackers obtain SSH access, they can potentially control critical systems. The GoDaddy case shows that such access can remain undetected for months, which is why hardening SSH, limiting exposure, and actively monitoring for suspicious activity are vital.
Question: Is changing the default SSH port enough to secure remote access?
Short answer: No. Attackers can easily discover non-standard ports using port scans or by consulting scan-aggregation services like Shodan. Port changes may reduce noise but are not a security control. Organizations need layered defenses such as strong authentication, access restrictions, and monitoring to meaningfully reduce risk.
Question: What minimum SSH hardening steps should organizations implement?
Short answer: At a minimum, implement the following controls:
Disable root login
Limit maximum authentication attempts
Automatically block brute-force attempts (e.g., SSHGuard, Fail2ban, DenyHosts)
Keep SSH patched and updated
Disable empty passwords
Require keys over passwords
Allow only SSHv2
Expose SSH only to required users (and networks)
Disable X11Forwarding
Implement multi-factor authentication (MFA)
Disable weak key exchanges and ciphers
Regularly audit authorized_keys and SSH logs
Question: Beyond SSH configuration, what proactive steps reduce breach risk, and how can Packetlabs help?
Short answer: Build a strong security program with a deliberate patching and testing process and active monitoring of critical systems to detect intrusions early—GoDaddy’s attackers persisted for about six months before discovery. Packetlabs can help by conducting internal and external penetration testing to identify exposed management access, demonstrate how adversaries could leverage it, and provide guidance for a comprehensive security strategy.