Every major registrar data breach, and what they told you too late

The GoDaddy 2020–2023 timeline

Three separate breaches, four years, same company. Timeline assembled from GoDaddy's 2022 10-K filing and BleepingComputer coverage:

The February 2023 disclosure is the alarming one: GoDaddy revealed in its 10-K that the attackers had been in their systems continuously since at least March 2020. That is the same "incident" that was disclosed as resolved three separate times.

This matters because GoDaddy hosts ~21 million domains and is the world's largest registrar. An attacker with sustained access to GoDaddy has access to WHOIS contact data, registration payment records, nameserver configurations, and in the Managed WordPress case, the source of the actual websites.

The Epik leak — 180GB in the open

On September 13, 2021, the group Anonymous released a 180GB torrent labeled as Epik's internal data. Coverage: Krebs on Security.

The dump contained:

• Every WHOIS record for every domain Epik had registered since 2011 — including records for customers who had paid for WHOIS privacy
• Customer usernames, passwords (some hashed with outdated algorithms), and SSH keys
• Payment card data in partially redacted form
• Internal support tickets revealing customer disputes
• API keys for third-party services Epik used

The political context of the Epik leak (the provider hosted a number of controversial far-right sites and had attracted attention) is separate from the mechanics of what was exposed. For any customer whose data was in that dump — regardless of the site they ran — the privacy loss was permanent. The torrent is still indexed.

Epik subsequently rebranded and was acquired, but the data is out. A customer who paid for WHOIS privacy and had their real name and home address in the leak cannot un-leak it.

Network Solutions: twice and counting

Network Solutions has a long history predating most of its competitors, and correspondingly a longer breach history. Notable incidents:

• July 2019: unauthorized third-party access to a subset of customer accounts. Name, address, phone, email exposed. BleepingComputer coverage.
• 2015 (earlier breach): customer records and payment data compromised in an attack traced to the then-parent company Web.com Group.

Network Solutions, Register.com, and Web.com are all operated by Newfold Digital (the same parent as Bluehost, HostGator, and Domain.com). A breach at one brand means the entire customer database across brands is at risk.

What a registrar breach actually exposes

Most people underestimate what registrars know about them. A full customer profile at a mass-market registrar typically includes:

• Legal name, home address, phone, email — the ICANN-required WHOIS record, including entries paid to be "private"
• Credit card on file — often tokenized, but the token is compromised if the internal API is breached
• Government ID — for certain TLDs (.bank, .gov, .us) or for resolved disputes
• Authentication secrets — passwords (hopefully hashed), 2FA backup codes, API keys
• Site contents or backup archives — for hosted customers, full site code and database
• DNS configuration — nameserver records, TXT records including email-auth secrets
• Payment history — can be used to approximate revenue for business customers

A WHOIS record alone allows automated scraping into a marketable list: "founders of businesses registered in [month, year] in [geography]." That list is bought and sold. Once a breach dumps the source data, every subsequent list-builder has the raw material.

How to minimize your exposure

Structural habits that limit what any single breach can cost you:

1. Use a registrar that collects minimally. Privacy-forward registrars (Njalla, 1984, LaunchPad Host) either register domains in their own name or use structured privacy so the WHOIS record is not your identity. Even if their database leaks, the linkage to you is indirect.
2. Use a mailbox you can rotate. SimpleLogin, AnonAddy, iCloud Hide My Email, or a dedicated domain with catch-all forwarding. Each registrar gets a unique alias. When one leaks, rotate that alias.
3. Pay with virtual cards or crypto. Privacy.com, Capital One Eno, or Monero. The payment token is per-vendor; breach of one vendor does not reveal your banking relationship.
4. Never reuse passwords. Registrar accounts are high-value targets because they control DNS. A stolen password from a 2018 breach of some unrelated service is how a DNS hijack starts.
5. Enable hardware 2FA. YubiKey or equivalent. SMS 2FA is bypassable via SIM-swap; app-based TOTP is acceptable; hardware tokens are best.

We run LaunchPad Host with deliberately minimal customer data collection. Only what is required to register the domain and bill you. No marketing profile, no "partner" sharing, no optional data fields. Less to leak if we are ever breached.