The Hosting Industry Has a Security Problem
Web hosting providers sit at the foundation of the internet. When they get breached, the fallout reaches every site, business, and customer they serve. Over the past 18 months, the hosting sector has faced a series of high-profile security failures that exposed millions of accounts and triggered regulatory action.
From GoDaddy’s multi-year intrusion drawing an FTC consent order to a critical cPanel vulnerability actively exploited in the wild, the numbers paint a concerning picture. Here is what happened, what the data shows, and what hosting customers should take away from it all.
The Numbers: Data Breach Statistics That Matter

Verizon’s 2025 Data Breach Investigations Report analyzed 22,052 security incidents across 139 countries and confirmed 12,195 data breaches. That is the most extensive caseload the report has ever recorded. Ransomware was present in 44% of those breaches, up from 32% the prior year. Third-party involvement in breaches jumped from 15% to 30%.
The IBM Cost of a Data Breach Report 2025 puts the global average breach cost at $4.44 million. In the United States, that figure climbs to $10.22 million per incident. Supply-chain breaches averaged $4.91 million, while breaches spanning multiple environments hit $5.05 million.
For hosting providers specifically, these numbers carry extra weight. A single compromised hosting environment can cascade across thousands of customer sites simultaneously.
Key Cost Factors
| Breach Type | Average Cost (2025) |
|---|---|
| Malicious insider attacks | $4.92 million |
| Supply-chain breaches | $4.91 million |
| Phishing attacks | $4.80 million |
| Multi-environment breaches | $5.05 million |
| Critical infrastructure breaches | $4.82 million |
Organizations with incident response plans saved an average of $2.66 million per breach, a 61% reduction in total cost. Zero-trust architectures cut costs by $1.76 million compared to environments without them.
GoDaddy: A Case Study in Systemic Security Failure
The most consequential hosting breach of the past two years involves GoDaddy, which powers over 84 million domains and serves more than 20 million customers globally. In February 2023, GoDaddy disclosed that a series of intrusions dating back to March 2020 were the work of a single threat actor group in a multi-year campaign, meaning the attacker had a presence in its environment, on and off, for nearly three years before the incidents were connected.
Over that period, attackers compromised GoDaddy’s cPanel shared hosting servers, installed malware that intermittently redirected customer websites to malicious domains, and exfiltrated source code and credentials for some of its services. The November 2021 intrusion alone exposed data on more than 1.2 million Managed WordPress customers, including sFTP and database credentials and, for a subset of active customers, SSL private keys.
The exposure of SSL private keys is particularly dangerous. Whoever holds the key can impersonate the legitimate site and intercept traffic from a man-in-the-middle position, and can decrypt recorded sessions that used RSA key exchange rather than a forward-secret cipher suite. A certificate whose key may have leaked has to be revoked and reissued with a newly generated key; renewing with the same key changes nothing. Watching Certificate Transparency logs for your domains is the cheapest way to spot certificates you never requested.
The FTC Steps In
In January 2025, the Federal Trade Commission took action against GoDaddy, alleging the company misled consumers by claiming it offered “award-winning security” while failing to implement basic protections. According to the FTC, GoDaddy lacked multi-factor authentication for administrators, failed to monitor for security threats, and did not properly secure connections to consumer data.
The FTC finalized its consent order in May 2025, requiring GoDaddy to establish a comprehensive information-security program, hire independent third-party assessors for regular reviews, and stop making misleading claims about its security posture. The 3-0 Commission vote signaled unanimous concern about the hosting giant’s practices.
This was not GoDaddy’s first incident, either. A 2019 phishing attack had compromised internal employee accounts, and the November 2021 WordPress breach was disclosed as a standalone event before the company tied it to the same campaign. The pattern of recurring breaches points to systemic problems rather than isolated mistakes.
The cPanel Crisis: CVE-2026-41940
In April 2026, security researchers disclosed CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel and WebHost Manager (WHM). This bug allows attackers to gain administrative access to cPanel interfaces without credentials, potentially taking over entire servers and every site hosted on them.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Evidence suggests attackers had been exploiting the flaw since at least late February 2026, roughly two months before the public disclosure and patch release on April 28, 2026.
The scope is staggering. cPanel/WHM runs on over a million sites worldwide, including those belonging to banks and healthcare organizations. All supported versions after 11.40 were affected, including DNSOnly and WP Squared configurations.
Hosting Provider Response
Major providers including Namecheap, HostGator, and KnownHost temporarily blocked access to cPanel interfaces while applying patches. This was the right call, but it also meant administrators were locked out of their own control panels during a period of active exploitation.
The incident highlights a structural risk in the hosting industry: heavy reliance on a small number of shared infrastructure components. When cPanel has a vulnerability, a significant portion of the world’s hosting infrastructure is simultaneously at risk.
Cloud Hosting: Not Immune
According to the IBM report, 45% of all data breaches now occur in cloud environments. Breaches in hybrid-cloud setups averaged $3.80 million, roughly $440,000 less than private-cloud incidents. But compliance failures added another $1.22 million to breach costs on average.
Shadow AI, the use of unauthorized AI tools within organizations, added approximately $670,000 to the average breach cost in 2025, pushing affected incidents to $4.74 million. As hosting providers rush to integrate AI features into their platforms, this risk is likely to grow.
Financial gain motivated 95% of data breaches tracked by Verizon, with credential theft and exploitation of known vulnerabilities remaining the top initial access vectors.
What Reduces Breach Impact: The Data
Not all the news is bad. The research identifies clear factors that reduce both the likelihood and cost of breaches.
| Mitigation Factor | Cost Reduction |
|---|---|
| AI and automation in security | 70% lower cost ($3.05M avg) |
| Incident response plan | 61% savings ($2.66M saved) |
| Zero-trust architecture | $1.76 million saved |
| Resolution under 200 days | $3.87M vs $4.95M+ for longer |
| Hybrid cloud vs private cloud | $440,000 lower cost |
Organizations using AI-powered security tools and automation detected breaches in an average of 249 days, compared to 321 days without them. That 72-day difference translates directly into lower costs and reduced data exposure.
Lessons for Hosting Customers
These incidents carry practical implications for anyone running a website on shared, VPS, or managed hosting.
1. Evaluate Your Provider’s Security Track Record
A provider’s breach history is one of the better predictors of how it will handle the next incident. Before signing up with a host, search for its breach history and look at how it responded: did it disclose promptly? Did it take meaningful corrective action? A provider that has been breached multiple times without fundamentally changing its security posture is a liability.
2. Enable Multi-Factor Authentication Everywhere
The FTC specifically cited GoDaddy’s failure to require MFA for administrators. If your hosting provider offers MFA for your control panel, SSH access, and billing account, enable it, and prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected through a SIM swap. If the provider does not offer MFA at all, treat that as a red flag.
3. Keep Your Own Backups
When a hosting provider gets compromised, your data is in someone else’s hands. Maintain independent, off-site backups that you control, in an account and on infrastructure separate from the host, and do not leave the credentials for that backup storage on the hosted server, where an attacker who owns the server owns them too. Test restoration regularly. Your hosting provider’s backup system may itself be compromised in a breach scenario.
4. Monitor for Unauthorized Changes
GoDaddy’s attacker operated in its environment for nearly three years before the incidents were connected. File integrity monitoring, regular malware scans, and alerts on unexpected DNS changes can catch problems that your host may miss. Tools like Wordfence, Sucuri, or simple checksum monitoring scripts add a layer of detection independent of your provider. Keep the baseline and the comparison logic off the monitored host where you can: a scanner that lives on the compromised server, with its baseline next to it, is the first thing a careful intruder adjusts.
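As an added example (not code from the article, GoDaddy, cPanel or any tool named above), the following stdlib-only Python script is the kind of "simple checksum monitoring script" item 4 refers to, and its comparison step doubles as the restore test item 3 asks for: hash a site tree, seal the baseline with an HMAC key that stays off the monitored host, diff a later scan against it, and check that a hostname still resolves to the addresses you expect. File names, contents, addresses and the hijacked-resolver stand-in are all constructed for the demonstration; the key shown is a placeholder.

```python
"""Integrity and DNS-drift monitor (stdlib only). Added example; not vendor code."""
import hashlib
import hmac
import json
import os
import socket
import tempfile
from typing import Callable, Dict, Set


def hash_tree(root: str) -> Dict[str, str]:
    """Return {relative path: sha256 hex} for every regular file under root."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def seal_baseline(digests: Dict[str, str], key: bytes) -> str:
    """Serialize the baseline and bind it to an HMAC-SHA256 tag.

    The key belongs on the machine that runs the comparison, not on the hosted
    server, so an intruder who edits the stored baseline cannot recompute the tag.
    """
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "tag": tag})


def open_baseline(sealed: str, key: bytes) -> Dict[str, str]:
    """Verify the tag before trusting a stored baseline; raise if it was altered."""
    wrapper = json.loads(sealed)
    expected = hmac.new(key, wrapper["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["tag"]):
        raise ValueError("baseline tag mismatch: stored baseline was altered")
    return json.loads(wrapper["baseline"])


def diff_trees(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify drift between two scans (or a backup manifest and its restore)."""
    common = set(baseline) & set(current)
    return {
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
        "modified": {p for p in common if baseline[p] != current[p]},
    }


def resolve_a(name: str) -> Set[str]:
    """Default resolver: the IPv4 answers the local resolver returns for name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


def dns_drift(expected: Dict[str, Set[str]],
              resolver: Callable[[str], Set[str]] = resolve_a) -> Dict[str, Set[str]]:
    """Return {name: observed records} for every name whose answers differ."""
    drift: Dict[str, Set[str]] = {}
    for name, good in expected.items():
        seen = resolver(name)
        if seen != good:
            drift[name] = seen
    return drift


def demo_files() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline a tiny WordPress-like tree, then alter it."""
    key = b"constructed demo key; keep the real one off the host"
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        originals = {
            "index.php": "<?php // constructed front controller\n",
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        }
        for rel, text in originals.items():
            with open(os.path.join(site, rel), "w") as fh:
                fh.write(text)
        sealed = seal_baseline(hash_tree(site), key)  # ship this off-host
        # Constructed post-compromise state: config edited, stray file in uploads.
        with open(os.path.join(site, "wp-config.php"), "a") as fh:
            fh.write("// constructed: line appended by an intruder\n")
        with open(os.path.join(site, "wp-content", "uploads", "cache.php"), "w") as fh:
            fh.write("<?php // constructed: file an intruder dropped\n")
        return diff_trees(open_baseline(sealed, key), hash_tree(site))


def demo_dns() -> Dict[str, Set[str]]:
    """Constructed scenario: a zone that now points at an address we never set."""
    expected = {"www.example.com": {"203.0.113.10"}}        # TEST-NET-3, constructed
    hijacked_resolver = lambda _name: {"198.51.100.77"}    # TEST-NET-2, constructed
    return dns_drift(expected, hijacked_resolver)


if __name__ == "__main__":
    print(demo_files())
    print(demo_dns())
```

In practice the sealed baseline and the key live on the machine that runs the scan over SSH or against a mirror of the site, never on the hosted server itself; `dns_drift` is normally called with the default `resolve_a` on a schedule, with the constructed resolver used here only so the example runs offline.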
5. Assume Shared Infrastructure Is a Shared Risk
The cPanel vulnerability affected everyone running on the platform simultaneously. If you are on shared hosting, you share the attack surface with every other customer on that server. For sites handling sensitive data or processing transactions, dedicated or isolated environments reduce this exposure.
What Hosting Providers Must Do Better
The FTC’s order against GoDaddy reads like a baseline security checklist that any hosting company should already have in place: MFA, threat monitoring, secure connections, third-party audits. The fact that a major provider lacked these controls for years is telling.
Hosting providers need to treat security as infrastructure, not marketing copy. That means regular penetration testing, bug bounty programs, mandatory MFA for all administrative access, network segmentation between customer environments, and transparent incident disclosure.
The cPanel incident also shows the industry needs to reduce single points of failure. When one management platform can expose a million sites simultaneously, the concentration of risk is unacceptable. Providers should evaluate whether their dependency on specific control panel software creates systemic vulnerability, and in the meantime keep WHM and cPanel login interfaces reachable only from trusted networks or behind a VPN, so that the next pre-authentication bug is not exposed to every scanner on the internet.
Looking Ahead
The hosting security situation in 2025-2026 is a turning point. Regulatory bodies are now actively enforcing security standards on hosting providers. Customers have access to more breach data than ever to inform their purchasing decisions. And the financial case for strong security is clear: the cost difference between prepared and unprepared organizations runs into millions of dollars per incident.
The lesson from GoDaddy, cPanel, and the broader breach statistics is straightforward: security in hosting is not a feature. It is the product. Providers that treat it as an afterthought will face regulatory consequences, customer defections, and eventually existential risk to their businesses.
For customers, the takeaway is equally direct. Verify your provider’s security claims. Add your own layers of protection. And never assume that because you are paying for hosting, someone else is handling security on your behalf. In 2026, that assumption can cost you everything.