I don't think this is so much a question of liability as it is one of customer perception. If 'GoDaddy Secured' sites aren't really secure and start getting hacked, then 'secured by GoDaddy' signs will mean no more than "hackable in 10 minutes or it's free". We'll see how GoDaddy squirms when that happens.
I think that beyond customer perception, there is an actual question of legal liability here. If GoDaddy is purporting to be an expert in security and selling a service, that is supposed to ensure security, then they should be found liable for some degree malpractice.
I'd love to get a real lawyer's opinion on this...
Hacking a server is a very specific act, different from hacking a website. One exploits weaknesses in the underlying OS - the other exploits weaknesses in the publicly exposed software running on the server. To the end viewer, there may be no difference, but the "how they got in" would determine the liability.
If anon breached the OS, then common sense would say GoDaddy is somewhat responsible. Otherwise, it pretty much falls on the client. All the hardening in the world can't patch for stupid.
The "Hacker Proof" badges are supposed to verify your web application as well, but this attack could have been entirely non-technical social engineering to get access to the cart admin account or MySQL username/password. We don't have any details right now at all as far as I know and I tend to doubt they will be forthcoming.
In fact, I doubt that specialforces.com will even inform users of this breach. They don't seem to be especially security-savvy and the initial reaction of secuirty-naive businesses is to keep something like this under wraps so it doesn't hurt their reputation.
Of course, this is just idle speculation and they could have already informed users. I have no malintent. That's just how I read the situation and the likelihoods involved.
