GoDaddy Spanked For Massive Security Breach Putting 1.2M WordPress Accounts At Risk
It would seem that not even GoDaddy can keep all the children of the internet behaving as they should. The very popular internet domain registrar and web hosting giant announced yesterday that its security was compromised last week.
GoDaddy announced yesterday that it had discovered on November 17th there was an unauthorized third-party that had gained access to its Managed WordPress hosting environment. The actual security breach began on September 6, 2021 where the unauthorized party used a vulnerability to gain access to customer information. Once identified, GoDaddy launched an investigation with the help of an IT forensics firm and contacted law enforcement.
The customer information that was compromised included up to 1.2 million active and inactive Managed WordPress customers email addresses and customer numbers. GoDaddy warns that phishing attacks could be possible via these email addresses. Also exposed, the original WordPress Admin password that was used at the time of provisioning.
If any of these passwords were still being used, GoDaddy has already taken steps to reset them. If anyone was an active customer, their sFTP and database usernames and passwords were accessed in the breach. The company has reset the passwords for those as well. Finally, for a subset of active customers, the SSL private key was exposed. GoDaddy is in the process of installing new certificates for any customer that was affected by this.
GoDaddy apologized in a filing with the SEC saying, "We are sincerely sorry for this incident and the concern it causes for our customers." The apology may come as little consolation for the 1.2 million customers whose data has been placed at risk due to the security breach. Especially since the attack went unnoticed for more than two months before GoDaddy was able to identify it and take action. Anyone who was using GoDaddy's Managed WordPress product during the time of the breach should consider their data as being part of what was exposed until they are notified differently.
It is likely that the breach occurred due to GoDaddy storing sFTP credentials as either plaintext, or in a format that could be reversed into plaintext. There is a more secure ways the company could have been storing this data, which would includes using either a salted hash or a public key. It was this practice that gave the attacker access to password credentials without having to break a sweat.
One of the major concerns of this attack comes from the breach of the sFTP and Database passwords. While GoDaddy did reset the passwords for both once it found the breach, the person(s) who committed the attack had around a month and a half where they could have infected a users website with malware or adding a malicious administrative user. This would mean that the attacker could still have control and access to certain websites that were affected even after the passwords were changed by GoDaddy.
Some of the recommended actions are that if you are operating an e-commerce site and GoDaddy informs you that you were part of the breach, you may be required to let your customers know. It may not be a bad idea to go ahead and give your customers a heads up either way. Anyone operating a WordPress account through GoDaddy should change all your passwords, even if GoDaddy has already done so. You should also change any and all passwords associated with your GoDaddy account, including any emails. Enabling two-factor authentication is always a good idea on any site, and if you have not done so yet it is highly recommended you do so now. You also want to check for any unauthorized admin accounts, as these pose malware threats and potential future attacks on your site. Also, keep an eye on your email for phishing.
One final thing to check for is in your site's filesystem. Check for either wp-content/plugins and/or wp-content/mu-plugins, or any unexpected plugins. There is a possibility legitimate plug-ins could be utilized to maintain unauthorized access.
GoDaddy has left a lot of users at risk for not only the time its data was being accessed, but for a long time after with the possibility of continued unauthorized access and email phishing scams and malware. For anyone that could be affected by all this, we encourage you to take all the steps listed above and to keep an eye out for any new information that may surface in the days and weeks to come.