GoDaddy Hacked – 1.2 Million Customers Data Breach in Managed WordPress Hosting.
GoDaddy, the world’s largest web hosting company, announced a data breach that resulted in unauthorized access to the data of 1.2 million customers.
GoDaddy announces Security Incident Affecting Managed WordPress Service
On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment.
Here is the background on what happened and the steps we took, and are taking, in response:
We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.
Upon identifying this incident, we immediately blocked the unauthorized third party from our system. Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to the following customer information:
• Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
• For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
• For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
“Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help) which includes phone numbers based on country.
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection, said Demetrius Comes, Godaddy’s Chief Information Security Officer.”
What did the cyber attacker have access to?
Wordfence reported, The SEC filing indicates that the attacker had access to user email addresses and customer numbers, the original WordPress Admin password that was set at the time of provisioning, and SSL private keys. All of these could be of use to an attacker, but one item, in particular, stands out:
During the period from September 6, 2021, to November 17, 2021, the sFTP and database usernames and passwords of active customers were accessible to the attacker.
GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.
The GoDaddy Data breach isn’t the first time, in May 2020, a GoDaddy web hosting account were compromised.