On November 22, GoDaddy said it was the victim of a data breach that exposed the email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress users. The breach also exposed the original admin-level WordPress passwords that were set for those accounts when WordPress was first installed. The passwords could have allowed access to customers’ WordPress servers.
Active customers also had their sFTP credentials exposed, which are used for file transfers, along with the usernames for WordPress databases where site content is stored. Certain customers also had their SSL (HTTPS) private keys exposed. In those cases, an attacker could impersonate the customers’ websites and services.
According to a filing with the Securities and Exchange Commission (SEC), the breach was discovered on November 17, 2021, when suspicious activity was identified in GoDaddy's Managed WordPress hosting environment. An unauthorized individual had used a compromised password to access the system. GoDaddy said WordPress passwords and private keys were reset, and new SSL certificates are in the process of being issued.
GoDaddy said it is still investigating the hack and a third-party computer forensics firm has been engaged to assist with the investigation. The investigation has confirmed the attacker first used the compromised password on September 6, 10 weeks before the security breach was detected.
According to Wordfence, GoDaddy was storing sFTP passwords in plaintext, which means they could easily be retrieved. The best practice is to store salted hashes of passwords. That was a serious security failure considering sFTP passwords are used for uploading and downloading files from hosting servers.
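The practice Wordfence points to, storing a salted hash rather than the password itself, is shown below as an added example written for this article; it is not GoDaddy's code and says nothing about how its provisioning system works. It uses PBKDF2-HMAC-SHA256 from the Python standard library with a fresh random salt per password, a self-describing record format, and a constant-time comparison; the iteration count and record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not any provider's configuration).
ITERATIONS = 600_000   # PBKDF2 work factor; raise as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex.

    Only this record is written to the database. A leak of the table
    reveals salts and hashes, never the password itself.
    """
    salt = secrets.token_bytes(SALT_BYTES)  # fresh salt: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algo != "pbkdf2_sha256":
        return False  # unknown algorithm tag
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    record = hash_password("correct-horse-battery")
    print("stored record:", record)
    print("login with right password:", verify_password("correct-horse-battery", record))
    print("login with wrong password:", verify_password("wrong", record))
```

The record stores the salt and iteration count alongside the hash, so the work factor can be raised later and old records re-hashed on the user's next successful login. Note that this protects stored credentials at rest; sFTP still needs the password in the clear at login, so the server side should hold only the hash and verify against it rather than keep a retrievable copy.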
“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection,” said GoDaddy’s Chief Information Security Officer, Demetrius Comes.
Several GoDaddy brands that sell managed WordPress services have also been affected by the incident, including 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost.
“A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action,” said Dan Rice, GoDaddy’s VP of corporate communications.
GoDaddy has warned customers that the exposure of their email addresses could place them at risk of phishing attacks, although the breach could have more serious implications. While a password reset has been performed, that would do nothing to protect customers if their websites have already been compromised. Given the length of time between initial access, the discovery of the breach, and the password reset, it is possible that attackers may have accessed customers’ managed WordPress service and made changes, including altering content on the sites or uploading malicious files.
Scans should therefore be conducted on websites to check whether content has been changed and the sites are free of malicious files, Trojans, and backdoors. Wordfence also warned that if business websites have been compromised, the attackers could access website databases and obtain sensitive customer information, such as stored credit card numbers on eCommerce websites.
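One concrete way to run the scan described above is a file-integrity comparison: hash every executable web file against a known-good baseline and report anything added, removed or modified. The example below is added for this article and is not part of it, nor is it a Wordfence or GoDaddy tool; it builds a small constructed WordPress-like tree in a temporary directory, takes a baseline, simulates the kinds of changes the text warns about (an edited theme file, an unexpected new PHP file, a deleted core file) and returns the differences. The file extensions it watches are an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed: file types worth tracking on a WordPress install.
WATCHED = (".php", ".js", ".htaccess")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched=WATCHED) -> dict:
    """Map each watched file (path relative to root, POSIX form) to its hash."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in watched or path.name in watched):
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small site, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "example"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme helpers\n")
        (root / "readme.txt").write_text("not a watched type\n")

        baseline = build_baseline(root)  # taken from the known-good state

        # Simulated changes of the kind the article warns about.
        (theme / "functions.php").write_text("<?php // theme helpers\n// unexpected edit\n")
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir()
        (uploads / "cache.php").write_text("<?php // PHP where only media belongs\n")
        (root / "index.php").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline has to come from a copy you trust, such as the original WordPress core and plugin packages or a backup that predates September 6, 2021; a baseline taken after the attacker's first access would simply enshrine any changes already made. PHP files appearing under `wp-content/uploads`, where only media should live, deserve particular attention in the "added" list.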