GoDaddy Spanked For Massive Security Breach Putting 1.2M WordPress Accounts At Risk

It would seem that not even GoDaddy can keep all the children of the internet behaving as they should. The very popular internet domain registrar and web hosting giant announced yesterday that its security was compromised last week.

GoDaddy announced yesterday that on November 17th it had discovered that an unauthorized third party had gained access to its Managed WordPress hosting environment. The breach itself began on September 6, 2021, when the unauthorized party used a vulnerability to gain access to customer information. Once it identified the intrusion, GoDaddy launched an investigation with the help of an IT forensics firm and contacted law enforcement.

The compromised customer information included the email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress customers. GoDaddy warns that these email addresses could be used for phishing attacks. Also exposed was the original WordPress Admin password that was set at the time of provisioning.

Where any of these passwords were still in use, GoDaddy has already reset them. For active customers, the sFTP and database usernames and passwords were also accessed in the breach, and the company has reset those as well. Finally, for a subset of active customers, the SSL private key was exposed; GoDaddy is in the process of installing new certificates for every customer affected by this.

GoDaddy apologized in a filing with the SEC, saying, "We are sincerely sorry for this incident and the concern it causes for our customers." The apology may come as little consolation to the 1.2 million customers whose data has been placed at risk by the breach, especially since the attack went unnoticed for more than two months before GoDaddy identified it and took action. Anyone who was using GoDaddy's Managed WordPress product during the breach window should treat their data as exposed until they are notified otherwise.

It is likely that the breach was made possible by GoDaddy storing sFTP credentials either in plaintext or in a format that could be reversed into plaintext. There are more secure ways the company could have stored this data, such as keeping only a salted hash of each password or authenticating sFTP users with a public key. It was this practice that gave the attacker access to password credentials without having to break a sweat.

One of the major concerns about this attack comes from the breach of the sFTP and database passwords. While GoDaddy reset both once it found the breach, the person(s) behind the attack had around a month and a half in which they could have infected a user's website with malware or added a malicious administrative user. This means the attacker could still have control of, and access to, some affected websites even after GoDaddy changed the passwords.

Among the recommended actions: if you operate an e-commerce site and GoDaddy informs you that you were part of the breach, you may be required to let your customers know, and it is not a bad idea to give them a heads up either way. Anyone operating a WordPress site through GoDaddy should change all of their passwords, even if GoDaddy has already done so, along with any and all passwords associated with their GoDaddy account, including any email accounts. Enabling two-factor authentication is always a good idea on any site, and if you have not done so yet it is highly recommended you do so now. You also want to check for any unauthorized admin accounts, since these are a foothold for malware and future attacks on your site. Also, keep an eye on your email for phishing.

One final thing to check is your site's filesystem. Look in wp-content/plugins and wp-content/mu-plugins for any unexpected plugins; it is possible that legitimate-looking plugins are being used to maintain unauthorized access.
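As an added illustration of that filesystem check (example code, not from the article or from GoDaddy), the script below compares the contents of wp-content/plugins and wp-content/mu-plugins against an allowlist of plugins you know you installed and reports anything else along with its last-modified time, so the timestamps can be compared with the breach window. The allowlist and the sample directory tree are constructed for the demonstration; on a real site, point it at your own wp-content directory and your own list. Reviewing admin users still needs the database or WP-CLI and is not covered here.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample allowlist: the plugins you know you installed yourself.
EXPECTED_PLUGINS = {"akismet", "hello.php"}
EXPECTED_MU_PLUGINS = set()          # many sites legitimately have none


def audit_wp_content(wp_content, expected_plugins=EXPECTED_PLUGINS,
                     expected_mu=EXPECTED_MU_PLUGINS):
    """Flag entries in plugins/ and mu-plugins/ that are not on the allowlist.

    Returns {"plugins": [...], "mu_plugins": [...]}, each a list of
    (name, last_modified_utc). mu-plugins deserve extra scrutiny: every .php
    file placed directly in that directory is loaded on every request with no
    activation step, so an unexpected file there is a strong persistence signal.
    """
    wp_content = Path(wp_content)
    findings = {"plugins": [], "mu_plugins": []}
    for sub, allow, key in (("plugins", expected_plugins, "plugins"),
                            ("mu-plugins", expected_mu, "mu_plugins")):
        folder = wp_content / sub
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            # WordPress ships an empty index.php in plugins/; skip it and the allowlist.
            if entry.name == "index.php" or entry.name in allow:
                continue
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc)
            findings[key].append((entry.name, mtime.isoformat(timespec="seconds")))
    return findings


def build_sample_tree():
    """Construct a throwaway wp-content tree with one planted surprise in each dir.

    'wp-helper' and 'cache-helper.php' are made-up names for the demonstration.
    """
    root = Path(tempfile.mkdtemp()) / "wp-content"
    for d in ("plugins/akismet", "plugins/wp-helper", "mu-plugins"):
        (root / d).mkdir(parents=True)
    for f in ("plugins/hello.php", "plugins/index.php", "mu-plugins/index.php",
              "mu-plugins/cache-helper.php"):
        (root / f).write_text("<?php\n")
    return root


if __name__ == "__main__":
    for key, items in audit_wp_content(build_sample_tree()).items():
        for name, modified in items:
            print(f"{key}: {name} (last modified {modified})")
```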

GoDaddy has left a lot of users at risk, not only for the time its data was being accessed but for a long time afterwards, with the possibility of continued unauthorized access, email phishing scams and malware. For anyone who could be affected by all this, we encourage you to take all the steps listed above and to keep an eye out for any new information that may surface in the days and weeks to come.