GoDaddy is a web hosting company with millions of users across the internet. Many websites, big and small, use the company to host their WordPress sites. Today, GoDaddy announced that it suffered a data breach affecting 1.2 million users and websites.
According to Wordfence, the attacker is unknown and gained unauthorized access to the system used to provision the company’s Managed WordPress sites. Wordfence also notes that the 1.2 million number “does not include the number of customers of those websites affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.”
According to the report filed by GoDaddy with the SEC, the attacker initially gained access via a compromised password on September 6, 2021, and was discovered on November 17, 2021, at which point their access was revoked. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.
It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.
According to their SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.” (Wordfence)
The hackers had access to user email addresses and customer numbers, the original WordPress Admin password that was set at the time of provisioning, and SSL private keys. From September 6, 2021, to November 17, 2021, the sFTP and database usernames and passwords of active customers were accessible to the attacker.
Wordfence has a comprehensive write-up of the whole incident on its website; if you want to dive deeper, it’s worth checking out. For now, here’s what Wordfence says you should do if you have a website hosted by GoDaddy:
- If you’re running an e-commerce site, or store PII (personally identifiable information), and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach. Please research what the regulatory requirements are in your jurisdiction, and make sure you comply with those requirements.
- Change all of your WordPress passwords, and if possible force a password reset for your WordPress users or customers. As the attacker had access to the password hashes in every impacted WordPress database, they could potentially crack and use those passwords on the impacted sites.
- Change any reused passwords and advise your users or customers to do so as well. The attacker could potentially use credentials extracted from impacted sites to access any other services where the same password was used. For example, if one of your customers uses the same email and password on your site as they use for their Gmail account, that customer’s Gmail could be breached by the attacker once they crack that customer’s password.
- Enable 2-factor authentication wherever possible. The Wordfence plugin provides this as a free feature for WordPress sites, and most other services provide an option for 2-factor authentication.
- Check your site for unauthorized administrator accounts.
- Scan your site for malware using a security scanner.
- Check your site’s filesystem, including wp-content/mu-plugins, for any unexpected plugins, or plugins that do not appear in the plugins menu, as it is possible to use legitimate plugins to maintain unauthorized access.
- Be on the lookout for suspicious emails – phishing is still a risk, and an attacker could still use extracted emails and customer numbers to obtain further sensitive information from victims of this compromise.
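As an added example (not part of the article or of Wordfence’s guidance), here is a small Python audit of wp-content/mu-plugins for the filesystem check above: it flags top-level PHP files that carry no plugin header and files modified inside the access window given in the SEC filing. The sample install it builds is constructed for the demo, and reading the filing’s dates as UTC is an assumption.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Access window from the GoDaddy SEC filing: first access to revocation (UTC assumed).
WINDOW_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 11, 18, tzinfo=timezone.utc)

def has_plugin_header(path):
    """True if the file's first 8 KB carries a 'Plugin Name:' header."""
    try:
        return "Plugin Name:" in path.read_text(errors="replace")[:8192]
    except OSError:
        return False

def audit_mu_plugins(wp_root, start=WINDOW_START, end=WINDOW_END):
    """Return (relative_path, reason) findings for wp-content/mu-plugins.
    Top-level .php files there run on every request and cannot be deactivated
    from the dashboard, so a file without a plugin header or with an mtime in
    the access window deserves manual review. mtimes can be forged, so an
    empty result is not proof of a clean install."""
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"
    findings = []
    if not mu_dir.is_dir():
        return findings
    for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
        rel = str(path.relative_to(mu_dir))
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if start <= mtime < end:
            findings.append((rel, "modified during the reported access window"))
        if path.suffix == ".php" and path.parent == mu_dir and not has_plugin_header(path):
            findings.append((rel, "top-level PHP file without a Plugin Name header"))
    return findings

def demo():
    """Build a constructed sample install in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        legit = mu / "site-tweaks.php"        # constructed: has header, outside window
        legit.write_text("<?php\n/*\nPlugin Name: Site Tweaks\n*/\n")
        odd = mu / "wp-cache-helper.php"      # constructed: no header, inside window
        odd.write_text("<?php\n// no plugin header\n")
        before = datetime(2021, 8, 1, tzinfo=timezone.utc).timestamp()
        during = datetime(2021, 10, 3, tzinfo=timezone.utc).timestamp()
        os.utime(legit, (before, before))
        os.utime(odd, (during, during))
        return audit_mu_plugins(tmp)
```

Run `audit_mu_plugins("/path/to/wordpress")` against a real install root; `demo()` only exercises the constructed sample.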
Last Updated on November 22, 2021.