An SEC filing has revealed that leading domain name registrar GoDaddy suffered a data breach that impacts some 1.2 million of its current and former managed hosting customers. Wordpress users may have had their email addresses exposed to an unknown third party.
The breach does not appear to impact GoDaddy customers with other products, such as domain name registrations or those with self-hosted plans. Wordpress users with a managed hosting plan (accessed through a GoDaddy control panel) appear to be the only group impacted at this time, with the intruder using stolen login credentials to peruse customer numbers and email addresses. Some customers may have also had their sFTP credentials and SSL private keys exposed.
GoDaddy data breach exposes email addresses, limited admin credentials for managed Wordpress sites
A mandatory SEC notification reveals that the data breach was discovered November 17. Demetrius Comes, Chief Information Security Officer for GoDaddy, says that an unauthorized third party accessed the provisioning system in the legacy code base for Wordpress users with managed accounts. The data breach window apparently began on September 6; GoDaddy says that the hacker was using a compromised password and that the account was blocked immediately upon discovery. The data breach was apparently discovered by Wordfence, a third-party plugin that is popular with Wordpress users for basic automated website security.
Given that the data breach window stretched for over two months, it is reasonable to expect that all the data the attacker had access to was exfiltrated. Fortunately, for many Wordpress users, this appears to be limited to their customer number and email address. However, the attacker apparently had access to former customers as well as current ones.
Some of the Wordpress users are at greater risk. The press release indicates that, for both former and current customers, the original WordPress Admin password that was set at the time of provisioning was exposed. GoDaddy says that it has reset all of these passwords at this point, but password re-use could provide the attacker with further opportunities here.
There are some additional risks to current active customers. GoDaddy says that sFTP and database usernames and passwords were also exposed. Not all Wordpress users will have had this feature set up, but those that did may have copied their main password over to make use of it. GoDaddy also says that a “subset” of additional customers had their SSL private keys (used to enable sites to have a secure https connection) exposed.
Murali Palanisamy, chief solutions officer for AppViewX, elaborates on this particular threat: “With compromised SSL private keys and certificates, hackers can hijack a domain name and use it to extort ransom for its return. They can also redirect users to what appears as an identical website and deploy malware or collect user credentials and credit card information and much more.”
Impacted Wordpress users have been contacted directly
GoDaddy says that it has reached out to its Wordpress users that may have been compromised, and that it is “taking steps to strengthen our provisioning system with additional layers of protection.”
Though the data breach does not appear to impact the majority of the company’s estimated 20 million customers, its shares fell 1.6% after the news and have continued on a downward trend to present.
GoDaddy did not elaborate on the steps it was taking to improve security, but it would be hoped that not continuing to store sFTP passwords in plain text would be the first item on the list. Security experts weighed in on social media to report that this is not a common practice and should be considered a serious failing. SSL certificates are a relatively easy fix, with several ways now available for any site to obtain one for free, but this is another area where the data breach window is very concerning. During the two plus months that the attacker had access, the sites of Wordpress users could have had valid URLs hijacked by impostors, something more likely if the administrator had not been paying careful attention to the site during that period.
Also, given that Wordpress users had their admin and FTP passwords exposed for over two months, one would hope that GoDaddy would offer some sort of assistance with remediating any individual site data breaches experienced due to the lapse. There is no word of this sort of thing as of yet, however.
GoDaddy suffered another data breach in early 2020, one that also impacted its web hosting services. An attacker was able to get into the SSH accounts of over 20,000 customers, but it is unclear if they stole or altered any files before being blocked. GoDaddy sent individual email notifications to impacted customers and offered them a free year’s subscription to the company’s Website Security Deluxe and Express Malware Removal services. Matt Sanders, Director of Security at LogRhythm, points out that GoDaddy’s recent security history prior to 2020 is also somewhat spotty: “Unfortunately, this incident is the fourth time in the last few years GoDaddy has suffered a data breach or cyberattack. This month’s data breach follows the hacking of a cryptocurrency domain managed by GoDaddy last November, an unauthorized user who breached 28,000 accounts last May, and an AWS error that exposed GoDaddy server data in 2018. When an organization experiences a cyberattack, it can signal a lack of proper security controls and policies, making the organization an even more appealing target for cybercriminals. For valuable personal information to be properly protected within these databases, companies must implement dependable security monitoring solutions that enable complete visibility into IT ecosystems.”