IOTW: GoDaddy breach affects 1.2 million customers

GoDaddy, a domain registrar and web hosting company, has confirmed that an unknown attacker had gained unauthorized access to its Managed WordPress hosting environment.

The breach has affected up to 1.2 million Managed WordPress customers who’s email addresses and customer numbers exposed.

In a statement to the US Securities and Exchange Commission on 17 November, the company said the attacker gained access to the system as early as 6 September.

Since the 17 November statement the breach has widened to now encompass a number of brands that resell GoDaddy Managed WordPress according to a post by WordFence, a WordPress security plugin provider.

WordFence published a statement from Dan Rice, VP of Corporate Communications at GoDaddy which confirmed that the GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost.

WordFence also published the notice of security incident emails that were sent to Media Temple and tsoHost.

Plaintext issues

According to WordFence CEO, Mark Maunder, the breach was likely caused because GoDaddy was storing secure file transfer protocol (sFTP) credentials as either plaintext or in a format that could be reversed into plaintext. However, this has not been confirmed by GoDaddy.

The GoDaddy statement noted that for active customers, sFTP and database usernames and passwords were exposed.
The secure sockets layer (SSL) private key was also exposed for a subset of active customer and the original WordPress Admin password that was set at the time of provisioning was also exposed.

GoDaddy said it was resetting those passwords that were impacted and in the case of the SSL private key the company is issuing and installing new certificates for customers.

Maunder noted in his article that the data breach is likely to have “far-reaching” consequences and said that anyone using GoDaddy’s Managed WordPress offering should assume their sites have been compromised until further information becomes available.

His article lays out a number of actions that should be taken in light of the breach including notifying customers, especially for e-commers sites, change all WordPress passwords, enable 2-factor authentication where possible, scan for malware using a security scanner and be on the lookout for suspicious emails as phishing is still a high risk.

Not the first incident

Demetrius Comes, CISO at GoDaddy, said: “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

In 2020, GoDaddy notified customer that it has found that an unauthorized individual had access to login information used to connect to Secure Shell (SSH) on customer’s hosting accounts. According to BleepingComputer, the security incident took place on 19 October 2019 and was discovered on 23 April 2020.