GoDaddy (GDDY), the world’s largest domain name registrar, has disclosed that it was hacked. According to reports on Monday (11/22/2021), an unknown attacker gained unauthorized access to the system used to provision the company’s Managed WordPress sites. The breach affects up to 1.2 million GoDaddy Managed WordPress customers, and that figure does not include the visitors and customers of the affected websites.
The company posted, “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.”
GoDaddy resellers also compromised
On Tuesday (11/23/2021), GoDaddy confirmed that a number of its resellers were also compromised in the attack. If you purchased your WordPress domains from
Assume your WordPress site has been compromised.
According to the SEC report filed by the Scottsdale, AZ-based firm, the attacker initially gained access via a compromised password on September 6, 2021. The intrusion was discovered on November 17, 2021, at which point the attacker’s access was revoked. That gave the attacker more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm otherwise.
What happened at GoDaddy?
Several sites are reporting that GoDaddy stored SFTP (file transfer over SSH) credentials in a form from which the plaintext passwords could be recovered, rather than storing salted hashes of the passwords or offering public-key authentication, both of which are industry best practice. Because of this, the attacker obtained working credentials directly, with no cracking required. GoDaddy’s SEC filing confirms: “For active customers, sFTP and database usernames and passwords were exposed.”
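To make the difference concrete, here is an added example (not GoDaddy’s code; how GoDaddy actually stored these credentials is not public beyond the reports above) of the practice the paragraph describes: each password is stored as a salted scrypt hash in a self-describing record, and a login is verified by recomputing the hash from the stored salt and comparing in constant time. A dump of such records gives an attacker cracking work per password instead of ready-to-use credentials. The scheme name, record layout and work factors are choices made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors; N=2**14, r=8, p=1 is the RFC 7914 parameter set
# recommended for interactive logins (about 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form scrypt$<salt hex>$<hash hex>.

    A fresh random salt per password means two accounts with the same
    password get unrelated records, and a stolen table cannot be attacked
    with one precomputed dictionary. The salt parameter exists only so
    tests can be deterministic; production callers leave it None.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_reveal_password(records: dict) -> bool:
    """True if any stored record literally contains its plaintext password.

    Sanity check for a credential store: with hashed records this is always
    False, whereas a plaintext or reversibly encoded store fails it.
    """
    return any(password in record for password, record in records.items())


if __name__ == "__main__":
    # Constructed sample: what a provisioning system might store per site.
    store = {pw: hash_password(pw) for pw in ("Tr0ub4dor&3", "correct horse battery staple")}
    for pw, rec in store.items():
        print(rec, verify_password(pw, rec), verify_password(pw + "x", rec))
    print("plaintext recoverable from records:", records_reveal_password(store))
```

The SFTP and database services still need to authenticate users, but they can do that against such a record without ever holding the plaintext; public-key authentication for SFTP removes the password from the picture entirely.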
What did the attacker have access to?
The SEC filing indicates that the attacker had access to:
- User email addresses,
- Customer numbers,
- Original WordPress Admin password that was set at the time of provisioning,
- SSL private key, and
- sFTP and database usernames and passwords.
What could an attacker do with this info?
The attackers had unrestricted access to these systems for over two months. During that time they could have:
- Taken over these sites by uploading malware or adding a malicious administrative user. Either would let them maintain persistence and retain control of the sites even after the passwords were changed.
- Read sensitive information, including website customer PII (personally identifiable information), stored in the databases of the impacted sites.
- In some cases, used the exposed SSL private key to set up a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site.
- Used the exposed email addresses and customer numbers for targeted phishing.
How to resecure your GoDaddy-hosted WordPress site
GoDaddy should be notifying impacted customers. In the meantime, experts recommend that all Managed WordPress users assume they have been breached and perform the following actions:
- If you run an e-commerce site or store PII (personally identifiable information), and GoDaddy confirms that you were breached, you may be legally required to notify your customers of the breach.
- Change all of your WordPress passwords.
- Force a password reset for your WordPress users or customers.
- Change any reused passwords and advise your users or customers to do so as well.
- Enable 2-factor authentication wherever possible.
- Check your site for unauthorized administrator accounts.
- Scan your site for malware using a security scanner.
- Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins, or plugins that do not appear in the plugins menu.
- Be on the lookout for suspicious emails.
This GoDaddy data breach is likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, so the impact reaches not only site owners but their customers. The SEC filing says that “Up to 1.2 million active and inactive Managed WordPress customers” were affected. The customers of those sites are most likely also affected, which makes the number of people exposed far larger.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.