Tag Archive for Passwords

GoDaddy WordPress Sites Hacked?

GoDaddy (GDDY), the world’s largest domain name registrar, disclosed that it had been hacked. According to reports on Monday (11/22/2021), an unknown attacker gained unauthorized access to the system used to provision the company’s Managed WordPress sites. The breach affects up to 1.2 million GoDaddy Managed WordPress customers, and that figure does not count the visitors and customers of the affected websites.

The company posted: “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.”

GoDaddy resellers also compromised

On Tuesday (11/23/2021), GoDaddy confirmed that some of their resellers were also compromised in the attack. If you purchased your WordPress domains from

Assume your WordPress site has been compromised.

According to the SEC report filed by the Scottsdale, AZ-based firm, the attacker gained access via a compromised password on September 6, 2021. GoDaddy discovered the intrusion on November 17, 2021, and revoked the attacker’s access. That gave the attacker more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm otherwise.

What happened at GoDaddy?

Several sites are reporting that GoDaddy stored sFTP (SSH File Transfer Protocol) credentials in a form that let the plaintext passwords be retrieved, rather than storing salted hashes of the passwords or offering public-key authentication, which is the industry best practice. That design choice meant the attacker could read the passwords directly instead of having to crack them. GoDaddy’s SEC filing says: “For active customers, sFTP and database usernames and passwords were exposed.”
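To make the distinction concrete, here is an added example (not GoDaddy’s code, and not from the original post) in Python that puts a retrievable record beside a salted scrypt record for the same password. The function names (store_retrievable, hash_password, verify_password) and the example password are made up for this illustration. One caveat: hashing applies to the provider’s copy of the sFTP passwords. A WordPress site’s own database password has to stay readable by the site (it lives in wp-config.php), so for that secret the only remedy after exposure is rotation.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- Retrievable storage (the pattern the reports describe; do NOT do this) ---
# base64 is an encoding, not encryption: anyone who can read the stored row
# gets the original password back without cracking anything.
def store_retrievable(password: str) -> str:
    return base64.b64encode(password.encode("utf-8")).decode("ascii")

def recover_retrievable(stored: str) -> str:
    return base64.b64decode(stored).decode("utf-8")

# --- Salted, slow hash (what a provisioning system should keep instead) ---
# scrypt is memory-hard; N=2**14, r=8 costs roughly 16 MB and tens of ms per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$digest."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      _b64(salt), _b64(digest))

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time; the password itself is never stored."""
    scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
    if scheme != "scrypt":
        return False
    expected = base64.b64decode(digest_b64)
    computed = hashlib.scrypt(password.encode("utf-8"),
                              salt=base64.b64decode(salt_b64),
                              n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(computed, expected)

def record_leaks_password(password: str, record: str) -> bool:
    """Does a stored record hand back the password (raw or trivially encoded)?"""
    return password in record or store_retrievable(password) in record

if __name__ == "__main__":
    pw = "correct-horse-battery"        # constructed example password
    weak, strong = store_retrievable(pw), hash_password(pw)
    print("retrievable record:", weak, "-> recovers:", recover_retrievable(weak))
    print("hashed record:     ", strong)
    print("verify correct:", verify_password(pw, strong),
          "| verify wrong:", verify_password("guess", strong))
```

An attacker who copies the hashed records still has to run scrypt per guess per account, with a different salt each time; with the retrievable records the copy is the credentials.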

What did the attacker have access to?

The SEC filing indicates that the attacker had access to:

  • User email addresses,
  • Customer numbers,
  • Original WordPress Admin password that was set at the time of provisioning,
  • SSL private key, and
  • sFTP and database usernames and passwords.

What could an attacker do with this info?

The attackers had unrestricted access to these systems for over two months. During that time, they could have:

  • Taken over sites by uploading malware or adding a malicious administrative user. Either one gives them persistence, so they keep control of a site even after its passwords are changed.
  • Read sensitive information, including website customers’ PII (personally identifiable information), from the impacted sites’ databases using the exposed database credentials.
  • Used the exposed SSL private key to set up a man-in-the-middle (MITM) attack that decrypts traffic between a site visitor and an affected site. This also requires a position on the network path, so it is the least likely of these outcomes, but the key is burned either way.
  • Phished site owners, since the exposed email addresses and customer numbers let a phishing email look like genuine GoDaddy correspondence.

How to resecure your GoDaddy-hosted WordPress site

GoDaddy should be notifying impacted customers. In the meantime, experts recommend that all Managed WordPress users assume that they have been breached and perform the following actions:

  1. If you run an e-commerce site or store PII (personally identifiable information) and GoDaddy verifies that you have been breached, you may be required by law to notify your customers of the breach.
  2. Change all of your WordPress passwords, including the admin, sFTP and database passwords that were exposed.
  3. Force a password reset for your WordPress users or customers.
  4. Change any reused passwords and advise your users or customers to do the same.
  5. Enable 2-factor authentication wherever possible.
  6. Check your site for unauthorized administrator accounts, paying particular attention to any created on or after September 6, 2021.
  7. Scan your site for malware using a security scanner.
  8. Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins or plugins that do not appear in the plugins menu.
  9. Since the SSL private key was exposed, reissue your TLS certificate with a new private key and revoke the old certificate rather than reinstalling the old one.
  10. Be on the lookout for suspicious emails.
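As an added example (not GoDaddy’s tooling and not part of the original post), the following Python script shows how steps 6 and 8 can be checked from WP-CLI output rather than by eye. It assumes you have run wp user list --role=administrator --format=json, wp plugin list --format=json, and a find over wp-content/plugins and wp-content/mu-plugins on the host. The three sample outputs embedded below are constructed for the example, as are the account and file names in them; the date is the first-access date from GoDaddy’s filing.

```python
import json
import posixpath

# Constructed sample output of `wp user list --role=administrator --format=json`.
# Field names are the ones WP-CLI emits; the accounts themselves are made up.
ADMIN_USERS_JSON = """[
 {"ID": 1,  "user_login": "ralph",      "user_email": "ralph@example.com",
  "user_registered": "2019-04-02 10:00:00", "roles": "administrator"},
 {"ID": 57, "user_login": "wp-support", "user_email": "support@example.net",
  "user_registered": "2021-09-08 03:14:22", "roles": "administrator"}
]"""

# Constructed sample output of `wp plugin list --format=json`
# (WP-CLI lists must-use plugins here as well, with status "must-use").
PLUGIN_LIST_JSON = """[
 {"name": "akismet",      "status": "active",   "update": "none", "version": "4.2.1"},
 {"name": "hello",        "status": "inactive", "update": "none", "version": "1.7.2"},
 {"name": "health-check", "status": "must-use", "update": "none", "version": "1.4.5"}
]"""

# Constructed sample output of:
#   find wp-content/plugins wp-content/mu-plugins -mindepth 1 -maxdepth 1
DISK_LISTING = """
wp-content/plugins/akismet
wp-content/plugins/hello.php
wp-content/plugins/index.php
wp-content/plugins/.cache
wp-content/mu-plugins/health-check.php
wp-content/mu-plugins/wp-config-helper.php
"""

BREACH_START = "2021-09-06"   # first unauthorized access per GoDaddy's SEC filing

def unexpected_admins(admin_users_json, expected_logins, breach_start=BREACH_START):
    """Administrators who are not on your allow-list, or who were registered
    on or after the date the attacker first had access."""
    flagged = []
    for user in json.loads(admin_users_json):
        registered = user.get("user_registered", "")[:10]   # ISO dates sort as text
        if user["user_login"] not in expected_logins or registered >= breach_start:
            flagged.append(user["user_login"])
    return flagged

def plugin_slug(path):
    """WordPress keys a plugin by its directory name, or by the file name
    without .php for a single-file plugin such as hello.php."""
    name = posixpath.basename(path.rstrip("/"))
    return name[:-4] if name.endswith(".php") else name

def unlisted_plugins(disk_listing, plugin_list_json):
    """Entries on disk that `wp plugin list` (and so the Plugins menu) does not know."""
    known = {p["name"] for p in json.loads(plugin_list_json)}
    flagged = []
    for path in (line.strip() for line in disk_listing.splitlines()):
        if not path:
            continue
        parent = posixpath.basename(posixpath.dirname(path))
        slug = plugin_slug(path)
        if parent == "plugins" and slug == "index":
            continue          # WordPress ships an empty index.php in wp-content/plugins
        if slug not in known:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    print("suspicious admins:", unexpected_admins(ADMIN_USERS_JSON, {"ralph"}))
    print("unlisted plugins: ", unlisted_plugins(DISK_LISTING, PLUGIN_LIST_JSON))
```

Anything the second function reports deserves a look at its contents before deletion: a directory with no plugin header will not appear in the menu, and a stray .php file in mu-plugins is loaded on every request without ever being activated.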

rb-

These GoDaddy data breaches are likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, affecting site owners and their customers. The SEC filing says that “up to 1.2 million active and inactive Managed WordPress customers” were affected. Customers of those sites are most likely also affected, which makes the number of affected people much larger.


Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

You Need a Strong Username

When securing your online accounts, your username matters. A recent report from password manager provider NordPass points out why you should have a strong username: an easy-to-guess username gives away half of the protection for your online information.

Strong passwords are vital to securing your online information, but you shouldn’t skimp on your username either. NordPass found that most people use their actual name as their username.

The blog states that usernames which include personal information are the worst. That is because when you use personal data to create your account, it helps cybercriminals build your profile. If you post a comment on Facebook with a username Becky1970 or ToledoTommy, that’s enough for an attacker to start a social engineering attack.

How to create a strong username

Here are some tips from Nordpass to help you create a strong username.

  • Don’t reuse your username on other accounts; this makes it easy to track you.
  • Don’t use your actual name.
  • Avoid creating a username that’s identical to your email address.
  • Don’t use personal information like your birth date, the city you’re from, or social security and ID numbers.
  • Don’t use usernames that are the same as your password or may hint at it.

If these tips are too complicated, use a username generator.

Here are the 25 most popular usernames

2020 Risky usernames

Rank  Name        Times used
1     ยศกร        875,562
2     David       470,646
3     Alex        451,546
4     Maria       438,485
5     Anna        387,660
6     Marco       352,629
7     Antonio     325,085
8     Daniel      310,096
9     Andrea      305,442
10    집을뒤집자   298,963
11    Laura       296,627
12    Ali         290,285
13    박춘우       277,859
14    Jose        271,960
15    Sandra      264,886
16    พิมวิภา     249,476
17    Sara        247,072
18    Carlos      214,261
19    Ana         212,049
20    Michael     198,312
21    Marie       194,530
22    Francesco   193,526
23    Mehmet      191,023
24    Marta       186,424
25    Sarah       184,996

NordPass partnered up with a white-hat hacker, who compiled a report of the most popular usernames of all time. The hacker requested to stay anonymous.


Click here to see the Nordpass 200 most used usernames.

rb-

For those of us who don’t know, the most common username means ‘title’ in Thai.

Thankfully some key usernames are missing from this list: Admin, Administrator, guest, root, user.


Stay safe out there!



Data Privacy Day 2021

Data Privacy Day in the U.S. is January 28, 2021. It is an extension of Europe’s Data Protection Day, which commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.

Why is Data Privacy Day important?

In this era of rapid technological advancement, having relevant data is key to the success of any organization. Almost every organization collects and combines data in order to put the right content in front of the right person, at the right time, on the right platform.

That data is collected from users or customers who submit their personal information trusting that the firm will keep it private. Users hand over personal information expecting a better service and trusting that their data is private, safe, and secure. But when the data goes into the wrong hands and data privacy fails, bad things happen: data breaches end with cyber-criminals misusing user information for scams and identity theft. That is why everyone needs to “Own Your Data Privacy.” Here are resources to help you do that.

Update your Privacy Settings

Your purchase history, IP address, location, and so on have value, just like money. (How else does Mark Zuckerberg make his $100 billion?) Make informed decisions about sharing your data with companies: consider the amount of personal information you are giving up and weigh it against the benefits you may receive. Use these resources provided by the National Cyber Security Alliance (NCSA) to update your privacy settings on popular devices and online services.

Keep tabs on your apps

Many apps ask for access to personal information, like your geographic location, contacts list, or photo album, before you can use their services. Be wary of apps that require access to information that is not needed for the service they offer. Use these tips from the Data Detox Kit to protect your data privacy. Keep your apps up to date, and delete unused apps from your devices.

Manage your passwords!

You don’t need to be overwhelmed by all your log-ins and passwords. Use a password manager to keep your data private and to generate and track strong, unique passwords. Add an extra layer of protection by activating two-factor authentication (2FA) wherever it is available. With 2FA, a cybercriminal who steals your password still cannot get into your account without the second factor.

Take action!

  • Make sure your computer is free from known viruses and spyware, and find out whether it is vulnerable to cyber-attacks. Use these free Security Check-Up resources from NCSA to protect your data privacy.
  • Check your online safety know-how with a privacy and security quiz. Get started with the National Privacy Test and the Google Phishing Quiz to measure how good you are at protecting your privacy.
  • Join the National Cyber Security Alliance and LinkedIn on January 28 at 9 a.m. for the signature video conference event, Data Privacy in an Era of Change. It gathers data privacy experts from industry, government, academia, and non-profits for keynotes, panels, and discussions on current topics in data privacy. Register here.
  • Show your support for Data Privacy Day by using one of the International Association of Privacy Professionals’ official Data Privacy Day virtual backgrounds for video calls.

rb-

Data Privacy Day reminds us of the value of our data and of our right to transparency about how it is used. It is a day to re-evaluate and identify the flaws in how we have been collecting, sharing, and using data, and to close those gaps so that our valuable data is not tampered with by malware, misused, or lost.


Stay safe out there!



These Passwords are Not Protecting Your Info

It is 2020 and, among all the other things going on during this dumpster-fire of a year, passwords are still a problem. According to NordPass’s list of the 200 worst passwords of 2020, millions of people are still using “123456” and “password” as their login credentials. These are the worst passwords you can use, year in and year out; they have been the worst since I started tracking them on the Bach Seat in 2011. “123456” alone has turned up in data breaches more than 23 million times, according to NordPass. To protect your data, stop using “123456” and “password.”

Half of the top 25 passwords are new offenders for 2020, but NordPass says any of the top 25 typically takes less than a second to crack. Don’t be fooled: a variation on the number row, such as “000000” or “123123”, does not add any security to your account. Likewise, any adjacent-key combination such as “qwertyuiop” or “asdfghjkl” can be cracked in under a second, the company said.

2020's Worst Passwords

Rank  Password     Change from 2019
1     123456       unchanged
2     123456789    unchanged
3     picture1     new
4     password     unchanged
5     12345678     up 1
6     111111       up 3
7     123123       up 3
8     12345        down 1
9     1234567890   new
10    senha        new
11    1234567      down 6
12    qwerty       down 9
13    abc123       down 2
14    Million2     new
15    000000       new
16    1234         new
17    iloveyou     down 9
18    aaron431     new
19    password1    new
20    qqww1122     new
21    123          new
22    omgpop       new
23    123321       new
24    654321       new
25    qwertyuiop   down 10

Methodology: The list was compiled by NordPass, which sells a password manager, in partnership with a third-party company specializing in data breach research. They evaluated a database containing 275,699,516 passwords in total.

Stay safe out there!



Stop Using These Passwords Now

The annual list of the worst passwords is out. People are lazy and still use the same old compromised passwords; not much has changed since 2018, 2017, or 2016. SplashData’s 9th annual list of worst passwords looked at 5 million passwords leaked in data breaches during 2019 and found that 123456 is still the most frequently used password.

Some other interesting password factoids from the survey include:

  • password has been knocked out of the top two spots for the first time in the list’s history.
  • Simple patterns using contiguous keys on the keyboard, like 1q2w3e4r, qwertyuiop, and !@#$%^&*, are new for 2019. They may look complex, but cracking tools try keyboard walks early, so they will not fool attackers.
  • QWERTY is a big mover in 2019: qwerty moved up 6 places to #3, and qwerty123 moved up 13 spots to #12.
  • After making its debut on the 2018 list, “donald” fell to #34 on the list of the most dangerous passwords to use.
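Both the remark above about 1q2w3e4r and !@#$%^&* and the 2020 post’s point that “000000” or “qwertyuiop” add no security come down to the same thing: these strings are keyboard geometry, not entropy. The following Python example, added here and not part of either post or of the NordPass or SplashData research, encodes a US QWERTY layout and flags a password that is a keyboard walk, a repeated block, or one of the top-25 entries from the two lists on this page. The row offsets and the adjacency rule are my own approximation of the physical layout, and the function names are made up for the example.

```python
# Rows of a US QWERTY keyboard with each row's horizontal offset (in key widths),
# so that vertical neighbours such as 1-q-a-z land close together.
KEY_ROWS = [
    ("`1234567890-=", 0.0),
    ("qwertyuiop[]\\", 1.5),
    ("asdfghjkl;'", 1.75),
    ("zxcvbnm,./", 2.25),
]
# Shifted symbols map to the key that produces them: "!@#$" is the same walk as "1234".
SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))

KEY_POS = {}
for row_index, (row, offset) in enumerate(KEY_ROWS):
    for col, ch in enumerate(row):
        KEY_POS[ch] = (offset + col, float(row_index))

# Top-25 entries from the 2020 (NordPass) and 2019 (SplashData) lists on this page.
DENYLIST = {p.lower() for p in """
123456 123456789 picture1 password 12345678 111111 123123 12345 1234567890 senha
1234567 qwerty abc123 Million2 000000 1234 iloveyou aaron431 password1 qqww1122
123 omgpop 123321 654321 qwertyuiop
qwerty123 1q2w3e4r admin 555555 lovely 7777777 welcome 888888 princess dragon 123qwe
""".split()}

def _adjacent(a, b):
    """Same key, or a physically neighbouring key (diagonals such as 1->q->2 count)."""
    if a not in KEY_POS or b not in KEY_POS:
        return False
    (ax, ay), (bx, by) = KEY_POS[a], KEY_POS[b]
    return abs(ax - bx) <= 1.0 and abs(ay - by) <= 1.0

def is_keyboard_walk(password, min_len=4):
    """True when every consecutive pair of keys is adjacent on the keyboard."""
    keys = [SHIFTED.get(c, c) for c in password.lower()]
    if len(keys) < min_len:
        return False
    return all(_adjacent(a, b) for a, b in zip(keys, keys[1:]))

def is_repeated_pattern(password, min_len=4):
    """True when the password is one short block repeated, e.g. 123123 or 000000."""
    n = len(password)
    if n < min_len:
        return False
    return any(n % k == 0 and password[:k] * (n // k) == password
               for k in range(1, n // 2 + 1))

def classify(password):
    """Why this password falls in under a second, or None if none of the checks fire."""
    if is_repeated_pattern(password):
        return "repeated pattern"
    if is_keyboard_walk(password):
        return "keyboard walk"
    if password.lower() in DENYLIST:
        return "denylisted"
    return None

if __name__ == "__main__":
    for pw in ["1q2w3e4r", "!@#$%^&*", "qwertyuiop", "123123", "Million2", "Tr0ub4dor&3"]:
        print("%-12s -> %s" % (pw, classify(pw)))
```

The walk check is deliberately loose (a stationary key counts as adjacent, and it goes in any direction), because that is how cracking rule sets treat keyboard patterns; a password that survives all three checks is not thereby strong, it has merely avoided the cheapest guesses.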

Rank  Password     Change from 2018
1     123456       unchanged
2     123456789    up 1
3     qwerty       up 6
4     password     down 2
5     1234567      up 2
6     12345678     down 2
7     12345        down 2
8     iloveyou     up 2
9     111111       down 3
10    123123       up 7
11    abc123       up 4
12    qwerty123    up 13
13    1q2w3e4r     new
14    admin        down 2
15    qwertyuiop   new
16    654321       up 3
17    555555       new
18    lovely       new
19    7777777      new
20    welcome      down 7
21    888888       new
22    princess     down 11
23    dragon       new
24    password1    unchanged
25    123qwe       new

Morgan Slain, CEO of SplashData, told Gizmodo:

“Our hope … is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off. We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.”

rb-

So how can you keep your online personal information safe?

  1. Make sure none of your passwords are on SplashData’s worst passwords of the year list. If any are, log on and change them immediately. See the full 100 worst passwords on SplashData’s site.
  2. Use two-factor authentication whenever possible. Even if a hacker has your password, they won’t have the one-time code and therefore won’t be able to get into your account. Not sure whether your favorite website supports two-factor authentication? Search the Two Factor Auth List to find out.
  3. Consider a password manager. Your brain is no longer an adequate password manager. SplashData makes several password managers, SplashID, TeamsID, and Gpass, depending on your needs.

