
GoDaddy WordPress Sites Hacked?

GoDaddy (GDDY), the world’s largest domain name registrar, disclosed that it had been hacked. According to reports on Monday (11/22/2021), an unknown attacker gained unauthorized access to the system used to provision the company’s Managed WordPress sites. This breach impacts up to 1.2 million GoDaddy WordPress customers. That figure does not include the customers of the affected websites themselves.

The company posted, “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.”

GoDaddy resellers also compromised

On Tuesday (11/23/2021), GoDaddy confirmed that some of their resellers were also compromised in the attack. If you purchased your WordPress domains from

Assume your WordPress site has been compromised.

According to the SEC report filed by the Scottsdale, AZ-based firm, the attacker gained access via a compromised password on September 6, 2021. The attacker was discovered on November 17, 2021, when the attacker’s access was revoked. The attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.

What happened at GoDaddy?

Several sites are reporting that GoDaddy stored sFTP (Secure FTP) credentials in a form from which the plaintext passwords could be retrieved, rather than storing salted hashes of those passwords or offering public key authentication, which is industry best practice. This choice gave the attacker direct access to the passwords without having to crack them. According to their SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”
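To make the contrast concrete, here is an added example (my own illustration, not GoDaddy’s code and not anything from the SEC filing) of the two storage choices the paragraph describes: a plaintext credential store, from which a copy of the database hands an attacker usable passwords outright, beside a salted PBKDF2-HMAC-SHA256 store, from which a copy yields only salts and digests that still have to be brute-forced one password at a time. The user name, the sample password and the store layout are all constructed; public key authentication, the other option the paragraph mentions, is not modelled here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations. The
# parameter is adjustable so that demonstrations can run quickly.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh 16-byte random salt is drawn per password, so two accounts with
    the same password get different records and a precomputed table is useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %s" % algorithm)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        base64.b64decode(salt_b64), int(iterations),
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


# Constructed sample credential; not a real GoDaddy value.
SAMPLE_USER = "wp-site-1234"
SAMPLE_PASSWORD = "Example-sFTP-Passw0rd"


def plaintext_store() -> dict:
    """The design the reports describe: the password itself sits on disk."""
    return {SAMPLE_USER: SAMPLE_PASSWORD}


def hashed_store(iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Best-practice design: only a salt and a slow digest sit on disk."""
    return {SAMPLE_USER: hash_password(SAMPLE_PASSWORD, iterations=iterations)}


if __name__ == "__main__":
    # What a thief who copies each store actually walks away with.
    print("plaintext store leaks:", plaintext_store()[SAMPLE_USER])
    record = hashed_store(iterations=20_000)[SAMPLE_USER]
    print("hashed store leaks:   ", record)
    print("login with real password:", verify_password(SAMPLE_PASSWORD, record))
    print("login with stolen record:", verify_password(record, record))
```

The last two lines are the point: the hashed record verifies the real password but is useless when presented as a password, so a database copy alone does not log anyone in. In production, keep the iteration count at the default (or use a memory-hard function such as scrypt or Argon2) and store the record with its parameters so they can be raised later without a forced reset.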

What did the attacker have access to?

The SEC filing indicates that the attacker had access to:

  • User email addresses,
  • Customer numbers,
  • Original WordPress Admin password that was set at the time of provisioning,
  • SSL private key and
  • sFTP and database usernames and passwords.

What could an attacker do with this info?

The attackers had unrestricted access to these systems for over two months. During that time, they could have:

  • Taken over these sites by uploading malware or adding a malicious administrative user. This lets them maintain persistence and retain control of the sites even after the passwords are changed.
  • Had access to sensitive information, including website customer PII (personally identifiable information) stored in the impacted sites’ databases.
  • In some cases, set up a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site.
  • Beyond that, the exposed email addresses and customer numbers increase the risk of phishing.

How to resecure your GoDaddy-hosted WordPress site

GoDaddy should be notifying impacted customers. In the meantime, experts recommend that all Managed WordPress users assume that they have been breached and perform the following actions:

  1. If you run an e-commerce site or store PII (personally identifiable information) and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach.
  2. Change all of your WordPress passwords.
  3. Force a password reset for your WordPress users or customers.
  4. Change any reused passwords and advise your users or customers to do so.
  5. Enable 2-factor authentication wherever possible.
  6. Check your site for unauthorized administrator accounts.
  7. Scan your site for malware using a security scanner.
  8. Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins or plugins that do not appear in the plugins menu.
  9. Be on the lookout for suspicious emails.
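As an added example (mine, not the post’s and not WordPress’s own code), the following script automates steps 6 and 8 on a constructed copy of the data. It reads admin membership from rows copied out of wp_usermeta, whose wp_capabilities value is a PHP-serialized role array, and compares it with the site owner’s allowlist; it then walks wp-content/plugins and wp-content/mu-plugins. It assumes, based on how WordPress’s plugin loader behaves, that a plugin directory appears on the Plugins screen only when a PHP file directly inside it carries a “Plugin Name:” header (read from the first 8 KiB of the file), and that every file in mu-plugins deserves review because it auto-loads on each request and cannot be deactivated from the dashboard. The user names, plugin names and directory tree are constructed.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# wp_capabilities is PHP-serialized, e.g. a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([a-z_]+)";b:1;')
# WordPress reads the first 8 KiB of a file when looking for plugin headers.
HEADER_RE = re.compile(r"Plugin Name:\s*\S")
HEADER_BYTES = 8192


def admin_logins(usermeta_rows: Iterable[Tuple[str, str]]) -> List[str]:
    """usermeta_rows: (user_login, wp_capabilities) pairs. Returns admin logins."""
    return sorted(login for login, caps in usermeta_rows
                  if "administrator" in ROLE_RE.findall(caps))


def unexpected_admins(usermeta_rows, expected: Iterable[str]) -> List[str]:
    """Administrators in the database that the site owner did not create."""
    return sorted(set(admin_logins(usermeta_rows)) - set(expected))


def has_plugin_header(php_file: Path) -> bool:
    with php_file.open("rb") as fh:
        head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    return HEADER_RE.search(head) is not None


def audit_plugins(wp_content: Path) -> Dict[str, List[str]]:
    """Flag plugin directories the Plugins screen cannot show, plus every mu-plugin."""
    findings: Dict[str, List[str]] = {"hidden_plugin_dirs": [], "mu_plugins": []}
    plugins_dir = wp_content / "plugins"
    if plugins_dir.is_dir():
        for entry in sorted(plugins_dir.iterdir()):
            if entry.is_dir() and not any(has_plugin_header(p) for p in entry.glob("*.php")):
                findings["hidden_plugin_dirs"].append(entry.name)
    mu_dir = wp_content / "mu-plugins"
    if mu_dir.is_dir():
        findings["mu_plugins"] = sorted(p.name for p in mu_dir.glob("*.php"))
    return findings


def run_audit(wp_content: Path, usermeta_rows, expected_admins) -> Dict[str, List[str]]:
    report = audit_plugins(wp_content)
    report["unexpected_admins"] = unexpected_admins(usermeta_rows, expected_admins)
    return report


# ---- constructed sample data; not from any real site -----------------------
SAMPLE_USERMETA = [
    ("siteowner", 'a:1:{s:13:"administrator";b:1;}'),
    ("jane_editor", 'a:1:{s:6:"editor";b:1;}'),
    ("wp_support_tmp", 'a:1:{s:13:"administrator";b:1;}'),  # nobody remembers adding this
]
EXPECTED_ADMINS = ["siteowner"]


def build_sample_tree() -> Path:
    """Throwaway wp-content with one normal plugin, one hidden one and one mu-plugin."""
    root = Path(tempfile.mkdtemp()) / "wp-content"
    normal = root / "plugins" / "akismet"
    normal.mkdir(parents=True)
    (normal / "akismet.php").write_text("<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n")
    hidden = root / "plugins" / "wp-cache-helper"
    hidden.mkdir()
    # No header in any file, so the Plugins screen never lists this directory.
    (hidden / "index.php").write_text("<?php // constructed placeholder contents\n")
    mu = root / "mu-plugins"
    mu.mkdir()
    (mu / "site-tweaks.php").write_text("<?php // auto-loaded on every request\n")
    return root


if __name__ == "__main__":
    for key, items in run_audit(build_sample_tree(), SAMPLE_USERMETA, EXPECTED_ADMINS).items():
        print("%-20s %s" % (key, ", ".join(items) or "(none)"))
```

Treat the output as a review list, not a delete list: an abandoned but legitimate plugin directory will also show up as hidden, and managed hosts commonly ship their own mu-plugins. The script does not inspect file contents, so it complements rather than replaces the malware scan in step 7, and a run against a known-clean backup of wp-content gives a baseline to diff against.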

rb-

These GoDaddy data breaches are likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, affecting site owners and their customers. The SEC filing says that “up to 1.2 million active and inactive Managed WordPress customers” were affected. Customers of those sites are most likely also affected, which makes the number of affected people much larger.


Stay safe out there!


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.