{"id":120753,"date":"2021-11-26T17:22:24","date_gmt":"2021-11-26T22:22:24","guid":{"rendered":"https:\/\/rbach.net\/?p=120753"},"modified":"2023-05-29T10:09:57","modified_gmt":"2023-05-29T14:09:57","slug":"godaddy-wordpress-sites-hacked","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/godaddy-wordpress-sites-hacked\/","title":{"rendered":"GoDaddy WordPress Sites Hacked?"},"content":{"rendered":"\r\n<p><a href=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/godaddy_data_theft.jpg?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-120781 size-medium\" title=\"GoDaddy WordPress Sites Hacked?\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/godaddy_data_theft.jpg?resize=150%2C122&#038;ssl=1\" alt=\"GoDaddy WordPress Sites Hacked?\" width=\"150\" height=\"122\" \/><\/a><a href=\"https:\/\/www.godaddy.com\/\" target=\"_blank\" rel=\"nofollow noopener\"><strong>GoDaddy<\/strong><\/a> (<a href=\"https:\/\/www.tradingview.com\/symbols\/NYSE-GDDY\/\" target=\"_blank\" rel=\"nofollow noopener\">GDDY<\/a>)<strong>,<\/strong> the world&#8217;s largest <a href=\"https:\/\/web.archive.org\/web\/20220104223225\/https:\/\/www.cloudflare.com\/learning\/dns\/glossary\/what-is-a-domain-name-registrar\/\" target=\"_blank\" rel=\"nofollow noopener\">domain name registrar<\/a>, disclosed that it had been <strong>hacked<\/strong>. <a href=\"https:\/\/gizmodo.com\/a-security-breach-exposed-emails-and-site-passwords-of-1848108614\" target=\"_blank\" rel=\"nofollow noopener\">According to<\/a> <a href=\"https:\/\/www.wordfence.com\/blog\/2021\/11\/godaddy-breach-plaintext-passwords\/\" target=\"_blank\" rel=\"nofollow noopener\">reports<\/a> on Monday (11\/22\/2021), an unknown attacker gained unauthorized access to the system used to provision the company&#8217;s <strong>Managed WordPress sites<\/strong>. 
This breach impacts up to <strong>1.2 million GoDaddy WordPress customers<\/strong>. This number does not include the customers of the affected websites.<\/p>\r\n<p><a href=\"https:\/\/www.godaddy.com\/\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-120777 size-medium\" title=\"GoDaddy logo\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/logo_go_daddy-1-e1637957317415-150x36.jpg?resize=150%2C36&#038;ssl=1\" alt=\"GoDaddy logo\" width=\"150\" height=\"36\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/logo_go_daddy-1-e1637957317415.jpg?resize=150%2C36&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/logo_go_daddy-1-e1637957317415.jpg?resize=75%2C18&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/logo_go_daddy-1-e1637957317415.jpg?w=536&amp;ssl=1 536w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/><\/a>The company posted, <em>&#8220;We are sincerely sorry for this incident and the concern it causes for our customers,&#8221; &#8220;We, GoDaddy leadership and employees, take our responsibility to protect our customers&#8217; data very seriously and never want to let them down.&#8221;<\/em><\/p>\r\n<h3>GoDaddy resellers also compromised<\/h3>\r\n<p>On Tuesday (11\/23\/2021), GoDaddy <a href=\"https:\/\/www.wordfence.com\/blog\/2021\/11\/godaddy-tsohost-mediatemple-123reg-domain-factory-heart-internet-host-europe\/\" target=\"_blank\" rel=\"nofollow noopener\">confirmed<\/a> that some of their <strong>resellers were also compromised<\/strong> in the attack. 
If you purchased your WordPress domains from<\/p>\r\n<ul>\r\n<li><a href=\"https:\/\/www.youtube.com\/watch?v=yRRMg5uT4AA\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-120779\" title=\"GoDaddy WordPress resellers hacked\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/go_daddyy_reseller-1.jpg?resize=110%2C115&#038;ssl=1\" alt=\"GoDaddy WordPress resellers hacked\" width=\"110\" height=\"115\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/go_daddyy_reseller-1.jpg?resize=143%2C150&amp;ssl=1 143w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/go_daddyy_reseller-1.jpg?resize=72%2C75&amp;ssl=1 72w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/go_daddyy_reseller-1.jpg?w=563&amp;ssl=1 563w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/a><a href=\"https:\/\/www.tsohost.com\/\" target=\"_blank\" rel=\"nofollow noopener\">tsoHost<\/a><\/li>\r\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Media_Temple\" target=\"_blank\" rel=\"nofollow noopener\">Media Temple<\/a><\/li>\r\n<li><a href=\"https:\/\/www.123-reg.co.uk\/\" target=\"_blank\" rel=\"nofollow noopener\">123Reg<\/a><\/li>\r\n<li><a href=\"https:\/\/www.df.eu\/\" target=\"_blank\" rel=\"nofollow noopener\">Domain Factory<\/a><\/li>\r\n<li><a href=\"https:\/\/www.heartinternet.uk\/\" target=\"_blank\" rel=\"nofollow noopener\">Heart Internet<\/a><\/li>\r\n<li><a href=\"https:\/\/www.hosteurope.de\/\" target=\"_blank\" rel=\"noopener\">Host Europe<\/a><\/li>\r\n<li><a href=\"https:\/\/www.domainspricedright.com\" target=\"_blank\" rel=\"nofollow noopener\">Domainspricedright<\/a><\/li>\r\n<\/ul>\r\n<p><strong>Assume your WordPress site has been compromised.<\/strong><br \/><br \/>According to the SEC <a href=\"https:\/\/web.archive.org\/web\/20211201080752\/https:\/\/www.sec.gov\/Archives\/edgar\/data\/1609711\/000160971121000122\/gddyblogpostnov222021.htm\" target=\"_blank\" 
rel=\"nofollow noopener\">report<\/a> filed by the Scottsdale, AZ-based firm, the attacker gained access via a compromised password on September 6, 2021. The attacker was discovered on November 17, 2021, when the attacker&#8217;s access was revoked. The attacker had more than two months to establish persistence, so <strong>anyone currently using GoDaddy&#8217;s Managed WordPress product should assume compromise<\/strong> until they can confirm that is not the case.<\/p>\r\n<h3>What happened at GoDaddy?<\/h3>\r\n<p><a href=\"https:\/\/www.elespanol.com\/omicrono\/software\/20170803\/comprueba-contrasena-millones-robadas-web\/236227355_0.html\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-120786\" title=\"credentials in cleartext\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/cleartext.jpg?resize=121%2C68&#038;ssl=1\" alt=\"credentials in cleartext\" width=\"121\" height=\"68\" \/><\/a>Several sites are reporting that GoDaddy stored <a href=\"https:\/\/www.techopedia.com\/definition\/1879\/secure-file-transfer-protocol-sftp\" target=\"_blank\" rel=\"nofollow noopener\">sFTP<\/a> (<strong>Secure FTP<\/strong>) credentials so that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords or providing public key authentication, which is industry best practice. This decision allowed an attacker direct access to password credentials without cracking them. 
According to their SEC filing: &#8220;<strong>For active customers, sFTP and database usernames and passwords were exposed.&#8221;<\/strong><\/p>\r\n<h3>What did the attacker have access to?<\/h3>\r\n<p>The SEC filing indicates that the attacker had access to:<\/p>\r\n<ul>\r\n<li>User email addresses,<\/li>\r\n<li>Customer numbers,<\/li>\r\n<li>Original WordPress Admin password that was set at the time of provisioning,<\/li>\r\n<li>SSL private key, and<\/li>\r\n<li>sFTP and database usernames and passwords.<\/li>\r\n<\/ul>\r\n<h3>What could an attacker do with this info?<\/h3>\r\n<p>The attackers had unrestricted access to these systems for over two months. During that time, they could have:<\/p>\r\n<ul>\r\n<li><a style=\"font-size: 16px; color: #777777; text-decoration-line: none;\" href=\"https:\/\/icon-library.com\/icon\/sftp-icon-5.html\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-120782\" title=\"Secure FTP\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/sftp-icon-5.png?resize=110%2C110&#038;ssl=1\" alt=\"Secure FTP\" width=\"110\" height=\"110\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/sftp-icon-5.png?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/sftp-icon-5.png?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/sftp-icon-5.png?w=204&amp;ssl=1 204w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/a>Taken over these sites by <strong>uploading malware or adding a malicious administrative user<\/strong>. 
This allows them to maintain persistence and retain control of the sites even after the passwords are changed.<\/li>\r\n<li>The attacker would have had <strong>access to sensitive information, including website customer PII<\/strong> (personally identifiable information) stored on the impacted sites&#8217; databases.<\/li>\r\n<li>Sometimes, an attacker could set up a <strong>man-in-the-middle (MITM) attack<\/strong> that intercepts encrypted traffic between a site visitor and an affected site.<\/li>\r\n<li>The exposed email addresses and customer numbers cause increased phishing risks.<\/li>\r\n<\/ul>\r\n<h3>How to resecure your GoDaddy host WordPress site<\/h3>\r\n<p><strong>GoDaddy should be notifying impacted customers<\/strong>. In the meantime, experts recommend that all Managed WordPress users <strong>assume that they have been breached<\/strong> and perform the following actions:<\/p>\r\n<ol>\r\n<li>If you run an e-commerce site or store PII (personally identifiable information) and GoDaddy verifies that you have been breached, you may be required to <strong>notify your customers<\/strong> of the breach.<\/li>\r\n<li><strong><a href=\"https:\/\/icon-library.com\/icon\/change-password-icon-16.html\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-120787\" title=\"Change passwords\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/change-password-icon-16.png?resize=110%2C110&#038;ssl=1\" alt=\"Change passwords\" width=\"110\" height=\"110\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/change-password-icon-16.png?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/change-password-icon-16.png?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/change-password-icon-16.png?w=200&amp;ssl=1 200w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/a>Change all of your WordPress 
passwords<\/strong>.<\/li>\r\n<li>Force a password reset for your WordPress users or customers.<\/li>\r\n<li>Change any reused passwords and advise your users or customers to do so.\u00a0<\/li>\r\n<li><strong>Enable <a href=\"https:\/\/wp.me\/p2wgaW-tYR\" target=\"_blank\" rel=\"noopener\">2-factor authentication<\/a><\/strong> wherever possible.\u00a0<\/li>\r\n<li>Check your site for unauthorized administrator accounts.<\/li>\r\n<li>Scan your site for <strong>malware<\/strong> using a security scanner.<\/li>\r\n<li>Check your site&#8217;s filesystem, including wp-content\/plugins and wp-content\/mu-plugins, for any <strong>unexpected plugins<\/strong>\u00a0or plugins that do not appear in the plugins menu.<\/li>\r\n<li>Be on the lookout for <strong>suspicious emails<\/strong>.<\/li>\r\n<\/ol>\r\n<p style=\"text-align: left;\"><em><strong>rb-<\/strong><\/em><\/p>\r\n<p style=\"text-align: left;\"><em>These GoDaddy data breaches are likely to have far-reaching consequences. GoDaddy&#8217;s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, affecting site owners and their customers. The SEC filing says that &#8220;up to 1.2 million active and inactive Managed WordPress customers&#8221; were affected. 
Customers of those sites are most likely also affected, which makes the number of affected people much larger.<\/em><\/p>\r\n<p style=\"text-align: center;\"><br \/><em><strong><a href=\"https:\/\/web.archive.org\/web\/20240728154520\/https:\/\/www.cdc.gov\/coronavirus\/2019-ncov\/prevent-getting-sick\/prevention.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fprepare%2Fprevention.html\" target=\"_blank\" rel=\"noopener noreferrer\">Stay safe out there!<\/a><\/strong><\/em><\/p>\r\n<p><strong>Related article<\/strong><\/p>\r\n<ul>\r\n<li><a title=\"GoDaddy now owns the company that invented Managed WordPress\" href=\"https:\/\/www.techradar.com\/news\/godaddy-now-owns-the-company-that-invented-managed-wordpress\" target=\"_blank\" rel=\"nofollow noopener\">GoDaddy now owns the company that invented Managed WordPress<\/a>\u00a0(<a title=\"Techradar\" href=\"https:\/\/www.techradar.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Techradar<\/a>)<\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a>\u00a0about IT, careers, and anything else that catches his attention since 2005. You can follow him on\u00a0<a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>Over 1.2 million GoDaddy WordPress sites may have been compromised in a two-month data breach that impacts sites managed by GoDaddy and their resellers.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3558,2682,3615,3614,67,2213,2193,2541,612,951,4,3616,84],"class_list":["post-120753","post","type-post","status-publish","format-standard","hentry","category-security","tag-3558","tag-2fa","tag-gddy","tag-godaddy","tag-hack","tag-multi-factor-authentication","tag-password-management","tag-passwords","tag-phishing","tag-pii","tag-security","tag-sftp","tag-wordpress"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/120753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=120753"}],"version-history":[{"count":19,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/120753\/revisions"}],"predecessor-version":[{"id":128439,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/120753\/revisions\/128439"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=120753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=120753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\
/tags?post=120753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}