More bad news!!! The hack that exposed the details of 1.2 million GoDaddy customers has spread to six more web hosts. As Search Engine Journal reports, the six additional web hosts are all resellers of GoDaddy’s Managed WordPress hosting; GoDaddy names all six in the statement quoted below.
Customers of at least two of these web hosting companies have been sent emails very similar to the one GoDaddy sent out regarding the security breach. It is the same Managed WordPress intrusion, and it leaked email addresses, customer numbers, WordPress Admin passwords, sFTP and database usernames and passwords for active customers, and in some cases SSL private keys.
WordPress security plugin maker Wordfence confirmed the hack has spread to these web hosts and published a quote from Dan Rice, VP of Corporate Communications at GoDaddy, as to the extent of the attack:
“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.”
The intrusion began on Sept. 6, giving the attacker plenty of time to take advantage of the user data and access to accounts. It’s currently unknown how that access to the data has been used. All customers affected by the breach at the web hosts listed above need to be vigilant and extra cautious with the emails they receive: leaked email addresses and customer numbers are exactly what a convincing phishing email needs.
Hopefully each company has either contacted or is in the process of contacting affected customers with the measures taken to close the security hole. If you believe your account was compromised and haven’t been contacted, be proactive and contact your web host to confirm the status/health of your account.
I highly recommend installing the Wordfence security plugin, enabling and enforcing two-factor authentication, and deleting any additional admin users that you do not recognise.
If you need help locking down your WordPress installation, get in touch.
GoDaddy Managed WordPress hosting customers suffered a massive data breach. Passwords have been reset, but the effects of the hack may still persist.
Over one million GoDaddy hosting customers suffered a data breach in September 2021 that went unnoticed for more than two months. GoDaddy described the security event as a vulnerability. Security researchers indicate that the underlying weakness was inadequate security practice that did not meet industry best practices, specifically the way credentials were stored.
The statement by GoDaddy announced that they have changed passwords for the affected customers of their WordPress Managed Hosting.
However, simply changing passwords does not undo whatever the hackers left behind, which means that up to 1.2 million GoDaddy hosting customers may remain at risk from security issues.
If you need help locking down and securing your WordPress installation, get in touch.
GoDaddy Informs SEC Of Breach
On November 22, 2021 GoDaddy informed the United States Securities and Exchange Commission (SEC) that they had discovered “unauthorized third-party access” to their “Managed WordPress hosting environment.”
GoDaddy’s investigation revealed that the intrusion began on September 6, 2021 and was only discovered on November 17th, more than two months later.
Who is Affected And How
GoDaddy’s statement says that up to 1.2 million customers of their WordPress managed hosting environment may be affected by the security breach.
According to the statement to the SEC the data breach was due to a compromised password in their provisioning system.
A provisioning system is the part of the hosting platform that sets up a new customer: it allocates server space and creates the usernames and passwords the customer uses to reach it. Because it creates those credentials, it is also where they are stored, which is what made it such a valuable target.
GoDaddy explained what happened:
“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.”
GoDaddy customer data that was exposed:
Email addresses and customer numbers
Original WordPress administrator level passwords
Secure FTP (SFTP) usernames and passwords
Database usernames and passwords
SSL private keys (for a subset of customers)
What Caused GoDaddy Security Breach
GoDaddy described the cause of the intrusion as a vulnerability. A vulnerability is generally thought of as a weakness or flaw in software code, but it can equally arise from a lapse in good security practice, such as how credentials are stored.
Security researchers from Wordfence made the startling discovery that GoDaddy’s Managed WordPress hosting stored sFTP usernames and passwords in a manner that did not conform to industry best practices.
SFTP stands for SSH File Transfer Protocol. It is a file transfer protocol that allows someone to upload and download files from a hosting server over an SSH connection, which is why Wordfence describes it below as essentially an SSH connection.
According to the Wordfence security experts, the usernames and passwords were stored either in plaintext or in a reversible form, so anyone who got into the provisioning system, as the attacker did, could freely harvest working usernames and passwords rather than having to crack them.
Wordfence explained the security lapse they discovered:
“GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.
…Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.”
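To make the distinction Wordfence is drawing concrete, here is an added example (my code, not GoDaddy’s or Wordfence’s) of two hypothetical provisioning stores: one that keeps passwords in a reversible form, beside one that keeps only a per-user salt and a PBKDF2-HMAC-SHA256 digest. The `harvest()` function plays the intruder who has read access to the stored rows. The store classes, the sample account and the PBKDF2 round count are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumption: work factor for PBKDF2-HMAC-SHA256. Raise it as far as your
# login latency budget allows; offline guessing slows down by the same factor.
PBKDF2_ROUNDS = 200_000


class ReversibleStore:
    """Hypothetical provisioning store in the style Wordfence criticised:
    the password is kept in a form the system (and anyone inside it) can
    turn back into plaintext. base64 stands in for any reversible encoding;
    encrypting with a key the same system holds is no better in practice."""

    def __init__(self):
        self._rows = {}

    def provision(self, user, password):
        self._rows[user] = base64.b64encode(password.encode()).decode()

    def verify(self, user, password):
        return user in self._rows and self.reveal(user) == password

    def reveal(self, user):
        # The existence of this method is the problem.
        return base64.b64decode(self._rows[user]).decode()

    def raw_rows(self):
        return dict(self._rows)


class SaltedHashStore:
    """Stores a random per-user salt and a PBKDF2 digest. Verification is
    possible; recovering the password from the stored row is not."""

    def __init__(self):
        self._rows = {}

    def provision(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._rows[user] = (salt, digest)

    def verify(self, user, password):
        if user not in self._rows:
            # Do the same work for unknown users so timing does not reveal which exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = self._rows[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def raw_rows(self):
        return dict(self._rows)


def harvest(store):
    """Simulate an intruder who, like the one in the GoDaddy incident, can read
    the provisioning data and tries to turn each row back into a working
    password. Returns {user: password or None}."""
    recovered = {}
    for user, row in store.raw_rows().items():
        if isinstance(row, str):          # reversible encoding: decode and log in
            recovered[user] = base64.b64decode(row).decode()
        else:                             # (salt, digest): one-way, nothing to decode
            recovered[user] = None
    return recovered


if __name__ == "__main__":
    # Constructed sample account, not real customer data.
    for store in (ReversibleStore(), SaltedHashStore()):
        store.provision("cust-1001", "Tr0ub4dor&3")
        print(type(store).__name__, "verify:", store.verify("cust-1001", "Tr0ub4dor&3"),
              "harvested:", harvest(store))
```

Salted hashing does not make a stolen row worthless, it makes each password cost the attacker one slow guess at a time, per user, instead of zero. The other option in the Wordfence quote, public key authentication, is better still for SFTP: the server keeps only the customer’s public key, so there is no secret on the provisioning side to steal at all.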
GoDaddy Security Issues May Still Be Ongoing
GoDaddy’s statement to the SEC noted that the exposure of customer emails could lead to phishing attacks. They also communicated that all passwords were reset for affected customers, which seems to close the door on the security breach, but that’s not entirely the case.
More than two months had elapsed by the time GoDaddy discovered the security lapse and intrusion, which means that websites hosted on GoDaddy could still be in a compromised state if malicious files have not been removed.
It’s not enough to change the passwords of affected websites; a thorough security scan should also be performed to make sure that any affected websites are free of backdoors, Trojans and malicious files.
GoDaddy’s official statement has not said anything about mitigating the effects of already compromised websites.
The security researchers at Wordfence acknowledged this shortcoming:
“…the attacker had nearly a month and a half of access during which they could have taken over these sites by uploading malware or adding a malicious administrative user. Doing so would allow the attacker to maintain persistence and retain control of the sites even after the passwords were changed.”
Wordfence also states that the damage is not limited to the businesses hosted on WordPress managed hosting. The security researchers observed that access to a website’s database also means access to whatever that site stores about its own customers, which for an ecommerce site is sensitive personal information.
Effects of GoDaddy Data Breach May Continue
GoDaddy only announced that they have reset passwords. However nothing was said about identifying and fixing compromised databases, removing rogue administrator accounts and finding malicious scripts that have been uploaded, not to mention possible data breaches of sensitive customer information from ecommerce sites hosted on GoDaddy.
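The two checks that both this post and the earlier recommendation (delete admin users you do not recognise, scan for planted files) call for can be scripted. The following is an added example of mine, not code from GoDaddy, Wordfence or WordPress: it flags administrator accounts that are not on your known list or were created on or after the September 6 intrusion start, and it walks the install looking for PHP that sits inside `wp-content/uploads` (where PHP never belongs) or matches common backdoor constructs. The user rows mirror the shape I assume `wp user list --fields=ID,user_login,user_registered,roles --format=json` produces; the sample install, the sample users and the pattern list are all constructed for the demonstration.

```python
import os
import re
import tempfile
from datetime import datetime

# Intrusion start per GoDaddy's SEC statement; anything created on or after
# this date by an account you did not create yourself deserves a hard look.
INTRUSION_START = datetime(2021, 9, 6)

# Constructs common in PHP webshells and backdoors. A hit is a lead for manual
# review, not a verdict; legitimate plugins occasionally trip these too.
SUSPICIOUS_PHP = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)"),
    re.compile(rb"\b(system|shell_exec|passthru|exec|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e['\"]"),  # /e modifier executes code
    re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(\s*\$_"),       # $_GET['f']($_GET['x'])
]


def find_unexpected_admins(users, known_admins):
    """users: list of dicts with user_login, user_registered ('YYYY-MM-DD HH:MM:SS')
    and roles (comma-separated). Returns [(login, [reasons])] for suspect admins."""
    findings = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if u["user_login"] not in known_admins:
            reasons.append("not in known admin list")
        if registered >= INTRUSION_START:
            reasons.append("created during intrusion window")
        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


def find_suspicious_php(site_root):
    """Walk the install. Flag PHP under wp-content/uploads and any PHP file
    whose content matches SUSPICIOUS_PHP. Looks at location and content only:
    file timestamps are trivially forged by an attacker, so they are ignored."""
    findings = []
    uploads = os.path.join(site_root, "wp-content", "uploads")
    for dirpath, _, filenames in os.walk(site_root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.commonpath([path, uploads]) == uploads:
                reasons.append("PHP inside uploads directory")
            with open(path, "rb") as fh:
                data = fh.read()
            for pat in SUSPICIOUS_PHP:
                if pat.search(data):
                    reasons.append("matches " + pat.pattern.decode()[:30])
                    break
            if reasons:
                findings.append((os.path.relpath(path, site_root), reasons))
    return sorted(findings)


# Constructed sample data (not real customer data) so the script runs stand-alone.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2019-03-12 10:04:55", "roles": "administrator"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2020-06-01 08:00:00", "roles": "editor"},
    {"ID": 7, "user_login": "wp_support", "user_registered": "2021-09-19 02:13:41", "roles": "administrator"},
]
KNOWN_ADMINS = {"siteowner"}


def build_sample_site():
    """Create a throwaway mini install: one clean theme file, one dropper in
    uploads, one core file with an injected variable-function call."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-content/themes/twentytwentyone/functions.php":
            b"<?php\nadd_action('init', 'twentytwentyone_setup');\n",
        "wp-content/uploads/2021/09/wp-cache.php":
            b"<?php @eval(base64_decode($_POST['c']));\n",
        "wp-includes/class-wp-http.php":
            b"<?php\nif (isset($_GET['f'])) { $_GET['f']($_GET['x']); }\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for login, why in find_unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print("ADMIN", login, "->", "; ".join(why))
    for rel, why in find_suspicious_php(build_sample_site()):
        print("FILE ", rel, "->", "; ".join(why))
```

Run it against a real install by replacing `SAMPLE_USERS` with the output of WP-CLI and pointing `find_suspicious_php` at the document root. Pattern matching only catches what it knows about, so for core, theme and plugin files also compare against clean copies (`wp core verify-checksums` and `wp plugin verify-checksums --all` do this against wordpress.org), and rotate the database password and SSL certificate as well, since those were in the leaked set and a cleaned file system does not revoke them.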