The GoDaddy Password Breach Affected Over a Million Users
GoDaddy says that in November 2021 it realised there were cybercriminals on its network, kicked them out, and set about determining when the hackers got in and what they managed to do while they were inside.
The company's investigation into the incident is ongoing. It contacted law enforcement and an IT forensics firm, and reset all affected customers' passwords. However, this latest data breach may also have exposed the email addresses of 1.2 million customers, leaving them vulnerable to phishing attacks.
GoDaddy detected suspicious activity in their Managed WordPress hosting environment and immediately began an investigation.
Chief Information Security Officer Demetrius Comes said that, “using a compromised password, an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress.”
“Upon identifying this incident, we immediately blocked the unauthorised third party from our system,” said Demetrius.
“Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorised third party used the vulnerability to gain access to the following customer information:
• Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
• For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
• For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.”
The GoDaddy password breach is the latest security incident to expose customers' personal information. It affected those who use the WordPress web content management system, as well as those who use the GoDaddy domain.
With some ten weeks between the intrusion and its discovery, the attackers could have used the exposed sFTP passwords and compromised web certificates to mount further attacks against MWP users. In particular, anyone who knows your sFTP password could, in theory, not only download the files that make up your site and steal your content, but also upload unauthorised additions to the site.
Those unauthorised website additions could include:
- Backdoored WordPress plugins to let the crooks sneak back in again even after your passwords are changed.
- Fake news that would embarrass your business if customers were to come across it.
- Malware directly targeting your site, such as crypto mining or data-stealing code designed to run right on the server.
- Malware targeting visitors to your site, such as zombie malware to be served up as part of a phishing scam.
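The practical defensive counterpart to this list is a file-integrity check: a hash manifest of the web root taken at a known-good time, compared against the live tree to surface files added or altered during the exposure window, with server-side code appearing in plugin, theme or upload directories flagged first. The following is an added example, not code from the article or from GoDaddy; the directory names, file extensions and the sample site tree are assumptions that reflect a standard WordPress layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories where someone holding sFTP credentials would most plausibly place a
# backdoored plugin or server-side malware (assumes a standard WordPress layout).
HIGH_RISK_DIRS = ("wp-content/plugins/", "wp-content/mu-plugins/",
                  "wp-content/themes/", "wp-content/uploads/")
CODE_EXTENSIONS = (".php", ".phtml", ".phar")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(webroot: str) -> dict:
    """Map every file under the web root (relative POSIX path) to its SHA-256."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Diff a known-good manifest against the live tree and flag risky code changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    # New or altered server-side code in plugin/theme/upload paths matches the pattern the
    # article warns about (backdoored plugins, crypto-mining or data-stealing code).
    high_risk = sorted(p for p in added + modified
                       if p.startswith(HIGH_RISK_DIRS) and p.endswith(CODE_EXTENSIONS))
    return {"added": added, "removed": removed, "modified": modified, "high_risk": high_risk}

def demo() -> dict:
    """Constructed sample site: take a baseline, then simulate post-compromise edits."""
    root = Path(tempfile.mkdtemp())
    for rel, body in {"index.php": "<?php // front controller\n",
                      "wp-content/plugins/seo/seo.php": "<?php // legitimate plugin\n",
                      "wp-content/uploads/2021/11/logo.png": "constructed image bytes"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    baseline = build_manifest(str(root))
    # Constructed changes: a tampered plugin file and a PHP file dropped into uploads.
    (root / "wp-content/plugins/seo/seo.php").write_text("<?php // legitimate plugin\n// added\n")
    (root / "wp-content/uploads/2021/11/cache.php").write_text("<?php // stand-in for dropped file\n")
    return compare_manifests(baseline, build_manifest(str(root)))

if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it was captured and stored off the server before the intrusion window; the comparison deliberately ignores modification times, since anyone with write access to the tree can set them.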