More than 1 million GoDaddy hosting customers were affected by a data breach that began in September 2021 and went unnoticed for two months. GoDaddy described the security incident as a vulnerability. Security researchers said that the vulnerability was caused by insufficient security that did not comply with industry best practices.
GoDaddy’s statement announced that it has changed the passwords of affected customers of its managed WordPress hosting.
However, simply changing the password does not completely solve the possible problems left by hackers, which means that as many as 1.2 million GoDaddy hosting customers may still be affected by security issues.
GoDaddy notifies the SEC of the breach
On November 22, 2021, GoDaddy notified the U.S. Securities and Exchange Commission (SEC) that it had discovered “unauthorized third-party access” to its “managed WordPress hosting environment.”
GoDaddy’s investigation revealed that the intrusion began on September 6, 2021, and was not discovered until November 17, two months later.
Who is affected and how
GoDaddy’s statement said that as many as 1.2 million customers of its WordPress hosting environment may be affected by the security breach.
According to the statement submitted to the SEC, the data breach was caused by a compromised password in its provisioning system.
The provisioning system sets up new hosting services for customers by allocating server space, user names and passwords to them.
GoDaddy explained what happened:
“Using the leaked password, an unauthorized third party accessed the configuration system in our hosted WordPress old code base.”
Exposed GoDaddy customer data:
- Email address
- Customer number
- Original WordPress admin-level password
- Secure FTP (SFTP) username and password
- Database user name and password
- SSL private key
What caused the GoDaddy security breach
GoDaddy described the cause of the intrusion as a vulnerability. Vulnerabilities are usually regarded as weaknesses or defects in software coding, but they can also be caused by the lack of good security measures.
Security researchers at Wordfence made the surprising discovery that GoDaddy’s managed WordPress hosting stores sFTP usernames and passwords in a way that does not meet industry best practices.
SFTP stands for Secure File Transfer Protocol. It is a file transfer protocol that allows someone to upload and download files from a hosting server using a secure connection.
According to Wordfence security experts, usernames and passwords are stored in unencrypted plain text, which allows hackers to obtain usernames and passwords at will.
Wordfence explained the security vulnerabilities they found:
“GoDaddy stores sFTP passwords in a way that can retrieve the plaintext version of the passwords, instead of storing salted hashes of these passwords, or providing public key authentication, which is industry best practice.
…It is not best practice to store plain text passwords or passwords in reversible format for content that is essentially an SSH connection.”
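The salted-hash storage that Wordfence contrasts with reversible storage, as an added example that is not code from GoDaddy, Wordfence or the original article. The record format, function names and scrypt cost parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt hex>$<digest hex>' using a fresh random salt.

    Only this record is stored. The plaintext cannot be read back from it,
    unlike a password kept in plain text or in a reversible format.
    """
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record, or a value that is not a hash at all
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    sample = "s3cret-sftp-pass"  # constructed sample value
    first, second = hash_password(sample), hash_password(sample)
    print(first)
    print("same password, different records:", first != second)
    print("correct password verifies:", verify_password(sample, first))
    print("wrong password verifies:", verify_password("guess", first))
```

Because each record has its own salt, identical passwords produce different records, so a leaked table does not reveal which accounts share a password.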
GoDaddy security issues may continue
In a statement to the SEC, GoDaddy stated that exposure of customer emails may lead to phishing attacks. They also stated that all passwords of affected customers have been reset, which seems to close the door to security breaches, but this is not entirely the case.
However, more than two months passed before GoDaddy discovered the intrusion, which means that websites hosted on GoDaddy may still be compromised if malicious files have not been removed.
Merely changing the password of the affected website is not enough. A thorough security scan should also be performed to ensure that any affected website is free of backdoors, Trojan horses, and malicious files.
GoDaddy’s official statement did not mention mitigating the impact of compromised websites.
The security researchers at Wordfence acknowledged this shortcoming:
“…The attackers have access for nearly a month and a half, during which they can take over these sites by uploading malicious software or adding malicious administrative users. Doing so will allow the attacker to maintain persistence even after changing the password. Maintain control of the site.”
Wordfence also pointed out that the damage is not limited to WordPress-hosted businesses. Security researchers have observed that hackers’ access to website databases may result in access to website customer information, thereby leaking sensitive customer information stored on e-commerce websites.
The impact of the GoDaddy data breach may continue
GoDaddy announced only that it has reset passwords. It did not address identifying and repairing damaged databases, deleting rogue administrator accounts, or finding malicious scripts that have been uploaded, let alone the potential leak of sensitive customer information from e-commerce sites hosted by GoDaddy.
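One way a site owner could triage for rogue administrator accounts after the password reset, as an added example that is not from GoDaddy, Wordfence or the original article. The rows are constructed and shaped like exports of the default `wp_users` and `wp_usermeta` tables; the exposure window uses the dates reported above, and the known-good admin list is an assumption the site owner supplies.

```python
from datetime import datetime

# Exposure window taken from the dates in this article (intrusion start to discovery).
WINDOW_START = datetime(2021, 9, 6)
WINDOW_END = datetime(2021, 11, 17, 23, 59, 59)


def is_admin(capabilities: str) -> bool:
    """WordPress keeps roles as a PHP-serialized array in the usermeta table."""
    return 's:13:"administrator";b:1;' in capabilities


def find_suspect_admins(users, usermeta, known_admins):
    """Return [(login, [reasons])] for administrator accounts that need review."""
    caps = {m["user_id"]: m["meta_value"]
            for m in usermeta if m["meta_key"].endswith("capabilities")}
    suspects = []
    for u in users:
        if not is_admin(caps.get(u["ID"], "")):
            continue
        reasons = []
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if WINDOW_START <= registered <= WINDOW_END:
            reasons.append("registered during exposure window")
        # user_registered can be rewritten by anyone with database access,
        # so the allowlist check below does not depend on it.
        if u["user_login"] not in known_admins:
            reasons.append("not on known-good admin list")
        if reasons:
            suspects.append((u["user_login"], reasons))
    return suspects


# Constructed sample rows for illustration only.
ADMIN = 'a:1:{s:13:"administrator";b:1;}'
USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2019-03-02 10:00:00"},
    {"ID": 2, "user_login": "jane", "user_registered": "2021-10-01 09:30:00"},
    {"ID": 3, "user_login": "wp_support", "user_registered": "2021-10-14 03:12:55"},
    {"ID": 4, "user_login": "sysadm", "user_registered": "2018-01-01 00:00:00"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": ADMIN},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": ADMIN},
    {"user_id": 4, "meta_key": "wp_capabilities", "meta_value": ADMIN},
]

if __name__ == "__main__":
    for login, reasons in find_suspect_admins(USERS, USERMETA, {"owner"}):
        print(login, "->", "; ".join(reasons))
```

The backdated `sysadm` row is caught only by the allowlist check, which is why a registration-date filter alone is not sufficient.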
Citation
GoDaddy announces a security incident affecting managed WordPress services



