On November 22, 2021, GoDaddy, confirmed that they had identified unauthorized access to their hosting environment. This data security breach exposed nearly 1.2 Million “Managed WordPress Hosting” Accounts. Important data was compromised including customer email addresses, admin passwords, sFTP and database credentials, and SSL private keys.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement”.
Demetrius Comes -GoDaddy’s chief information security officer
The attacker gained initial access using a compromised password early in September 2021. This breach was unnoticed till November 17, 2021. During this period, sFTP and database usernames and passwords of customers were accessible to the attacker.
“For the time being, anyone using GoDaddy’s Managed WordPress offering should assume their sites have been compromised until further information becomes available”
–WordFence
WordFence also said “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them”.
The control of the website can be retained by the attacker by injecting malware or by adding a malicious admin user.
All the managed hosting users of the company are advised to follow the below steps
- Thoroughly scan the website for malware using a security scanner
- Deleting any unauthorized admin users and changing all passwords (hosting account, cPanel, all sFTP accounts, and wp-admin, etc.)
- Request all the users/members to change passwords (if you are running woo commerce or membership sites) and
- Be in touch with Godaddy customer care.
Companies acquired by GoDaddy in the recent past are also impacted by this security incident
Dan Rice, VP of Corporate Communications at GoDaddy says:
“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.”
In its SEC report, GoDaddy said, “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
SEC report filed by Godaddy (The Securities and Exchange Commission)
The company started working on the damage and issuing new SSL certificates and resetting the sFTP and Database passwords of all the impacted sites.