GoDaddy security breach affects more than 1,000,000 WordPress users

A security incident exposed the email addresses of 1.2 million Managed WordPress customers.


GoDaddy was the victim of a security attack that affected more than 1,000,000 WordPress customers. In a Monday filing with the Securities and Exchange Commission, Demetrius Comes, chief information security officer, said that the hosting company discovered third-party access to its Managed WordPress hosting environment on Nov. 17, 2021. GoDaddy found that the third party had used a compromised password to gain access to the Managed WordPress provisioning system.


The breach caused a variety of problems that the company had to address for its customers. First, email addresses and customer numbers of 1.2 million Managed WordPress customers were exposed. Second, GoDaddy had to reset the original WordPress Admin passwords that were set at provisioning.

Third, the sFTP and database usernames and passwords were compromised, and GoDaddy had to reset them as well. Fourth, the SSL private key was made public for certain customers. The company stated that it is setting up new SSL certificates for those customers.

Comes confirmed that GoDaddy removed the third party from its system after learning about the breach. However, the attacker had been using the compromised password since Sept. 6. This gave them more than two years to do harm before they were discovered.

“GoDaddy is a $3.3B business that you can assume has made a significant investment in cybersecurity. Yet, they still had an adversary within their environment for 72 hours,” stated Ian McShane. “It’s common to say that the mean time it takes for a detection number to be detected is inflated (208 according to the most recent Ponemon [study]). This person was able to escape being arrested for two months despite having been a non-nation attacker.”

GoDaddy offers Managed WordPress Hosting for customers who want to build and manage their own WordPress blogs. The “Managed” in the name means that GoDaddy handles the administrative tasks, such as updating WordPress and backing up hosted sites. The description of the provisioning system as WordPress legacy code indicates code that must be maintained for the product’s backward compatibility.


According to Comes, the investigation is still ongoing. He said that GoDaddy is informing all affected customers with additional details. Comes apologised for the breach and promised that GoDaddy would learn from it. The company will now improve its provisioning system, with additional layers of protection.

Javvad Malik, KnowBe4’s security awareness advocate, said that any breach is unacceptable. Many small businesses use WordPress and GoDaddy to maintain a website presence, and this kind of breach can have a significant impact on their business and individual reputations.

Malik expressed concern that the attacker had been in GoDaddy’s server for more than two years, but he also praised GoDaddy for its response.

Malik stated that the company had reset passwords for admin, sFTP and database users and was installing new SSL certificates. Malik said that the company also contacted law enforcement and notified customers. All this information is a good example for other organizations to use to help them understand how to deal with a breach.

The ramifications of this breach remain to be determined. Cybercriminals will be quick to exploit stolen credentials and other data in order to launch new attacks, given the number of compromised accounts.

“The number of affected accounts—1.2 million—is so big that it feels like this would have been a lucrative ransomware opportunity, so there might be more to come from this story, particularly as we’ve seen more and more breaches devolve into ransomware and extortion sagas,” McShane said.
