
Update: GoDaddy Breach Hits Managed WordPress Customers

Database Usernames, Passwords Among Other Customer Details Exposed
Managed WordPress provisioning system accessed via GoDaddy legacy code base (Image: GoDaddy)

Web hosting giant GoDaddy confirms that a data breach reported earlier this week, which affected about 1.2 million of its active and inactive Managed WordPress customers, has also impacted Managed WordPress users tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.


"A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident, but no other brands are impacted," confirmed Dan Rice, VP of Corporate Communications at GoDaddy, according to a blog post by security firm Wordfence. The respective brands have already contacted their customers with specific details and recommended actions, he adds.

Web hosting giant GoDaddy previously confirmed that it had suffered a data breach, which affected about 1.2 million of its active and inactive Managed WordPress customers, according to an 8-K filing with the U.S. Securities and Exchange Commission. As a precaution, the company has reset passwords for customers who remained exposed.

"On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment," says Demetrius Comes, chief information security officer and vice president of engineering at GoDaddy, in a blog post published by the company on Monday.

Although the investigation is ongoing, Comes says that an initial probe, carried out by an IT forensics firm and law enforcement authorities, determined that the threat actor first gained access on Sept. 6, 2021, through an unnamed vulnerability. The threat actor(s) then leveraged a compromised password to access the provisioning system in the legacy code base of GoDaddy's Managed WordPress environment, he says.

GoDaddy did not respond to Information Security Media Group's request for information on the threat actor's identity, details on the vulnerability exploited and the countermeasures deployed by the hosting giant.

Customer Information Exposed

"Upon identifying this incident, we immediately blocked the unauthorized third party from our system," says Comes in the blog post. But the intrusion was detected on Nov. 17, more than two months after the initial access. During this period, GoDaddy says, the following customer information was exposed to the threat actor(s). The company also specifies the remedial measures it has since taken to limit the effects of the exposure.

  • Email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress customers - "The exposure of email addresses presents risk of phishing attacks," notes Comes.
  • The original WordPress Admin password that was set at the time of provisioning - For those customers who still had these credentials in use, GoDaddy has now reset those passwords.
  • For active customers, the SFTP (secure file transfer protocol) and database usernames and passwords; SFTP is the channel through which customers access and transfer their site files over the network - GoDaddy has reset both sets of passwords, according to the blog post.
  • For a smaller subset of active customers, the Secure Sockets Layer [SSL] private key, which is used to authenticate the website on the open internet - The hosting company says it is now in the process of issuing and installing new certificates for those affected customers.

Even as GoDaddy is still contacting affected customers, it has asked its users to contact its help desk for further guidance, according to the blog post.

Experts Weigh In

The GoDaddy Managed WordPress data breach is likely to have far-reaching consequences, according to the Wordfence security blog. It suggests that for the time being, any user of GoDaddy’s Managed WordPress offering should assume their site has been compromised and change their passwords, enable two-factor authentication, check for unauthorized administrator accounts, scan for known malware in their directories and be on the lookout for phishing emails.
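One of the Wordfence recommendations above, checking a site for unauthorized administrator accounts, can be partly automated. The following is an added example written for this article, not code from Wordfence, GoDaddy or the article's author. It assumes the site owner has exported the administrator list with WP-CLI (`wp user list --role=administrator --format=csv`), keeps an out-of-band allowlist of expected administrator logins (the `KNOWN_ADMINS` set is hypothetical), and wants every administrator flagged that is either not on that list or was registered on or after Sept. 6, 2021, the initial-access date the article reports. The CSV rows below are constructed sample data using a subset of WP-CLI's default columns.

```python
"""Post-incident triage of WordPress administrator accounts.

Added illustration, not code from the article or from GoDaddy/Wordfence.
Input is the CSV that `wp user list --role=administrator --format=csv`
prints; the `user_registered` column is the MySQL datetime WordPress keeps
in wp_users.
"""
import csv
import io
from datetime import datetime, timezone

# Date the article reports for the attacker's first unauthorized access.
INITIAL_ACCESS = datetime(2021, 9, 6, tzinfo=timezone.utc)

# Constructed sample of WP-CLI output (subset of the default columns).
SAMPLE_ADMIN_CSV = """\
ID,user_login,user_email,user_registered,roles
1,owner,owner@example.com,2019-03-02 10:15:00,administrator
7,wpsupport,help@example.net,2021-09-09 03:44:21,administrator
9,editor-jane,jane@example.com,2020-11-20 08:00:00,administrator
"""

# Hypothetical allowlist the site owner maintains outside the site itself,
# so a compromised wp_users table cannot quietly extend it.
KNOWN_ADMINS = {"owner", "editor-jane"}


def parse_admins(csv_text):
    """Parse WP-CLI CSV rows into dicts with a timezone-aware registration time."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        # WordPress stores user_registered in UTC.
        row["user_registered"] = registered.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def find_suspicious_admins(admins, known_logins, since=INITIAL_ACCESS):
    """Return a list of (login, reasons) for every administrator needing review.

    An account is flagged if its login is not on the allowlist or if it was
    registered on or after the `since` date (the known initial-access date).
    """
    findings = []
    for admin in admins:
        reasons = []
        if admin["user_login"] not in known_logins:
            reasons.append("not on allowlist")
        if admin["user_registered"] >= since:
            reasons.append("registered after initial access date")
        if reasons:
            findings.append((admin["user_login"], reasons))
    return findings


if __name__ == "__main__":
    admins = parse_admins(SAMPLE_ADMIN_CSV)
    for login, reasons in find_suspicious_admins(admins, KNOWN_ADMINS):
        print(f"REVIEW {login}: {', '.join(reasons)}")
```

Registration date alone is a weak signal, since an attacker holding a provisioning-time admin password could simply use the existing account rather than create one; that is why the allowlist comparison is the primary check and the date is only a second flag. The same pass should be repeated for editor-level accounts and for any user whose email domain the owner does not recognize.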

It is an unfortunate and concerning incident, as the attacker was in GoDaddy's servers for nearly two months, Javvad Malik, a security awareness advocate at cybersecurity firm KnowBe4, tells ISMG. But Malik is satisfied with the response and the initial countermeasures implemented by GoDaddy and says, "All of this is an ideal playbook from which other organizations could learn to better understand how to respond to a breach."

A Twitter user named @Random_Robbie, who says he is a security researcher, criticizes GoDaddy for not having a bug bounty program that could have helped it find the exploited vulnerability in the first place.

There has also been criticism of credentials potentially being stored in plaintext and concern about the extent of the breach. "WordPress often stores user and consumer data and depending on the configuration of the website, there may be significant caches of personal data for a cybercriminal to extract," says Sam Dawson, digital privacy expert at ProPrivacy. "This is compounded by the fact that GoDaddy seems to have stored much of its user credentials in plaintext, massively reducing the time it would take to breach a customer's website."

Dawson is also skeptical about the stated extent of the breach. He thinks it doesn't just affect GoDaddy or the people who use its service directly, but potentially affects everyone who uses a service on a website hosted by GoDaddy. "If you have given personal details to a GoDaddy-hosted website, you should assume you have been compromised," he says.


About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.