Ongoing Investigation: GoDaddy Security Breach Affecting Over 1.2 Million User Accounts
What started as a security breach at GoDaddy has now spread to six other web hosts, 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost, according to Search Engine Journal’s report.
All of the compromised web hosting providers are resellers of GoDaddy’s WordPress hosting services and report the same scope of intrusion as GoDaddy. Furthermore, the intrusion start dates match for GoDaddy and the resellers.
GoDaddy has submitted specific dates for the security intrusions to the state of California, which then notified the public of these details. The dates of intrusion are the following: 09/06/2021, 09/07/2021, 09/08/2021, 09/09/2021, 09/10/2021, 09/11/2021, and 11/07/2021.
Customers of at least two of the resellers, as mentioned before, have received notices referencing the exact intrusion date – the 6th of September, says Wordfence. This ‘coincidence implies that the breaches are connected, at least by date, if not more.’
Wordfence confirmed that the GoDaddy hack has spread to these web hosts, issuing a statement and elaborating on the attack’s extent.
Dan Rice, VP of Corporate Communications at GoDaddy, had the following to say:
The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.
Be sure to get those passwords changed. Originally only GoDaddy was mentioned but it seems there are more hosting companies affected. #webhosting #wordpress #smallbusinessowner #business101 https://t.co/tSmhlApXeT
— Danny Smith (@dansmithVL) November 25, 2021
The emails/notifications sent to customers of the additional web hosts were also very similar to the one GoDaddy sent out regarding the security breach.
Here’s the email sent to GoDaddy customers:
We are writing to inform you of a security incident impacting your GoDaddy Managed WordPress hosting service.
On November 17, we identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of a third-party IT forensics firm and have contacted law enforcement.
Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, your customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords.
What this means is the unauthorized party could have obtained the ability to access your Managed WordPress service and make changes to it, including to alter your website and the content stored on it.
And here’s an excerpt of the email sent to MediaTemple customers:
…we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, the customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords.
The six web hosting companies experienced hacks that likewise targeted Managed WordPress accounts. The unauthorized third party once again exposed email addresses, customer numbers, WP Admin passwords, sFTP and database usernames and passwords for active customers, and in some cases, SSL private keys.
The administrators of the respective web hosts have reset passwords and recommend that customers reset their passwords. Customers whose SSL private keys were exposed might have to have their certificates reinstalled.
The attacker had plenty of time to take advantage of the user data and access to accounts. For instance, they could have installed backdoors, added rogue administrative accounts, and uploaded malicious scripts. However, it is still unknown how the third party used this access to sensitive data.
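As an added illustration (not part of the article or GoDaddy’s guidance), the following Python audit checks a site for the two follow-on risks named above: administrator accounts registered on or after the reported 6 September 2021 intrusion date, and PHP files either placed in the uploads directory or modified since that date. The sample rows are constructed to mirror the shape of WordPress’s wp_users and wp_capabilities data and a file listing; a real audit would pull them from the database and file system.

```python
from datetime import datetime

# Earliest intrusion date GoDaddy reported to the state of California (from the article).
INTRUSION_START = datetime(2021, 9, 6)

# Constructed sample rows: (user_login, user_registered, wp_capabilities meta value).
# The capabilities value is the PHP-serialized role map WordPress stores in wp_usermeta.
SAMPLE_USERS = [
    ("owner", "2019-03-12 10:02:11", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor_jane", "2020-07-01 08:00:00", 'a:1:{s:6:"editor";b:1;}'),
    ("wp_support", "2021-09-08 03:14:55", 'a:1:{s:13:"administrator";b:1;}'),
    ("contributor", "2021-10-02 12:00:00", 'a:1:{s:11:"contributor";b:1;}'),
]

# Constructed sample file listing: (path relative to the site root, mtime).
SAMPLE_FILES = [
    ("wp-includes/functions.php", "2021-08-20 14:00:00"),
    ("wp-content/uploads/2021/09/image.jpg", "2021-09-15 09:00:00"),
    ("wp-content/uploads/2021/09/cache.php", "2021-09-09 02:41:10"),
    ("wp-content/themes/twentytwenty/footer.php", "2021-09-07 23:59:00"),
]

WP_TIME = "%Y-%m-%d %H:%M:%S"


def is_administrator(capabilities: str) -> bool:
    """True if the serialized role map grants the administrator role."""
    return 's:13:"administrator";b:1;' in capabilities


def suspicious_admins(rows, since=INTRUSION_START):
    """Administrator logins registered on or after the intrusion start date."""
    flagged = []
    for login, registered, caps in rows:
        if is_administrator(caps) and datetime.strptime(registered, WP_TIME) >= since:
            flagged.append(login)
    return flagged


def suspicious_files(rows, since=INTRUSION_START):
    """PHP files in wp-content/uploads (never legitimate) or modified since the intrusion."""
    flagged = []
    for path, mtime in rows:
        if not path.endswith(".php"):
            continue
        in_uploads = path.startswith("wp-content/uploads/")
        if in_uploads or datetime.strptime(mtime, WP_TIME) >= since:
            flagged.append(path)
    return flagged
```

Anything flagged is a lead to review by hand, not proof of compromise; a theme updated after 6 September will also be listed.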
Customers of the additional six web hosting providers subject to the data breach might face additional security issues. Thus, they need to be vigilant and extra cautious with the emails they receive.
The GoDaddy breach is a “hot topic,” with a number of industry professionals trying to understand and explain its background. Over the last 24 hours, each specialist has offered their own point of view, and naturally there are many opposing ones regarding the cause of the breach and GoDaddy’s response to it.
Robert Prigge, CEO of Jumio, argued that the security breach underlines the inherent weakness of relying on credentials to authenticate users.
Prigge had the following to say:
In fact, 61% of data breaches in 2020 involved the use of unauthorized credentials. And this number is sure to increase if organizations don’t move away from this outdated method. With user email addresses, credentials for WordPress databases, and SSL private keys exposed in this breach, cybercriminals have everything they need to conduct phishing attacks or impersonate customers’ services and websites.
He further elaborated that resetting passwords and private keys is simply not sufficient. Instead, organizations like GoDaddy should rely on safer and more secure alternatives like biometric authentication.
Steve Moore, chief security strategist at Exabeam, had the following to say:
No matter how robust your security stack is, your organization will still be vulnerable to intrusions stemming from compromised credentials. Even the best organizations must manage this problem perfectly, and perfect is seldom possible. Proper training, feedback loops, visibility, and effective technical capabilities are the keys to defending against compromised insider and external adversaries.
According to Moore, developing a baseline for normal employee behavior is an effective defensive mechanism. It can assist organizations with identifying compromised credentials and related intrusions.
Moore further added:
If you can establish normal behavior first, only then can abnormalities be known — a great asset in uncovering unknowingly compromised accounts.
Javvad Malik, Security Awareness Advocate at KnowBe4, introduced another perspective. He had the following to say:
Many individuals and small businesses rely on WordPress and GoDaddy to have a web presence, and this kind of breach can have a major impact. While it’s concerning that the attacker was in GoDaddy’s servers for over two months, the response by GoDaddy has been very good. The company has reset exposed sFTP, database, and admin user passwords and is installing new SSL certificates. In addition, the company contacted law enforcement, a forensics team, and notified customers. All of this is an ideal playbook from which other organizations could learn to better understand how to respond to a breach.
The latest breach follows three similar attacks in the past three years: an AWS error exposing GoDaddy server data in 2018, an unauthorized user breaching 28,000 accounts in October 2019, and a hack of the cryptocurrency sites hosted by GoDaddy in November 2020.
Nick Tausek, Security Solutions Architect at Swimlane, described GoDaddy as an easy target because of its past incidents. He had the following to say:
Due to its history with cyber incidents, GoDaddy has become an easy target. It operates 35,000 servers hosting more than 5 million websites, with millions of people relying on its services for the day-to-day operations of their businesses and hobbies. Because of the level of user dependency, repercussions can be severe when a situation like this presents itself. For customers to be able to trust that their valuable and highly sensitive data remains safe and secure, organizations like GoDaddy must implement the proper controls to recognize and thwart cyber threats.
We have also received this email today:
We are writing to inform you of a security incident impacting our GoDaddy Managed WordPress environment you once purchased and used. According to our records your Managed WordPress account is no longer active.
On November 17, we identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and have contacted law enforcement. Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to your customer number, email address associated with your previously used Managed WordPress account; and the password you first used when setting up your WordPress Admin login.
If you use that same password for other accounts, we recommend you change your password to those accounts and adopt data security best practices, such as choosing a strong unique password, regularly changing it, and enabling multi-factor authentication where available. We also recommend that you remain vigilant for potentially fraudulent communications sent to your email address purporting to be from GoDaddy or other third parties.
For residents living in California, Colorado, Delaware, Illinois, New York, New Jersey, Oregon, Vermont, Washington, and Wyoming, please visit https://www.godaddy.com/help/a-41004 for additional resources that describe additional steps you can take to help protect your information, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.
Chief Information Security Officer
November 23, 2021
This Monday, GoDaddy disclosed a data breach that could potentially lead to unauthorized access to the data of up to 1.2 million active and inactive GoDaddy customers. It’s the third incident to come to light since 2018.
It all started on the 17th of November, when GoDaddy discovered an unauthorized third party accessing its Managed WordPress hosting environment. Immediately upon this discovery, GoDaddy began an investigation with the help of an IT forensics firm and informed the authorities of the suspicious activity.
The findings were alarming: the unauthorized third party had been able to access GoDaddy’s provisioning system in its legacy code base for Managed WordPress since the 6th of September, using a compromised password.
New: Web host GoDaddy has confirmed a data breach affecting 1.2 million customers, who use WordPress. GoDaddy said email addresses and customer IDs were accessed, and in some cases customer database passwords and SSL private keys were exposed. https://t.co/ak5NlFsnn1
— Zack Whittaker (@zackwhittaker) November 22, 2021
The exposed information includes WordPress Admin passwords, database usernames and passwords, customer numbers, SSL private keys, and more.
GoDaddy took immediate action, blocking the unauthorized third party from its system and resetting all exposed passwords.
Demetrius Comes, Chief Information Security Officer (CISO) at GoDaddy, had the following to say:
Our investigation is ongoing, and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help), which includes phone numbers based on country.
Comes further elaborated:
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.
According to the U.S. Securities and Exchange Commission (SEC) filing, up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer numbers exposed, presenting a risk of phishing attacks.
First, the security breach exposed the original WordPress Admin passwords set at the time of provisioning. GoDaddy reset these passwords, or at least those still in use.
When it comes to active customers, GoDaddy reset the sFTP and database usernames and passwords, as they were both exposed.
And finally, GoDaddy is to issue and install new certificates for the subset of active customers whose SSL private keys were exposed.