GoDaddy security breach impacts more than 1 million WordPress users

The hosting company has revealed a security incident that exposed the email addresses and customer numbers of 1.2 million Managed WordPress customers.

GoDaddy sign outside headquarters

Image: BCFC/Shutterstock

GoDaddy has been on the receiving end of a security breach that has affected the accounts of more than 1 million of its WordPress customers. In a Monday filing with the Securities and Exchange Commission, Chief Information Security Officer Demetrius Comes said that on Nov. 17, 2021, the hosting company discovered unauthorized access by a third party to its Managed WordPress hosting environment. After contacting law enforcement officials and investigating the incident with an IT forensics firm, GoDaddy found that the third party had used a compromised password to access the provisioning system in its legacy code base for Managed WordPress.


The breach led to a number of issues that have hit customers and forced the company to react. First, the email addresses and customer numbers were exposed for 1.2 million active and inactive Managed WordPress customers. Second, the original WordPress Admin passwords set at the time of provisioning were exposed, requiring GoDaddy to reset them.

Third, the sFTP (Secure File Transfer Protocol) and database usernames and passwords were compromised, forcing GoDaddy to reset those as well. Fourth, the SSL private key was exposed for a certain number of active customers. The company said that it’s currently setting up new SSL certificates for those customers.

After learning about the breach, Comes said that GoDaddy blocked the third party from its system. However, the attacker had already been using the compromised password since Sept. 6, giving them more than two months to do damage before they were discovered.

“GoDaddy is a $3.3B company who you can assume has a large investment in cybersecurity, yet they still had an adversary in their environment for 72 days,” said Ian McShane, field CTO for Arctic Wolf. “While it’s often said that the mean time to detection numbers are inflated (208 in the latest Ponemon [study]) and do not reflect the reality of a non-nation state attacker, this person managed to avoid being caught for two months.”

GoDaddy offers Managed WordPress hosting for customers who want to create and manage their own WordPress blogs and websites. The “managed” part of the equation means that GoDaddy handles all the basic administrative chores, such as installing and updating WordPress and backing up hosted sites. The “legacy code base” for the provisioning system refers to older code that must be maintained so the product stays backward compatible.


The investigation is ongoing, according to Comes, who said that the company is alerting all affected customers with more details. Apologizing for the breach, Comes promised that GoDaddy would learn from the incident, starting with the company now improving its provisioning system with more layers of protection.

“Any breach is unfortunate, especially where over a million customer records have been potentially compromised,” said Javvad Malik, security awareness advocate for KnowBe4. “Many individuals and small businesses rely on WordPress and GoDaddy to have a web presence, and this kind of breach can have a major impact.”

While expressing concerns that the attacker was in GoDaddy’s server for more than two months, Malik praised the company for its response.

“The company has reset exposed sFTP, database and admin user passwords and is installing new SSL certificates,” Malik said. “In addition, the company contacted law enforcement, a forensics team, and notified customers. All of this is an ideal playbook from which other organizations could learn to better understand how to respond to a breach.”

However, the ramifications from this breach are still to be determined. With so many accounts compromised, cybercriminals will most certainly rush to exploit the stolen credentials and other data for new attacks.

“The number of affected accounts—1.2 million—is so big that it feels like this would have been a lucrative ransomware opportunity, so there might be more to come from this story, particularly as we’ve seen more and more breaches devolve into ransomware and extortion sagas,” McShane said.
