Posted on November 24, 2021 at 12:50 PM
GoDaddy Says 1.2 Million GoDaddy Sites Have Been Breached For Months
Web hosting giant GoDaddy recently disclosed that a data breach led to unauthorized access to the data of over 1 million active and inactive customers. This makes it the third time such a security incident has been recorded at the company since 2018.
Based on the filing GoDaddy made with the US Securities and Exchange Commission (SEC), a malicious third party gained access to its managed WordPress hosting environment using a compromised password. The filing revealed that the threat actors used the password to steal sensitive information about its customers. However, it is not clear whether the compromised account was protected by two-factor authentication.
Investigation Into The Breach Is Underway
GoDaddy said it has launched an investigation into the situation. The company also stated that it is “contacting all impacted customers directly with specific details.”
The threat actors may have accessed the customer numbers and email addresses of about 1.2 million WordPress customers who are either active or inactive.
They also accessed the SSL private keys of a subset of active customers, along with sFTP and database usernames, as well as the original WordPress Admin password set at the time of provisioning.
GoDaddy also stated that it is issuing and installing new certificates for the affected customers. As a precautionary step, the company says it has reset the affected passwords and will be improving its security systems to ward off further attacks.
A Flaw In GoDaddy’s Password-Protection System
Chief Executive Officer of Wordfence, Mark Maunder, stated that GoDaddy generally stores sFTP passwords in a way that allows easy retrieval of the plaintext versions. He added that the platform does not follow the industry best practice of offering public-key authentication or storing only salted hashes of the passwords.
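The storage difference Maunder describes is the one that decides what a database dump is worth to whoever copies it. The following added example, which is not part of the original article and not GoDaddy's or Wordfence's code, puts a retrievable-plaintext credential store next to a salted, iterated hash store (PBKDF2-HMAC-SHA256 from the Python standard library) and checks what each one leaks when its raw contents are dumped. The username and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credential (assumption for the demo; not real customer data).
SAMPLE_USERNAME = "site-12345"
SAMPLE_PASSWORD = "correct horse battery staple"

PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16               # 128-bit random salt per stored password


class PlaintextStore:
    """The weak pattern described in the article: the password is kept in a
    form from which the plaintext can be read back, so a copy of the store is
    a copy of every customer's credential."""

    def __init__(self):
        self._rows = {}

    def add(self, username, password):
        self._rows[username] = password

    def verify(self, username, password):
        stored = self._rows.get(username)
        return stored is not None and hmac.compare_digest(stored, password)

    def dump(self):
        # What a raw copy of the table exposes.
        return {u: {"password": p} for u, p in self._rows.items()}


class SaltedHashStore:
    """Salted, iterated hashing: the store holds only a per-user random salt,
    the iteration count and the derived key. The plaintext cannot be read back,
    and every password has to be guessed separately because salts differ."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._rows = {}
        self.iterations = iterations

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def add(self, username, password):
        salt = os.urandom(SALT_BYTES)
        digest = self._derive(password, salt, self.iterations)
        self._rows[username] = (salt, self.iterations, digest)

    def verify(self, username, password):
        row = self._rows.get(username)
        if row is None:
            return False
        salt, iterations, expected = row
        candidate = self._derive(password, salt, iterations)
        # Constant-time comparison so verification timing does not leak prefix matches.
        return hmac.compare_digest(candidate, expected)

    def dump(self):
        return {
            u: {"salt": s.hex(), "iterations": i, "hash": h.hex()}
            for u, (s, i, h) in self._rows.items()
        }


def plaintext_recoverable(store_dump, password):
    """True if the password appears verbatim anywhere in a dump of the store."""
    return any(password in str(row) for row in store_dump.values())


def compare_stores(iterations=PBKDF2_ITERATIONS):
    """Populate both stores with the sample credential and report, for each,
    whether login still works and whether a dump gives away the plaintext."""
    weak = PlaintextStore()
    weak.add(SAMPLE_USERNAME, SAMPLE_PASSWORD)

    strong = SaltedHashStore(iterations=iterations)
    strong.add(SAMPLE_USERNAME, SAMPLE_PASSWORD)

    return {
        "plaintext_login_ok": weak.verify(SAMPLE_USERNAME, SAMPLE_PASSWORD),
        "plaintext_dump_leaks": plaintext_recoverable(weak.dump(), SAMPLE_PASSWORD),
        "hashed_login_ok": strong.verify(SAMPLE_USERNAME, SAMPLE_PASSWORD),
        "hashed_wrong_password": strong.verify(SAMPLE_USERNAME, "wrong"),
        "hashed_dump_leaks": plaintext_recoverable(strong.dump(), SAMPLE_PASSWORD),
    }


if __name__ == "__main__":
    for key, value in compare_stores().items():
        print(f"{key}: {value}")
```

Both stores accept the correct password, so the hosting panel works identically either way; the difference only shows up in the dump, where the plaintext store hands over the credential and the hashed store hands over a salt and a digest that still have to be brute-forced one account at a time. A production system would use a dedicated password hash such as Argon2 or bcrypt, but PBKDF2 is enough to show the shape of the fix.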
Although data breaches are now more common than ever, exposure of passwords and email addresses together presents a high risk of phishing attacks. It also gives the threat actors the ability to infiltrate the exposed WordPress sites and plant malware. Once inside, the hackers can dig deeper to reach personally identifiable information stored on the affected system.
Maunder added that on the sites where the SSL private key was exposed, the threat actor can use the stolen key to decrypt traffic.
The popularity of WordPress among website builders has made it a constant target for bad actors. The platform powers over 42% of all websites, which makes any reported breach a very serious matter.
GoDaddy is one of the largest web hosting firms in the world, with tens of millions of sites hosted on its platform.
The latest breach was discovered on GoDaddy's Managed WordPress servers. According to the web hosting giant, the breach was discovered on September 6.
The Breach Puts Affected Customers At Risk Of Phishing Attacks
WordPress stated that the managed service is an optimized and streamlined hosting platform that builds and manages WordPress sites. Under that model, GoDaddy takes care of basic hosting administrative tasks such as server-level caching, WordPress core updates, automated daily backups, and the installation of WordPress itself.
GoDaddy has warned the affected users that the exposure puts them at greater risk of several kinds of attack in the future, phishing in particular. The firm also admitted that customers who never changed the original password set when WordPress was first installed are at greater risk of a breach. According to the web host, threat actors may have had access to the websites of those who have not changed that original password.
WordPress Sites Are At More Risk Of Being Hacked
WordPress is an open-source platform, which makes it more appealing to threat actors looking to plant malware and steal vital information. BleepingComputer reported last week that a new wave of attacks breached almost 300 WordPress sites and displayed fake encryption notices. The threat actors were trying to deceive the site owners into paying 0.1 Bitcoin (BTC) for restoration. The ransom demands also came with a countdown timer that induces a sense of urgency and urges the admin to pay quickly. The attacks were reported by cybersecurity firm Sucuri, which came across them while performing incident response for a client.
Sucuri has tracked about 290 websites affected by the campaign using a Google search. According to the security firm, the affected sites include both sites that have since been cleaned up and those still showing ransom notes.