GoDaddy reports that it was the victim of a data breach affecting up to 1.2 million of its customers. The breach occurred in September 2021, although the web hosting service didn’t notice it until November of this year. Security researchers say the breach was the result of inadequate security that failed to meet industry best practices. While GoDaddy has changed the passwords of the affected customers, those customers may still be at risk for additional problems caused by the hackers while they had access to customer accounts.
GoDaddy’s investigation shows that the attack began on September 6, 2021, but wasn’t discovered until November 17. It also reported that a third party had accessed its provisioning system in GoDaddy’s legacy code base for its Managed WordPress hosting environment. This system is the process by which GoDaddy sets up its customers with their new hosting services, which involves assigning them server space, usernames and passwords. GoDaddy also informed the United States Security and Exchange Commission (SEC) of the breach in November.
The customer data that was exposed includes the following:
- Customer numbers
- Email addresses
- WordPress administrator passwords
- Secure FTP (SFTP) usernames and passwords
- Database usernames and passwords
- SSL private keys
Wordfence security experts report that GoDaddy’s Managed WordPress hosting environment stored sFTP usernames and passwords in unencrypted plain text, allowing hackers to freely obtain usernames and passwords. This approach doesn’t comply with industry best practices, which generally prohibits storing any passwords in a reversible format. The most commonly accepted methods of protecting passwords are to either store them as salted hashes or provide public key authentication for passwords.
GoDaddy’s report to the SEC states that it has reset all the passwords for affected customers, which should prevent future breaches of those accounts. However, the report also describes the possibility of phishing attacks, since the attackers now have customer email addresses. Furthermore, the fact that the intrusion wasn’t detected for over two months means that websites hosted on GoDaddy could still be compromised because those websites could still contain malicious files left by the hackers. This possibility requires GoDaddy to perform a thorough security scan to remove these files, which could be backdoors or Trojans. Hackers can use these types of files to upload other malicious files or add a user account with administrative privileges.
However, GoDaddy’s official statement doesn’t mention anything about the measures it has taken to repair websites that could still be compromised. Wordfence analysts acknowledge that the two-month period during which the breach was undiscovered could have allowed attackers to retain control over the website even after GoDaddy changed the passwords for those users. Furthermore, the damage may not be limited to the businesses hosted on WordPress through GoDaddy, according to Wordfence. Hackers also had access to databases that could allow them to access additional customer information, including sensitive data stored on ecommerce websites.
A data breach affecting over a million GoDaddy customers occurred in September 2021, which remained undetected for two months. Hackers were able to exploit a vulnerability in GoDaddy’s hosting service that involved storing customer passwords in plain text, making it easy for them to access those customers’ accounts. GoDaddy has reported this breach to the general public and specifically to the SEC.
GoDaddy’s only reported action so far is to reset the passwords of the affected customer accounts. The hosting service hasn’t said anything yet concerning the mitigation of other possible actions by the attackers such as compromised databases, rogue administrator accounts, and malicious scripts. Additional breaches of ecommerce sites hosted by GoDaddy are another issue of concern for their customers going forward.