Over one million GoDaddy hosting customers experienced a data breach in September 2021 that went undetected for two months. GoDaddy characterized the security event as a vulnerability. Security researchers suggest the vulnerability was due to subpar security measures that failed to meet industry standards.
In a statement, GoDaddy announced they had changed passwords for the affected customers of their WordPress Managed Hosting.
However, simply changing passwords may not fully address potential issues left by hackers, meaning up to 1.2 million GoDaddy hosting customers could remain vulnerable to security problems.
### GoDaddy Informs SEC of Breach
On November 22, 2021, GoDaddy notified the United States Securities and Exchange Commission (SEC) that they had discovered “unauthorized third-party access” to their “Managed WordPress hosting environment.”
GoDaddy’s investigation revealed that the intrusion began on September 6, 2021, and went unnoticed until November 17, 2021.
### Who is Affected and How
GoDaddy’s statement indicates that up to 1.2 million customers of their WordPress managed hosting environment may be affected by the security breach.
According to their statement to the SEC, the data breach resulted from a compromised password in their provisioning system.
A provisioning system sets up new customers with their hosting services by assigning them server space, usernames, and passwords.
#### GoDaddy explained what happened:
“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.”
#### GoDaddy customer data that was exposed includes:
– Email addresses
– Customer numbers
– Original WordPress administrator-level passwords
– Secure FTP (SFTP) usernames and passwords
– Database usernames and passwords
– SSL private keys
### What Caused the GoDaddy Security Breach
GoDaddy described the cause of the intrusion as a vulnerability. This is generally considered a weakness or flaw in software coding but can also result from lapses in good security measures.
Security researchers discovered that GoDaddy’s Managed WordPress hosting stored SFTP usernames and passwords in a way that did not conform to industry best practices.
SFTP stands for Secure File Transfer Protocol, a secure method of uploading files to and downloading files from a hosting server.
According to security experts, the usernames and passwords were stored in plain text, allowing hackers to freely harvest them.
#### Security experts explained the security lapse they discovered:
“GoDaddy stored SFTP passwords such that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords or providing public key authentication, which are both industry best practices. Storing plaintext passwords or passwords in a reversible format for an SSH connection is not a best practice.”
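To make the difference concrete, the following Python snippet is an added illustration (not GoDaddy's code and not from the researchers quoted above) of the two storage patterns the quote contrasts: a record that holds the password itself versus a salted, iterated hash that can verify a login but cannot be turned back into the password. The sample password and the `algorithm$iterations$salt$digest` record format are assumptions for this example; the quote's other recommendation, public key authentication, removes the stored password entirely and is not shown here.

```python
import hashlib
import hmac
import os

# Constructed sample credential for this demonstration; not a real GoDaddy value.
SAMPLE_PASSWORD = "correct horse battery staple"


def store_plaintext(password: str) -> str:
    """The weak pattern described in the article: the stored record is the
    secret itself, so anyone who reads the provisioning database holds every
    customer's working SFTP password."""
    return password


def store_salted_hash(password: str, iterations: int = 600_000) -> str:
    """Store a PBKDF2-HMAC-SHA256 salted hash instead (assumed record format:
    algorithm$iterations$salt$digest). The record can verify a login attempt
    but cannot be reversed into the password. A fresh random salt per record
    means two customers with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_hash(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def record_exposes_secret(record: str, password: str) -> bool:
    """What a database dump reveals to whoever reads it: True when the stored
    record contains the password itself."""
    return password in record


if __name__ == "__main__":
    weak = store_plaintext(SAMPLE_PASSWORD)
    strong = store_salted_hash(SAMPLE_PASSWORD)
    print("plaintext record exposes secret:", record_exposes_secret(weak, SAMPLE_PASSWORD))
    print("hashed record exposes secret:   ", record_exposes_secret(strong, SAMPLE_PASSWORD))
    print("hashed record verifies login:   ", verify_salted_hash(SAMPLE_PASSWORD, strong))
    print("hashed record rejects wrong pw: ", not verify_salted_hash("wrong", strong))
```

The practical consequence for incident response is the one the article draws: a dump of plaintext records is a dump of working credentials, so every one must be rotated, whereas a dump of salted hashes still has to be attacked one record at a time.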
### GoDaddy Security Issues May Still Be Ongoing
GoDaddy’s statement to the SEC mentioned that the exposure of customer emails could lead to phishing attacks. They also stated that all passwords had been reset for affected customers, which appears to close the door on the security breach but does not do so entirely.
However, two months elapsed before GoDaddy discovered the security lapse, so websites hosted on GoDaddy might still be compromised if malicious files uploaded during that time have not been removed.
Changing the passwords of affected websites is insufficient; a thorough security scan should have been performed to ensure affected websites are free of backdoors, Trojans, and malicious files.
GoDaddy’s official statement has not addressed mitigating the effects of already compromised websites.
#### Security researchers acknowledged this shortcoming:
“…the attacker had nearly a month and a half of access during which they could have taken over these sites by uploading malware or adding a malicious administrative user. Doing so would allow the attacker to maintain persistence and retain control of the sites even after the passwords were changed.”
Security experts also noted that the damage is not limited to businesses hosted on WordPress managed hosting. They observed that hacker access to website databases could provide access to website customer information, revealing sensitive customer information stored on e-commerce websites.
### Effects of GoDaddy Data Breach May Continue
GoDaddy only announced that they have reset passwords. However, nothing was said about identifying and fixing compromised databases, removing rogue administrator accounts, or finding malicious scripts that may have been uploaded. There was also no mention of possible data breaches involving sensitive customer information from e-commerce sites hosted on GoDaddy.
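The two persistence mechanisms the researchers name above (a malicious administrative user and uploaded malware) are the things a site owner can check for themselves, independent of the host's password reset. The following Python triage script is an added example written for this article, not GoDaddy's or the researchers' tooling: it takes an export of the site's user table and a file listing, both constructed inline here, and flags administrator accounts registered inside the intrusion window reported to the SEC (September 6 to November 17, 2021) plus PHP files that either sit in the uploads directory, where PHP should never be, or were modified inside the window. The field names, sample users and sample paths are assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Intrusion window from GoDaddy's SEC notice: 2021-09-06 through 2021-11-17.
INTRUSION_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
INTRUSION_END = datetime(2021, 11, 17, 23, 59, 59, tzinfo=timezone.utc)


@dataclass(frozen=True)
class WpUser:
    """One row from the site's user table (assumed export format)."""
    login: str
    registered: datetime
    roles: tuple


@dataclass(frozen=True)
class FileRecord:
    """One entry from a file listing, path relative to the WordPress root."""
    path: str
    mtime: datetime


def rogue_admin_candidates(users, start=INTRUSION_START, end=INTRUSION_END):
    """Administrator accounts created while the attacker had access."""
    return [
        u.login
        for u in users
        if "administrator" in u.roles and start <= u.registered <= end
    ]


def suspicious_php_files(files, start=INTRUSION_START, end=INTRUSION_END):
    """PHP files that warrant review, with the reason each was flagged."""
    findings = {}
    for f in files:
        if not f.path.lower().endswith(".php"):
            continue
        if f.path.startswith("wp-content/uploads/"):
            # Uploads should hold media only; executable code there is a classic web shell drop.
            findings[f.path] = "php in uploads directory"
        elif start <= f.mtime <= end:
            findings[f.path] = "php modified inside intrusion window"
    return findings


# Constructed sample data for the demonstration; not from any real site.
SAMPLE_USERS = [
    WpUser("owner", datetime(2019, 3, 1, tzinfo=timezone.utc), ("administrator",)),
    WpUser("editor_jane", datetime(2021, 10, 2, tzinfo=timezone.utc), ("editor",)),
    WpUser("wp_support_tmp", datetime(2021, 10, 14, tzinfo=timezone.utc), ("administrator",)),
]

SAMPLE_FILES = [
    FileRecord("wp-content/uploads/2021/10/image.jpg", datetime(2021, 10, 14, tzinfo=timezone.utc)),
    FileRecord("wp-content/uploads/2021/10/cache.php", datetime(2021, 10, 14, tzinfo=timezone.utc)),
    FileRecord("wp-includes/class-wp-http.php", datetime(2021, 10, 20, tzinfo=timezone.utc)),
    FileRecord("wp-login.php", datetime(2021, 8, 1, tzinfo=timezone.utc)),
    FileRecord("wp-content/themes/twentytwentyone/functions.php", datetime(2021, 12, 1, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    print("admin accounts created in window:", rogue_admin_candidates(SAMPLE_USERS))
    for path, reason in suspicious_php_files(SAMPLE_FILES).items():
        print(f"review {path}: {reason}")
```

Two caveats belong with this check. An attacker who held the database credentials the article lists could have edited the registration timestamp on an account they created, so the user list should also be compared against a backup taken before September 6. Likewise, a PHP file modified inside the window may simply be a legitimate core or plugin update, so flagged core files should be compared against the official release checksums rather than deleted on sight.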