Data Breach Spreads to Six Web Hosts

The data breach at GoDaddy, which impacted up to 1.2 million web hosts, has now affected six additional web hosts that serve customers globally. These newly compromised web hosts are resellers of GoDaddy’s hosting services, and the intrusion dates they report are identical to those in GoDaddy’s own disclosure.

The six affected web hosting providers are:

  • 123Reg
  • Domain Factory
  • Heart Internet
  • Host Europe
  • Media Temple
  • tsoHost

Details of the Intrusion:
The state of California released the breach notification that GoDaddy submitted on November 23, 2021, which listed the following breach dates:

  • 09/06/2021
  • 09/07/2021
  • 09/08/2021
  • 09/09/2021
  • 09/10/2021
  • 09/11/2021
  • 11/07/2021

These dates are significant because customers of at least two of the affected hosting providers received notices citing the same initial intrusion date, September 6, 2021, as Wordfence has reported. This consistency points to a shared root cause for the breaches.

The notifications to GoDaddy customers and those to at least two of the additional web hosts bear similarities.

Excerpts from the notifications:

GoDaddy’s notification to customers:
“We are writing to inform you of a security incident impacting your GoDaddy Managed WordPress hosting service.
On November 17, we identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of a third-party IT forensics firm and have contacted law enforcement.
Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, your customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords.
What this means is the unauthorized party could have obtained the ability to access your Managed WordPress service and make changes to it, including to alter your website and the content stored on it.”

Notification to Media Temple customers:
“…we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, the customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords.”

Administrators from the affected web hosts have reset passwords and recommend that customers do the same. Those whose SSL certificate data was exposed may need to reinstall their certificates.

Potential Risks for Customers:
Customers of the six web hosts subjected to the data breach could face ongoing security risks: their sFTP, database and WordPress administrator credentials were exposed for roughly two months before detection, giving attackers ample time to install backdoors, create rogue administrative accounts, and upload malicious scripts that a password reset alone will not remove.
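The following triage helper is an added illustration and is not code from the article, GoDaddy, the listed resellers, or Wordfence. It shows the two checks a site owner would most want to run after the password reset: administrator accounts registered on or after the September 6, 2021 intrusion date, and PHP files that either sit under `wp-content/uploads` (which should contain only media) or were modified inside the exposure window. The user rows and file listing are constructed sample data in the shape of `wp_users` joined with the `wp_capabilities` meta value and of an `os.walk` over `wp-content`; the date, file paths and account names are assumptions for the example, not data from any affected site.

```python
"""
Post-incident triage for a WordPress site whose hosting credentials were exposed.
Added example, not code from GoDaddy, the resellers or Wordfence.
Assumptions: the exposure window opens on 2021-09-06 (the date in the breach
notices); user rows mirror wp_users joined with the wp_capabilities meta value;
file entries are (path, mtime) tuples as an os.walk over wp-content would yield.
"""
from datetime import datetime, timezone

# Initial intrusion date from the breach notices (assumed to be the start of exposure).
INTRUSION_START = datetime(2021, 9, 6, tzinfo=timezone.utc)

# Constructed sample rows: wp_users joined with wp_usermeta (meta_key = 'wp_capabilities').
# wp_capabilities is a PHP-serialized array; the role name appears as a quoted string key.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2019-03-14 10:02:11",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 7, "user_login": "editor-jane", "user_registered": "2020-11-02 08:15:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 42, "user_login": "wp-support", "user_registered": "2021-09-08 03:41:27",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# Constructed file listing: (relative path, last-modified time in UTC).
SAMPLE_FILES = [
    ("wp-content/uploads/2021/08/hero.jpg", datetime(2021, 8, 20, tzinfo=timezone.utc)),
    ("wp-content/uploads/2021/09/.cache.php", datetime(2021, 9, 9, tzinfo=timezone.utc)),
    ("wp-content/themes/twentytwentyone/functions.php", datetime(2021, 10, 2, tzinfo=timezone.utc)),
    ("wp-content/plugins/akismet/akismet.php", datetime(2021, 6, 1, tzinfo=timezone.utc)),
]


def parse_wp_datetime(value: str) -> datetime:
    """wp_users.user_registered is stored as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def is_administrator(capabilities: str) -> bool:
    """True when the serialized wp_capabilities array carries the administrator role."""
    return '"administrator"' in capabilities


def suspicious_admins(users, since: datetime = INTRUSION_START) -> list:
    """Logins of administrator accounts registered on or after the intrusion date.
    Accounts the owner did not create in this window are candidates for removal."""
    return [u["user_login"] for u in users
            if is_administrator(u["wp_capabilities"])
            and parse_wp_datetime(u["user_registered"]) >= since]


def suspicious_files(files, since: datetime = INTRUSION_START) -> list:
    """PHP files anywhere under uploads (never legitimate there), plus any other PHP
    file modified on or after the intrusion date. Both warrant manual review."""
    hits = []
    for path, mtime in files:
        is_php = path.lower().endswith(".php")
        in_uploads = path.startswith("wp-content/uploads/")
        if is_php and (in_uploads or mtime >= since):
            hits.append(path)
    return hits


if __name__ == "__main__":
    print("Admin accounts created inside the exposure window:", suspicious_admins(SAMPLE_USERS))
    print("PHP files to review:", suspicious_files(SAMPLE_FILES))
```

On a live site the two lists would be fed from a `SELECT` over `wp_users`/`wp_usermeta` and a walk of `wp-content`; the exposure window used here begins at the earliest date in the notice, because the notices give no end date and the credentials stayed valid until the hosts reset them. Rotating the database password also means updating `DB_PASSWORD` in `wp-config.php`, since the old value is exactly what the notice says was exposed.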

Sources:

  • GoDaddy Breach Widens to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe
  • California Data Security Breach Notification
  • Sample Of Email Sent By GoDaddy (PDF)
