GoDaddy Breached – Plaintext Passwords – 1.2Million Accounts Affected

GoDaddy Data Breach of 1.2M customer records and security details - what do you need to know as a customer?
November 23, 2021 9:55 am

This post was updated 24th November 2021.

If you are a GoDaddy customer then you need to take immediate action to secure your website and your customer data.

If you need some help with this, please feel free to connect with us and we’ll discuss a plan to help you get secure again.

GoDaddy Breached – Plaintext Passwords – 1.2M Accounts Affected

This morning, GoDaddy disclosed that an unknown attacker had gained unauthorised access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of those websites that are affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.

According to the report filed by GoDaddy with the SEC the attacker initially gained access via a compromised password on September 6, 2021, and was discovered on November 17, 2021 at which point their access was revoked. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.

During the period from September 6, 2021, to November 17, 2021, the sFTP and database usernames and passwords of active customers were accessible to the attacker. 

In 2019, scammers also used hundreds of compromised GoDaddy accounts to create 15,000 subdomains, attempting to impersonate popular websites and redirect potential victims to spam pages pushing miracle cure products.

Earlier in 2019, GoDaddy was found to inject JavaScript into US customers’ sites without their knowledge, thus potentially rendering them inoperable or impacting their overall performance.

What could an attacker do with this information?

With database access, the attacker would have had access to sensitive information, including website customer PII (personally identifiable information) stored on the databases of the impacted sites, and may have been able to extract the contents of all impacted databases in full. This includes information such as the password hashes stored in the WordPress user accounts databases of affected sites, and customer information from e-Commerce sites.

I have a GoDaddy account, and/or Website hosting – What do I need to do?

  • If you’re running an e-commerce site, or store PII (personally identifiable information), and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach. Please research what the regulatory requirements are in your jurisdiction, and make sure you comply with those requirements.
  • Change all of your WordPress passwords, and if possible force a password reset for your WordPress users or customers. As the attacker had access to the password hashes in every impacted WordPress database, they could potentially crack and use those passwords on the impacted sites.
  • Change any reused passwords and advise your users or customers to do so as well. The attacker could potentially use credentials extracted from impacted sites to access any other services where the same password was used. For example, if one of your customers uses the same email and password on your site as they use for their Gmail account, that customer’s Gmail could be breached by the attacker once they crack that customer’s password.
  • Enable 2-factor authentication wherever possible. The Wordfence plugin provides this as a free feature for WordPress sites, and most other services provide an option for 2-factor authentication.
  • Check your site for unauthorized administrator accounts.
  • Scan your site for malware using a security scanner.
  • Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins, or plugins that do not appear in the plugins menu, as it is possible to use legitimate plugins to maintain unauthorized access.
  • Be on the lookout for suspicious emails – phishing is still a risk, and an attacker could still use extracted emails and customer numbers to obtain further sensitive information from victims of this compromise.

GoDaddy hosting reseller brands also affected

UPDATE: 24th November 2021 GoDaddy confirms that multiple brands that resell GoDaddy Managed WordPress were impacted. The brands impacted include:

  • tsoHost
  • Media Temple
  • 123Reg
  • Domain Factory
  • Heart Internet
  • Host Europe

If you host with any of these brand please take immediate action to

This is an excerpt of the original Wordfence article.

 

Leave a Comment

Login
Log in below to access your courses.
Log In With Google
Forgot Password
Enter your email address or username and we’ll send you instructions to reset your password.