Up to 1.2 Million WordPress Accounts At Risk in Latest Breach
An unauthorized attacker managed to breach a “legacy” WordPress management tool still in use at GoDaddy.
The attacker used a compromised password on September 6, 2021 to access the tool. However, the breach wasn’t discovered by GoDaddy’s internal security team until November 17, 2021.
Over the six-week period of unauthorized access up to 1.2 million active and inactive managed WordPress customers had their email address and customer number exposed to the attackers.
Additionally, major customer credentials and secrets have been exposed:
- Customers’ original WordPress Admin password (set at the time of account provisioning)
- Customers’ FTP and database usernames and (plaintext) passwords
- And, for a subset of these customers, their SSL private keys.
Immediate Consequences of the GoDaddy Breach
GoDaddy has implemented a series of changes to remediate the effects of the breach, including resetting any potentially compromised passwords.
While GoDaddy is still investigating the causes of the compromised accounts they are also reaching out to impacted customers to issue appropriate advice regarding resetting passwords.
They’re also attempting to raise awareness of the compromise of their users’ email addresses, so that those users can be conscious of phishing scams.
It is unclear whether GoDaddy has fully accounted for all potentially exposed private keys.
Long-term Consequences of the GoDaddy Breach
The attackers were able to gain access to raw passwords for sFTP and database accounts. It would therefore appear likely that at the very least GoDaddy was storing FTP credentials in a majorly insecure manner.
This is a huge security practice failure on GoDaddy’s part.
Storing passwords in plaintext is a major no-no. It’s unclear at this point why GoDaddy didn’t remediate this relatively basic flaw with their “legacy” managed WordPress service. This service – which makes up a sizeable portion of GoDaddy’s income – was fundamentally insecure.
It’s unclear what GoDaddy means by “legacy” and whether GoDaddy intended to move these customers off of this platform eventually. However it is clear that they did not do so soon enough.
GoDaddy is also keen to point out “best practices” for securing WordPress instances in a (long) series of posts. However, GoDaddy’s own mistakes here have lead to a massive customer exposure.
That does little to instill a sense of trust in GoDaddy who will need to do some reputation management in the coming months.
What should you do?
If you’re a GoDaddy Worpress user you should immediately reset all passwords associated with your account. Note: don’t re-use passwords, ever!
Users should also look to their email for notification from GoDaddy as to the status of their SSL certificates. At the time of this writing GoDaddy was still “in the process of issuing and installing new certificates for those customers.”
And it never hurts to consider alternatives when looking for WordPress hosting. We offer a low-cost basic hosting package that’s more than suitable for hosting a small WordPress site / blog. We also offer a wide variety of larger hosting packages that would perfectly suit the needs of a higher-trafficked site.