GoDaddy recently revealed, in a report filed with the Securities and Exchange Commission (SEC), that an unknown attacker had unauthorised access to one of its systems: the system used to provision the company's Managed WordPress sites. This means the breach could affect up to 1.2 million of its WordPress customers. Keep in mind that this figure could be higher, and that it does not count the customers of the affected websites themselves; some GoDaddy customers also have multiple Managed WordPress sites in their accounts.
Fortunately, this GoDaddy breach does not affect our clients, as we host on our own servers rather than with GoDaddy. Protecting our clients' information is a top priority, so we take every precaution to keep it safe. Here are just a few of the ways we protect our clients' data and keep attacks like this at bay:
- We never store passwords in plain text. Even on WordPress sites, we encrypt all databases and passwords using unique keys, so every site we host is isolated from the others.
- We encrypt and store any client-supplied passwords separately
- Our servers and Client Hosting Containers all use separate credentials
- Our security approach is to deny all access by default, meaning that even if someone steals credentials, they cannot access anything until we grant the ability to log in. This includes common protocols such as sFTP and SSH.
- We do not allow unencrypted connections, whether plain HTTP or plain FTP; this is not negotiable.
- We run three layers of firewalls designed to make intrusion attempts extremely difficult.
What happened with the GoDaddy breach?
According to the report, the attacker initially gained access using a compromised password on September 6, 2021, but the intrusion was not discovered until November 17, 2021. That gave the attacker more than two months to establish persistence, so anyone using GoDaddy's Managed WordPress service should assume this event can affect them.
sFTP (SSH File Transfer Protocol) credentials were stored either in plaintext or in a form that could be reversed into plaintext, rather than as a salted hash or as a public key, both of which are industry standards for sFTP. That storage choice is what handed the attacker working credentials: a salted hash must be guessed offline, and with public-key authentication the server holds only the public key, which is useless to whoever steals it.
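To make the difference concrete, here is an added example (not code from the page, GoDaddy or Wordfence) contrasting a credential store that keeps passwords in a reversible form with one that keeps only a per-user salt and PBKDF2 digest, and then running an offline dictionary attack against the hashed form. The class names, the sample usernames and passwords, the wordlist and the PBKDF2 work factor are all constructed for illustration.

```python
"""Reversible credential storage versus salted hashing, and what a leaked
credential store gives an attacker in each case.

Added example, not code from the page, GoDaddy or Wordfence.  The class names,
the sample usernames/passwords and the wordlist are constructed for
illustration; the PBKDF2 work factor is an arbitrary illustrative value."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor


class ReversibleStore:
    """Keeps the password itself (or, equivalently, a ciphertext plus the key
    needed to reverse it).  A login check is trivial, but so is the dump."""

    def __init__(self):
        self._rows = {}  # username -> plaintext password

    def add(self, user, password):
        self._rows[user] = password

    def verify(self, user, candidate):
        stored = self._rows.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode(), candidate.encode())

    def dump(self):
        """What an attacker who reads the store obtains: every password."""
        return dict(self._rows)


class HashedStore:
    """Keeps a per-user random salt and PBKDF2 digest; the plaintext is never
    written anywhere, so a dump yields only material that must be guessed."""

    def __init__(self):
        self._rows = {}  # username -> (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   PBKDF2_ROUNDS)

    def add(self, user, password):
        salt = os.urandom(16)
        self._rows[user] = (salt, self._digest(password, salt))

    def verify(self, user, candidate):
        """Login check: recompute with the stored salt, compare constant-time."""
        row = self._rows.get(user)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(self._digest(candidate, salt), digest)

    def dump(self):
        """What an attacker obtains: hex salts and digests, no passwords."""
        return {u: (s.hex(), d.hex()) for u, (s, d) in self._rows.items()}

    def crack(self, user, wordlist):
        """Offline guessing against one stolen row.  Each guess costs the full
        work factor, and only a password present in the wordlist (weak or
        reused) is recovered; this is why changing reused passwords still
        matters even when a site stored hashes rather than plaintext."""
        salt, digest = self._rows[user]
        for guess in wordlist:
            if hmac.compare_digest(self._digest(guess, salt), digest):
                return guess
        return None


if __name__ == "__main__":
    rev, hashed = ReversibleStore(), HashedStore()
    for user, pw in [("site-1", "Correct-Horse-9"), ("site-2", "password123")]:
        rev.add(user, pw)
        hashed.add(user, pw)
    print("reversible dump:", rev.dump())      # passwords in the clear
    print("hashed dump:", hashed.dump())        # salts and digests only
    print("site-2 cracked:", hashed.crack("site-2", ["letmein", "password123"]))
    print("site-1 cracked:", hashed.crack("site-1", ["letmein", "password123"]))
```

Running it shows the two dumps side by side: the reversible store hands over both passwords outright, while the hashed store gives up only the weak, wordlist-guessable one, and only after paying the work factor per guess. A real deployment would also use a higher work factor or a memory-hard function such as scrypt or Argon2; the stdlib PBKDF2 here is simply the most portable way to show the mechanism.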
What did the GoDaddy attacker have access to?
The attacker potentially accessed customer email addresses and customer numbers, the initial WordPress admin password set at the time of installation, and SSL private keys. One thing in particular stands out:
During the period between September 6, 2021, and November 17, 2021, the attacker was able to access the sFTP and database usernames and passwords of active customers.
According to the team at Wordfence, "GoDaddy seems to acknowledge that they stored database passwords as plaintext or in a reversible format. Unfortunately, storing database passwords as plaintext is quite normal in a WordPress setting, where the database password is in the wp-config.php file as text. What is more surprising, in this breach, is that the password that provides read/write access to the entire filesystem via sFTP is plaintext."
What could an attacker do with this information?
The SEC filing warns of the potential for phishing arising from the exposed email addresses and customer numbers. That risk, however, is minor compared with the exposure of sFTP and database passwords.
The attacker had a lengthy period before anyone intervened to reset the sFTP and database passwords on the affected sites, which might have let them upload malware or add a malicious administrative user. Either would allow the attacker to maintain persistence and retain control even after new passwords were set.
The attacker would also have had access to critical information in the sites' databases, such as customer PII (Personally Identifiable Information). They might have been able to obtain entire database contents, including the password hashes in the WordPress user tables of affected sites and the customer records of eCommerce sites.
On sites where the SSL (Secure Socket Layer) private key was exposed, an attacker holding that key can impersonate the site and carry out a man-in-the-middle (MITM) attack on its traffic. Passively decrypting previously captured traffic with a stolen key only works for connections that used RSA key exchange; connections negotiated with forward-secret (ephemeral Diffie-Hellman) cipher suites cannot be decrypted after the fact, but active impersonation remains possible until the certificate is replaced and the old one revoked.
What should I do if I have a GoDaddy Managed WordPress site?
Customers who use GoDaddy's Managed WordPress service should be notified directly if their sites are affected. However, given the nature of the problem and the data the attacker had access to, we strongly advise all Managed WordPress users to assume they have been breached and take the following steps:
- If you run an eCommerce site or store PII, and GoDaddy has confirmed that your site was affected, you may have to notify your customers. Familiarise yourself with the regulatory requirements in your jurisdiction and make sure you follow them.
- Change all of your WordPress passwords and force a password reset for your WordPress users or clients: the attacker had access to the password hashes in every impacted WordPress database.
- Change any reused passwords and advise your users or customers to do the same. Credentials extracted from a compromised site may unlock any other service where the same password was used; if one of your clients uses the same email and password on your site as on their Gmail account, the attacker can break into that Gmail account once the password hash has been cracked.
- Enable two-factor authentication (2FA). The Wordfence plugin provides this as a free feature for WordPress sites, and most other services offer a 2FA option.
- Check your site for unauthorised administrator accounts.
- Scan your site for malware using a security scanner.
- Check your site's filesystem for any unexpected plugins; legitimate plugins can also be used to maintain unauthorised access.
- Be on the lookout for suspicious emails. Phishing is still a risk, and an attacker could use the exposed emails and customer numbers to extract further sensitive information from victims of this breach.
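The three filesystem and account checks in the list above (unauthorised administrators, unexpected plugins, and files that should not be there) can be scripted. The following is an added example, not code from the page, GoDaddy or Wordfence: it lists administrator accounts from `wp_usermeta` rows, compares the installed plugin directories (including must-use plugins) against an expected set, and flags PHP files under `wp-content/uploads`, which should only ever hold media. The sample usermeta rows, the expected-plugin set and the directory layout it builds are constructed, and its tiny PHP-serialization parser only handles the `role => bool` arrays WordPress writes to `wp_capabilities`.

```python
"""Post-breach WordPress triage helpers: list administrator accounts from
wp_usermeta rows, find plugins that are not on an expected list (including
must-use plugins), and find PHP files under wp-content/uploads.

Added example, not code from the page, GoDaddy or Wordfence.  The sample
usermeta rows, the expected-plugin set and the directory layout are
constructed, and the PHP-serialization parser handles only the
role => bool arrays WordPress writes to wp_capabilities."""
import re
import tempfile
from pathlib import Path

# One 'string key => bool' pair inside a PHP serialized array, e.g.
# a:1:{s:13:"administrator";b:1;}   (assumption: role names contain no quotes)
_ROLE_RE = re.compile(r's:\d+:"([^"]*)";b:([01]);')


def parse_roles(serialized):
    """Roles set to true in a wp_capabilities value."""
    return {role for role, flag in _ROLE_RE.findall(serialized) if flag == "1"}


def unexpected_admins(usermeta_rows, known_admins):
    """usermeta_rows: iterable of (user_login, wp_capabilities meta_value).
    Returns logins that hold 'administrator' but are not in known_admins."""
    return sorted(login for login, caps in usermeta_rows
                  if "administrator" in parse_roles(caps)
                  and login not in known_admins)


def installed_plugins(wp_root):
    """Entries in wp-content/plugins plus wp-content/mu-plugins.  Must-use
    plugins load on every request and cannot be deactivated from the admin
    UI, which makes that directory a natural place to hide persistence."""
    content = Path(wp_root) / "wp-content"
    found = set()
    plugins = content / "plugins"
    if plugins.is_dir():
        found |= {p.name for p in plugins.iterdir()}
    mu = content / "mu-plugins"
    if mu.is_dir():
        found |= {"mu-plugins/" + p.name for p in mu.iterdir()}
    return found


def unexpected_plugins(wp_root, expected):
    return sorted(installed_plugins(wp_root) - set(expected))


def php_under_uploads(wp_root):
    """PHP files beneath wp-content/uploads, which should hold media only."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(wp_root).as_posix()
                  for p in uploads.rglob("*.php"))


def build_sample_site(base):
    """Constructed layout standing in for a compromised install (not real data)."""
    base = Path(base)
    for d in ("wp-content/plugins/akismet", "wp-content/plugins/wp-file-manager",
              "wp-content/mu-plugins", "wp-content/uploads/2021/11"):
        (base / d).mkdir(parents=True, exist_ok=True)
    (base / "wp-content/mu-plugins/helper.php").write_text("<?php // runs on every request\n")
    (base / "wp-content/uploads/2021/11/photo.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "wp-content/uploads/2021/11/cache.php").write_text("<?php // not a media file\n")
    return str(base)


SAMPLE_USERMETA = [  # (user_login, wp_capabilities) rows, constructed
    ("owner",       'a:1:{s:13:"administrator";b:1;}'),
    ("editor_jane", 'a:1:{s:6:"editor";b:1;}'),
    ("wp_support",  'a:1:{s:13:"administrator";b:1;}'),  # nobody created this
    ("old_admin",   'a:1:{s:13:"administrator";b:0;}'),  # role flag is false
]


def triage(wp_root, known_admins, expected_plugins, usermeta_rows=SAMPLE_USERMETA):
    """Run all three checks and return the findings."""
    return {
        "admins": unexpected_admins(usermeta_rows, known_admins),
        "plugins": unexpected_plugins(wp_root, expected_plugins),
        "php_in_uploads": php_under_uploads(wp_root),
    }


def demo():
    """Builds the sample site in a temporary directory and triages it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_site(tmp), {"owner"}, {"akismet"})


if __name__ == "__main__":
    for check, hits in demo().items():
        print(f"{check}: {hits}")
```

On a live install the same checks map onto WP-CLI: `wp user list --role=administrator` for accounts, `wp plugin list` for plugins, and `wp core verify-checksums` together with `wp plugin verify-checksums --all` to compare core and plugin files against the known-good copies on WordPress.org. A modified core file or an unexplained must-use plugin is a strong signal that the full malware scan recommended above is warranted, and that the site should be treated as still under the attacker's control until it is cleaned.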
The GoDaddy Managed WordPress breach will have a big impact: GoDaddy's WordPress platform is a major component of the WordPress ecosystem, and the breach has implications for both site owners and their customers. According to the SEC filing, "up to 1.2 million active and inactive Managed WordPress customers" could be affected.
Until further notice, anyone who uses GoDaddy's Managed WordPress service should assume their sites may be at risk and follow the steps in this article.
If you want help with all things tech, including hosting and web development, get in touch with our team today.
GoDaddy SEC Report