GoDaddy recently revealed through a report filed with the Securities and Exchange Commission (SEC) that an unknown attacker had gained unauthorised access to one of their systems. This system is used to provision the company’s Managed WordPress sites, meaning the hack could impact up to 1.2 million of their WordPress customers! Keep in mind that this figure could be higher as it does not include the total number of customers of the websites affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.
Fortunately, this breach does not affect our clients as we use our own servers for hosting instead of GoDaddy. Protecting our clients’ information is a top priority so we take every precaution to make sure it’s safe. Here are just a few of the ways we protect our clients’ data and keep attacks like this at bay…
- We never store passwords in plain text form; even on WordPress sites, all databases and passwords are encrypted using unique keys, meaning every site we host is isolated from every other site
- Any client supplied passwords are encrypted and stored in separately encrypted vaults
- Our servers and Client Hosting Containers all use separate encrypted credentials
- Our security approach is to deny all access by default, meaning that even if credentials were stolen, they cannot access anything until we grant the ability to login. This includes common protocols like sFTP, SSH etc.
- We do not allow unsecured connections via HTTP or sFTP – this is not negotiable
- We run three layers of firewalls designed to make attempting intrusion extremely difficult.
What happened with the GoDaddy breach?
According to the report, the attacker initially gained access via a compromised password on September 6, 2021, but was not discovered until November 17, 2021 – at which point their access was revoked. The attacker had over two months to build persistence, so anyone using GoDaddy’s Managed WordPress program should assume they have been compromised until they can confirm otherwise.
sFTP (SSH File Transfer Protocol) credentials appear to have been stored either in plaintext or in a form that could be reversed into plaintext. GoDaddy used this approach rather than utilising a salted hash or a public key, which are both considered industry standards for sFTP. This permitted the attacker to access them. According to GoDaddy’s SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”
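The contrast the article draws between a reversible credential store and a salted one-way hash is easy to see in code. The following Python is an added illustration, not code from GoDaddy, Wordfence or this site; it stores one record each way and shows what a reader of a leaked database learns from each. The record layout and the scrypt parameters are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed defaults for this example; n is the CPU/memory cost).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def store_plaintext(password: str) -> dict:
    """The pattern the article criticises: the record *is* the credential."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str) -> dict:
    """Salted one-way hash: the record can verify a login but cannot be turned back into the password."""
    salt = secrets.token_bytes(16)  # fresh random salt per credential
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {
        "scheme": "scrypt",
        "salt": base64.b64encode(salt).decode(),
        "hash": base64.b64encode(digest).decode(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type, in constant time."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode(), candidate.encode())
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    digest = hashlib.scrypt(candidate.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(digest, expected)


def password_recoverable_from_record(record: dict) -> bool:
    """What someone who dumps the credential table gets: plaintext hands over the
    password outright; a salted hash only lets them attempt guesses one at a time."""
    return record["scheme"] == "plaintext"


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    sample = "correct horse battery staple"
    for rec in (store_plaintext(sample), store_hashed(sample)):
        print(rec["scheme"], "verifies:", verify(rec, sample),
              "| recoverable from a dump:", password_recoverable_from_record(rec))
```

Two properties matter for the breach scenario: the same password stored twice with `store_hashed` yields two different records because each gets its own salt, so a leaked table cannot be attacked with one precomputed list, and `verify` works only by recomputing the hash, so the stored record never needs to be reversible. For sFTP specifically, SSH public-key authentication removes the stored secret entirely, which is the other industry-standard option the article mentions.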
What did the attacker have access to?
User email addresses and customer numbers, the initial WordPress Admin password that was set at the time of installation, and SSL private keys all could have been accessed by the attacker. One thing, in particular, sticks out:
During the period between September 6, 2021, and November 17, 2021, the attacker was able to access the sFTP and database usernames and passwords of active customers.
According to the team at Wordfence “GoDaddy seems to acknowledge that they stored database passwords as plaintext or in a reversible format. Unfortunately storing database passwords as plaintext is quite normal in a WordPress setting, where the database password is stored in the wp-config.php file as text. What is more surprising, in this breach, is that the password that provides read/write access to the entire filesystem via sFTP is stored as plaintext.”
What could an attacker do with this information?
The SEC filing warns of the potential for phishing arising from the exposure of email addresses and customer numbers. However, that risk is minimal compared to the exposure of sFTP and database passwords.
The attacker had a lengthy period before the sFTP and database passwords on all of the affected sites were reset, which could have allowed them to upload malware or add a malicious administrative user. This would allow the attacker to maintain persistence and retain control even after new passwords were set.
The attacker would have had access to critical information, such as the customer PII (Personally Identifiable Information) kept in the databases of the impacted sites, and they might have been able to obtain the entire contents of those databases. This includes the password hashes of WordPress user accounts on affected sites, as well as customer information from eCommerce sites.
It’s possible for an attacker to decrypt traffic using the stolen SSL (Secure Sockets Layer) private key on sites where the private key was exposed, provided they can successfully carry out a man-in-the-middle (MITM) attack that captures encrypted traffic between a site visitor and an affected site.
What should I do if I have a GoDaddy Managed WordPress site?
Customers who use GoDaddy’s Managed WordPress service will be contacted soon. However, given the nature of the problem and the data that the attacker had access to, we strongly advise all Managed WordPress users to assume they’ve been breached and take the following steps:
- If you’re running an eCommerce site, or store PII, and you have been verified by GoDaddy as having a data breach, you may be required to notify your customers. Familiarise yourself with the regulatory requirements in your area and make sure you follow them.
- Change all of your WordPress passwords! If you can, force a password reset for your WordPress users or clients. Because the hacker had access to the password hashes in all of the impacted WordPress databases, they could theoretically break and use those passwords on the impacted sites.
- Change any reused passwords and advise your users or customers to do so as well. The attacker might be able to access any other services for which the same password was used, since credentials may have been extracted from the compromised sites. If one of your clients uses the same email and password on your site as they do for their Gmail account, the hacker will be able to break into that customer’s Gmail once they have deciphered the customer’s password.
- Enable 2-factor authentication (2FA). The Wordfence plugin provides this as a free feature for WordPress sites, and most other services provide an option for 2FA.
- Check your site for unauthorised administrator accounts.
- Scan your site for malware using a security scanner.
- Check your site’s filesystem for any unexpected plugins, or plugins that do not appear in the plugins menu, as it is possible to use legitimate plugins to maintain unauthorised access.
- Be on the lookout for suspicious emails – phishing is still a risk, and an attacker could still use extracted emails and customer numbers to obtain further sensitive information from victims of this breach.
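Several of the checks in the list above (unauthorised administrator accounts, plugin directories that do not appear in the plugins menu, files uploaded during the breach window) can be scripted. The Python below is an added example written for this article, not a tool from GoDaddy or Wordfence. It works on constructed sample data embedded inline; on a real site the same inputs would come from the WP-CLI commands `wp user list --format=json` and `wp plugin list --format=json` plus a listing of `wp-content/`, which is an assumption about how you would gather the data rather than something the article prescribes. The breach window is the one stated in the filing, 6 September to 17 November 2021.

```python
from datetime import date, datetime

# Breach window from GoDaddy's SEC filing: access gained 2021-09-06, revoked 2021-11-17.
WINDOW_START = date(2021, 9, 6)
WINDOW_END = date(2021, 11, 17)

# --- Constructed sample data (not from any real site) ---------------------------
# Shape follows `wp user list --format=json`: roles is a comma-separated string.
USERS = [
    {"user_login": "owner", "roles": "administrator", "user_registered": "2019-03-02 10:12:44"},
    {"user_login": "editor1", "roles": "editor", "user_registered": "2021-10-01 08:00:00"},
    {"user_login": "wp_support", "roles": "administrator", "user_registered": "2021-10-14 03:21:09"},
]
# Plugin slugs WordPress itself reports (what you would see in the plugins menu).
REGISTERED_PLUGINS = ["akismet", "wordfence", "woocommerce"]
# Directories actually present under wp-content/plugins/ on disk.
PLUGIN_DIRS_ON_DISK = ["akismet", "wordfence", "woocommerce", "wp-cache-helper"]
# Files under wp-content/mu-plugins/ (always loaded, never shown in the normal plugin list).
MU_PLUGIN_FILES = ["site-loader.php"]
# Files under wp-content/uploads/, relative to that directory.
UPLOAD_FILES = ["2021/10/invoice.pdf", "2021/10/wp-conf.php", "2021/11/logo.png"]

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def admins_created_in_window(users, start=WINDOW_START, end=WINDOW_END):
    """Administrator accounts registered while the attacker had access."""
    hits = []
    for user in users:
        if "administrator" not in user["roles"].split(","):
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if start <= registered <= end:
            hits.append(user["user_login"])
    return sorted(hits)


def unlisted_plugin_dirs(on_disk, registered):
    """Plugin directories present on disk that WordPress does not list: a hidden
    plugin, or leftover code that the plugins menu will never show you."""
    return sorted(set(on_disk) - set(registered))


def php_in_uploads(upload_files):
    """Executable PHP under uploads/ has no legitimate reason to be there."""
    return sorted(f for f in upload_files if f.lower().endswith(PHP_SUFFIXES))


def triage_report(users=USERS, on_disk=PLUGIN_DIRS_ON_DISK, registered=REGISTERED_PLUGINS,
                  mu_plugins=MU_PLUGIN_FILES, uploads=UPLOAD_FILES):
    """Collect every finding that warrants a manual look before trusting the site again."""
    return {
        "admins_created_in_window": admins_created_in_window(users),
        "unlisted_plugin_dirs": unlisted_plugin_dirs(on_disk, registered),
        "mu_plugins_to_review": sorted(mu_plugins),  # always review: these load unconditionally
        "php_in_uploads": php_in_uploads(uploads),
    }


if __name__ == "__main__":
    for finding, items in triage_report().items():
        print(f"{finding}: {items if items else 'none'}")
```

Treat every non-empty finding as a lead, not a verdict: a must-use plugin may be legitimate, and an admin created in the window may be your own staff. What the script cannot see is an existing admin whose password the attacker already holds, which is why the password reset and 2FA steps above still apply even when the report comes back clean.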
The GoDaddy Managed WordPress data breach is poised to have a big impact. The managed WordPress platform from GoDaddy is a major component of the WordPress ecosystem, and this has implications for both site owners and their customers. According to the SEC filing, “up to 1.2 million active and inactive Managed WordPress customers” were affected.
For the time being, anyone who uses GoDaddy’s Managed WordPress service should assume their sites have been hacked until further notice and follow the instructions outlined in this article.
If you want help with all things tech, including hosting and web development, get in touch with our team today.
GoDaddy SEC Report