Unauthorised access to customers’ WordPress installations results in the data of 1.2 million GoDaddy customers being exposed
Web hosting company GoDaddy has admitted in a regulatory filing that its systems have been compromised, resulting in a significant data breach.
In the filing with the Securities and Exchange Commission (SEC), GoDaddy’s chief information security officer Demetrius Comes said the firm had detected, on 17 November, unauthorised access to the systems where it hosts and manages its customers’ WordPress servers.
WordPress is a web-based content management system used by millions of people to set up blogs or websites. Customers can host their own WordPress installs on GoDaddy servers.
Comes admitted the ‘security incident’ on Monday in the company’s filing with the SEC.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” wrote Comes.
“Using a compromised password, an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress,” said Comes.
“Upon identifying this incident, we immediately blocked the unauthorised third party from our system,” he said. “Our investigation is ongoing, but we have determined that, beginning on 6 September 2021, the unauthorised third party used the vulnerability to gain access to the following customer information.”
Unfortunately, up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks, Comes warned.
In addition, the original WordPress Admin password that was set at the time of provisioning was exposed. “If those credentials were still in use, we reset those passwords,” he added.
Active customers also had their sFTP and database usernames and passwords exposed. GoDaddy has reset both passwords.
And finally, for a subset of active customers, the SSL private key was exposed. GoDaddy said it was in the process of issuing and installing new certificates for those customers.
“Our investigation is ongoing and we are contacting all impacted customers directly with specific details,” said Comes. “We are sincerely sorry for this incident and the concern it causes for our customers.”
Monitoring the perimeter
“We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down,” Comes concluded. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
A security expert said this case shows the need for organisations to regularly monitor their perimeter and identify exposed credentials.
“We can’t express enough the importance of strong password security standards and good hygiene,” said Todd Carroll, CISO at CybelAngel. “Even with these in place, however, breaches can still happen.”
“When organisations provide third parties with data or access to production systems, their security is no longer within their control,” said Carroll.
“It is critical for companies to regularly monitor outside their immediate perimeter and identify exposed credentials well before they are leveraged by hackers and lead to data breaches like this.”
GoDaddy has suffered a number of other security incidents in recent years.
In May 2020 it warned of a data breach that affected clients’ SSH accounts.
The attackers did not obtain the credentials used to log into clients’ main GoDaddy accounts, but were able to access websites via Secure Shell (SSH), which allows users to carry out operations such as executing commands and manipulating files.
In 2017 GoDaddy suffered an outage of its infrastructure services relating to the provision of its domain name service (DNS) and website services.
In 2016 Malwarebytes detected that two CBS-affiliated stations using GoDaddy website accounts were compromised in a malvertising attack, which was caused by the Angler exploit kit.
But the most notable GoDaddy security incident took place in 2012, when hackers affiliated with Anonymous took down the company’s entire operation, leaving millions of customers without access for several hours.