GoDaddy data breach affects nearly 1.2 million WordPress users
The attacker used a compromised password to access the company's provisioning system for Managed WordPress
Attackers have breached domain registrar and web-hosting firm GoDaddy, gaining access to the information of nearly 1.2 million active and inactive Managed WordPress customers.
In a filing with the US Securities and Exchange Commission (SEC), the company's chief information security officer Demetrius Comes said the company detected 'suspicious' activity in its Managed WordPress hosting environment on 17th November, following which the firm immediately blocked the unauthorised access.
The company followed standard procedure in these cases: enlisting the aid of an IT forensics firm and contacting law enforcement.
Although the investigation is ongoing, GoDaddy's IT security team has determined that the breach began around 6th September 2021, when the attacker used a compromised password to access the company's provisioning system for Managed WordPress.
This unauthorised access affected nearly 1.2 million active and inactive Managed WordPress users. The attacker was able to view those customers' account numbers and email addresses.
GoDaddy said the original WordPress admin password set at the time of provisioning was also exposed. Where customers were still using that password, the company has reset it; customers who changed it after provisioning were not affected by this part of the exposure.
For active customers, the attacker could also see the sFTP password, the database password and the database username. GoDaddy has reset both passwords, so any copies of those credentials stored elsewhere (deployment scripts, backup tools, local clients) will need to be updated.
GoDaddy is also issuing and installing new SSL certificates for the subset of active customers whose SSL private key was exposed. A reissued certificate only closes the gap if it is bound to a freshly generated key and the old certificate is revoked; until the old certificate is revoked or expires, anyone holding the exposed key can still present it.
That is why security experts warn about the exposed keys: an attacker who holds a site's private key and can also redirect or intercept its traffic can present a browser-trusted certificate for that domain, impersonating a legitimate firm's site to distribute malware or steal credentials.
"We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers' data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection," Demetrius Comes stated in the SEC filing.
This is not the first instance of a security incident exposing GoDaddy customer details.
In May last year, the company disclosed a breach that revealed some customers' web hosting account credentials.
The company said the incident happened in October 2019 and enabled an unauthorised individual to access some customers' login information, used to connect to SSH on their hosting account. It assured customers that the breach did not impact 'main customer accounts,' and there was no evidence to suggest that hackers added or modified any files on affected accounts.
In 2019, hackers used hundreds of stolen GoDaddy credentials to create nearly 15,000 subdomains to redirect potential victims to malicious websites.
In 2018, UpGuard's Cyber Risk Team uncovered a data exposure in which a publicly readable AWS S3 bucket exposed configuration data about GoDaddy's internal systems.