Why GoDaddy Data Breach Of +1 Million Clients Is Worse Than Described

Over one million GoDaddy hosting customers suffered a data breach in September 2021 that went unnoticed for two months. GoDaddy described the security event as a vulnerability. Security researchers indicate that the vulnerability stemmed from inadequate security practices that did not meet industry best practices.

The statement by GoDaddy announced that they have changed passwords for the affected customers of their WordPress Managed Hosting.

However, simply changing passwords does not completely fix the problems hackers may have left behind, which means that up to 1.2 million GoDaddy hosting customers may remain affected by security issues.

GoDaddy Informs SEC Of Breach

On November 22, 2021 GoDaddy informed the United States Securities and Exchange Commission (SEC) that they had discovered “unauthorized third-party access” to their “Managed WordPress hosting environment.”

GoDaddy’s investigation revealed that the intrusion began on September 6, 2021 and was only discovered on November 17th, two months later.

Who is Affected And How

GoDaddy’s statement says that up to 1.2 million customers of their WordPress managed hosting environment may be affected by the security breach.

According to the statement to the SEC the data breach was due to a compromised password in their provisioning system.

A provisioning system is the system that sets up new customers with their hosting services by assigning them server space, usernames and passwords.

GoDaddy explained what happened:

“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.”

GoDaddy customer data that was exposed:

  • Email addresses
  • Customer numbers
  • Original WordPress administrator level passwords
  • Secure FTP (SFTP) usernames and passwords
  • Database usernames and passwords
  • SSL private keys

What Caused GoDaddy Security Breach

GoDaddy described the cause of the intrusion as a vulnerability. A vulnerability is generally thought of as a weakness or flaw in software code, but it can also arise from a lapse in good security measures.

Security researchers from Wordfence made the startling discovery that GoDaddy’s Managed WordPress hosting stored SFTP usernames and passwords in a manner that did not conform to industry best practices.

SFTP stands for Secure File Transfer Protocol. It is a file transfer protocol that allows someone to upload files to and download files from a hosting server over a secure connection.

According to the Wordfence security experts, the usernames and passwords were stored in unencrypted plain text, which allowed a hacker to freely harvest them.

Wordfence explained the security lapse they discovered:

“GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.

…Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.”
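The distinction Wordfence draws, shown as an added Python example (not code from GoDaddy or Wordfence): a reversible record hands the password back to whoever reads the store, while a salted, iterated hash can only be verified, never decoded. The base64 "legacy" store is a stand-in for any reversible format, and the iteration count is an assumption.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: raise until one verification takes a noticeable fraction of a second


def legacy_store(password: str) -> str:
    """Reversible record: stands in for any encoding, or encryption with a key the
    same system holds. Whoever dumps the table can turn every record back into a password."""
    return base64.b64encode(password.encode()).decode()


def legacy_recover(record: str) -> str:
    """What a dump of a reversible store gives an attacker: the original password."""
    return base64.b64decode(record).decode()


def hashed_store(password: str) -> str:
    """Salted, iterated hash: a per-user random salt plus PBKDF2-HMAC-SHA256.
    The record can verify a login attempt but cannot be turned back into the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Public key authentication, the other practice Wordfence names, removes the stored secret entirely: the server keeps only a public key, which is useless to an attacker who dumps it.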

GoDaddy Security Issues May Still Be Ongoing

GoDaddy’s statement to the SEC noted that the exposure of customer emails could lead to phishing attacks. It also said that all passwords were reset for affected customers, which seems to close the door on the security breach, but that’s not entirely the case.

However, more than two months had elapsed by the time GoDaddy discovered the security lapse and intrusion, which means that websites hosted on GoDaddy could still be in a compromised state if malicious files have not been removed.

It is not enough to change the passwords of affected websites; a thorough security scan should also have been performed to make sure that affected websites are free of backdoors, Trojans and other malicious files.

GoDaddy’s official statement has not said anything about mitigating the effects of already compromised websites.

The security researchers at Wordfence acknowledged this shortcoming:

“…the attacker had nearly a month and a half of access during which they could have taken over these sites by uploading malware or adding a malicious administrative user. Doing so would allow the attacker to maintain persistence and retain control of the sites even after the passwords were changed.”
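The two persistence routes Wordfence describes, a rogue administrator and uploaded malware, are what a post-breach audit of a site has to look for. Added Python example (not GoDaddy's or Wordfence's code): it flags administrator accounts registered on or after the intrusion start date and PHP files that either sit under wp-content/uploads or were modified after that date, using a constructed user list and a constructed site tree; the names and dates in the sample data are made up.

```python
import os, tempfile
from datetime import datetime, timezone

INTRUSION_START = datetime(2021, 9, 6, tzinfo=timezone.utc)  # per GoDaddy's SEC filing, as the article reports

SAMPLE_USERS = [  # constructed wp_users rows joined with their role; not real data
    {"login": "owner", "role": "administrator", "registered": "2019-03-02 10:15:00"},
    {"login": "editor1", "role": "editor", "registered": "2021-10-01 08:00:00"},
    {"login": "wp_support", "role": "administrator", "registered": "2021-09-20 03:41:12"},
]

def rogue_admins(users, since=INTRUSION_START):
    """Logins of administrator accounts created on or after the intrusion start."""
    hits = []
    for u in users:
        created = datetime.strptime(u["registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if u["role"] == "administrator" and created >= since:
            hits.append(u["login"])
    return sorted(hits)

def suspicious_files(root, since=INTRUSION_START):
    """PHP under wp-content/uploads (never legitimate) or any PHP modified since the intrusion."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            in_uploads = rel.startswith("wp-content/uploads/")
            if name.lower().endswith(".php") and (in_uploads or os.path.getmtime(path) >= since.timestamp()):
                hits.append(rel)
    return sorted(hits)

def build_sample_site():
    """Constructed WordPress-like tree mixing clean and suspicious files (for the demo only)."""
    root = tempfile.mkdtemp()
    before = datetime(2021, 6, 1, tzinfo=timezone.utc).timestamp()
    after = datetime(2021, 9, 30, tzinfo=timezone.utc).timestamp()
    files = {
        "wp-config.php": before,                                    # untouched core file
        "wp-content/themes/twentytwentyone/functions.php": after,  # edited after the intrusion
        "wp-content/uploads/2021/09/image.jpg": after,              # media uploads are normal
        "wp-content/uploads/2021/09/cache.php": after,              # PHP in uploads: backdoor smell
    }
    for rel, ts in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<?php // constructed sample\n")
        os.utime(path, (ts, ts))
    return root
```

A real audit would read wp_users and wp_usermeta from the database and run suspicious_files against the live document root; a flagged file is a lead to inspect, not proof of compromise on its own.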

Wordfence also states that the damage is not limited to the businesses hosted on WordPress managed hosting. The security researchers observed that hacker access to website databases could expose the customer information stored by those sites, including sensitive customer data held by ecommerce websites.

Effects of GoDaddy Data Breach May Continue

GoDaddy has only announced that it has reset passwords. However, nothing was said about identifying and fixing compromised databases, removing rogue administrator accounts or finding malicious scripts that have been uploaded, not to mention possible breaches of sensitive customer information from ecommerce sites hosted on GoDaddy.

Citation

GoDaddy Announces Security Incident Affecting Managed WordPress Service

Read The Wordfence Security Report

GoDaddy Breached – Plaintext Passwords – 1.2M Affected