WordPress sites have been affected.
GoDaddy was Hacked
GoDaddy, a popular domain registrar and hosting company, discovered that an unauthorized third party had gained access to its Managed WordPress hosting environment. As a result of the breach, the email addresses, customer numbers, and original WordPress admin passwords of up to 1.2 million customers were exposed.
The company stated that the unauthorized access began on September 6, 2021. The investigation is still ongoing, and GoDaddy is working with a private IT forensics firm to help resolve the breach. GoDaddy has reset the affected credentials and will also issue new SSL certificates.
“We are sincerely sorry for this incident and the concern it causes for our customers. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection,” GoDaddy said.
Wordfence reported that GoDaddy stored sFTP credentials in plaintext, or in a format that could easily be reversed back into plaintext, rather than using public-key authentication or a salted hash, which are the industry best practices for sFTP. Because of that, the attacker obtained working passwords directly, without having to crack anything.
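To make the distinction concrete, the following is an added example (not code from GoDaddy, Wordfence, or this article) that contrasts a trivially reversible credential encoding with a salted, iterated hash of the kind the report describes as best practice. The record format, the PBKDF2 parameters, and the sample password are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Reversible storage (constructed illustration of the weak pattern): whoever
# reads the stored value gets the password back with no cracking at all.
def store_reversible(password: str) -> str:
    return base64.b64encode(password.encode()).decode()


def recover_from_reversible(stored: str) -> str:
    return base64.b64decode(stored).decode()


# Salted, slow hash: a leaked record holds only a per-user random salt and a
# digest that must be brute-forced, and equal passwords yield different records.
PBKDF2_ITERATIONS = 600_000  # assumed work factor, OWASP-order for SHA-256


def store_hashed(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_hashed(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept it
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    # constant-time comparison so verification timing reveals nothing
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    weak = store_reversible("Hunter2!")            # constructed sample password
    print("reversible record leaks:", recover_from_reversible(weak))
    record = store_hashed("Hunter2!")
    print("salted record:", record)
    print("verify correct:", verify_hashed("Hunter2!", record))
    print("verify wrong:", verify_hashed("hunter2!", record))
```

In production a memory-hard function such as scrypt or Argon2 is preferable to PBKDF2, and for sFTP specifically, key-based authentication avoids storing a password-derived secret at all.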
The report added that the attacker had direct access to this information for nearly a month and a half. In that time the attacker could have taken over the compromised sites by creating malicious admin users, in which case they would retain control of those sites even after the legitimate users changed their passwords.
GoDaddy is expected to reach out to its customers who have been affected by the breach. If you’re a Managed WordPress user, you should notify your customers of the breach. It’s also advisable to reset your WordPress passwords and force a password reset for your customers or users.
GoDaddy's Security Problems
Over the last couple of years, the company has been struggling with security. Last year, it discovered a breach that exposed the SSH credentials of 28,000 of its customers; the attack happened in 2019 but was only discovered in April 2020. Its employees have also handed scammers control of domains belonging to many of its customers after being socially engineered.
But the latest attack could have far larger repercussions because it exposed SSL private keys. With those keys, an attacker could impersonate the domains of legitimate companies and then use that trust to distribute malware and steal their customers' information.
Furthermore, attackers could use the keys to hijack a website and extort a ransom for its return.
The companies that have been affected will have to replace their certificates. It is a quick process: a certificate can be replaced in anywhere from 24 hours to five days. Since GoDaddy also issues certificates, it can itself revoke and reissue those whose keys were exposed.
However, it is not clear that all of the compromised certificates were issued by GoDaddy. Hosting companies offer their own certificates, but they also allow customers to install certificates from other issuers if they wish.
Experts recommend using short-lived digital certificates. Thus, if the keys are compromised, the attacker would have limited time to misuse them.