Administrators of WordPress sites using GoDaddy’s WordPress managed hosted service are being warned to change their passwords and watch for phishing attacks after the provider admitted it was hacked last week.
The way the attacker got in: A compromised password.
In a filing today with the U.S. Securities and Exchange Commission (SEC), GoDaddy chief information security officer Demetrius Comes said an attacker exploited a vulnerability between September 6 and November 17 to gain access to the following customer information:
– the original WordPress admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords;
– up to 1.2 million active and inactive managed WordPress customers had their email addresses and customer numbers exposed. The exposure of email addresses presents a risk of phishing attacks, the provider said;
– for active customers, sFTP and database usernames and passwords were exposed. GoDaddy reset both passwords.
“Our investigation is ongoing and we are contacting all impacted customers directly with specific details,” said the GoDaddy statement. “Customers can also contact us via our help center, which includes phone numbers based on country.
“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext, commented Wordfence, which sells WordPress security solutions. “They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”
Wordfence says it confirmed this theory by accessing the user interface for GoDaddy Managed Hosting and determining it was able to view its own password. “When using public-key authentication or salted hashes, it is not possible to view your own password like this because the hosting provider simply does not have it.”
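As an added illustration of the salted-hash storage Wordfence contrasts with what it observed (example code written for this page, not GoDaddy's or Wordfence's), the following stores an sFTP-style credential as a PBKDF2-HMAC-SHA256 digest with a random per-record salt. The record can verify a login attempt and be rotated on reset, but nothing in it can be turned back into the password, so a dump of the credential table gives an attacker only material that still has to be cracked; the function names, record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed work factor for the example; production values should follow current guidance.
PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class CredentialRecord:
    """What the provider persists: never the password itself."""
    username: str
    salt: bytes
    digest: bytes
    iterations: int


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # One-way key derivation: the same password and salt always give the same digest,
    # but the digest cannot be reversed into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def store_credential(username: str, password: str, iterations: int = PBKDF2_ITERATIONS) -> CredentialRecord:
    """Provision a credential: fresh random salt per record, then hash."""
    salt = os.urandom(16)
    return CredentialRecord(username, salt, _derive(password, salt, iterations), iterations)


def verify_credential(record: CredentialRecord, password: str) -> bool:
    """Check a login attempt without ever needing the stored password in the clear."""
    candidate = _derive(password, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)  # constant-time comparison


def rotate_credential(record: CredentialRecord, new_password: str) -> CredentialRecord:
    """Password reset after exposure: new salt and digest; the old digest carries nothing forward."""
    return store_credential(record.username, new_password, record.iterations)


def stored_fields(record: CredentialRecord) -> dict:
    """The view an attacker gets from a dumped credential table, and what a UI could ever display."""
    return {
        "username": record.username,
        "salt": record.salt.hex(),
        "digest": record.digest.hex(),
        "iterations": record.iterations,
    }
```

Because `stored_fields` is all the provider holds, a "show my password" feature like the one Wordfence found cannot be built on top of it.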
The incident shows that security is not something you can get some other company to do, said Rick van Galen, a security engineer at Toronto-based 1Password. Being resilient against breaches includes following online security best practices including using password managers, he said in a statement.
“A breach of this size is particularly dangerous around the holidays,” said Ed Williams, director of Trustwave SpiderLabs. “Hackers try to take advantage of every new email address and password exposed in an attempt to launch phishing attacks and social engineering schemes. Enterprises, SMBs, and individuals using frequently targeted platforms like WordPress should ensure they are following strong password best practices: complexity, frequent password changes, not sharing passwords between applications, and multi-factor authentication. If possible, utilize an authenticator app to secure your account instead of traditional two-factor authentication via SMS, as hackers have recently been targeting users with specialized SMS phishing.”
Ian McShane, field CTO for managed security provider Arctic Wolf, noted that despite GoDaddy being a billion-dollar company that presumably spent well on cybersecurity, the hacker was in its environment for 72 days. “While it’s often said that the mean time to detection (MTTD) numbers are inflated (208 days in the latest Ponemon report) and do not reflect the reality of a non-nation state attacker, this person managed to avoid being caught for two months.
“The number of affected accounts – 1.2M – is so big that it feels like this would have been a lucrative ransomware opportunity, so there might be more to come from this story, particularly as we’ve seen more and more breaches devolve into ransomware and extortion sagas.”
Robert Prigge, CEO of Jumio, said the breach underlines the inherent weakness of relying on credentials to authenticate users. Just over 60 per cent of data breaches in 2020 involved the use of unauthorized credentials, he said.
“With user email addresses, credentials for WordPress databases, and SSL private keys exposed in this breach, cybercriminals have everything they need to conduct phishing attacks or impersonate customers’ services and websites. Resetting passwords and private keys is simply not enough to protect the 1.2 million users affected by this breach. Instead, online organizations should turn to a safer and more secure alternative like biometric authentication (leveraging a person’s unique human traits to verify identity), which confirms the user logging in is truly the account holder and ensures personal data is protected from cybercriminals.”