GoDaddy has disclosed that an unknown attacker obtained unauthorized access to the system used to provision and manage its Managed WordPress sites, impacting up to 1.2 million WordPress customers. Note that this figure counts customers, not websites: some GoDaddy customers have multiple Managed WordPress sites in their accounts, so the number of affected sites is larger. Let’s take a closer look at what this means for the company and the users affected.
According to the report filed by GoDaddy, the attacker initially gained access via a compromised password on September 6, 2021. GoDaddy discovered the intrusion on November 17, 2021, at which point it revoked the attacker’s access. Evidently, GoDaddy stored sFTP credentials either as plaintext or in a format that can be reversed into plaintext, rather than using a salted hash or a public key, both of which are considered industry best practice for sFTP. This lapse in judgment gave the attacker direct access to the password credentials without any need to crack them.
After discovering the breach, GoDaddy reset the sFTP and database passwords of all the impacted sites. Despite that, the attacker had nearly a month and a half of access. They could have uploaded malware or added a malicious administrative user. Doing so would allow the attacker to maintain persistence and retain control of the sites even after the passwords and credentials were changed. Additionally, with database access, the attacker would have had access to sensitive information, including website customer PII (personally identifiable information) stored in the databases of the impacted sites, and may have been able to extract the contents of all impacted databases in full. That data includes the password hashes stored in the WordPress user tables of affected sites and customer information from e-commerce sites.
An attacker could similarly gain control of sites that had not changed their default admin password, but it would be simpler for them to use their sFTP and database access to do so. On sites whose SSL private key was exposed, an attacker could decrypt traffic using the stolen key, provided they could successfully perform a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site. GoDaddy will be reaching out to impacted customers over the next few days. However, given the severity of the issue, we recommend that all Managed WordPress users assume that they have been breached.
Here are some action steps to take:
- Change all of your WordPress passwords, and force a password reset for your WordPress users or customers.
- Determine if it is crucial to notify your customers of the breach.
- Change any reused passwords and advise your users or customers to do so as well. The attacker could use credentials extracted from impacted sites to access other accounts.
- Enable 2-factor authentication on all sites that allow it.
- Check your site for unauthorized administrator accounts.
- Scan your site for malware using a security scanner.
- Check your site’s filesystem for any unexpected plugins.
- Be on the lookout for suspicious emails. An attacker may use extracted emails and customer numbers to obtain further sensitive information.
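One way to carry out the "check for unauthorized administrator accounts" step above, as an added example that is not part of the original post: the query is the one a practitioner would run against a site's MySQL database, executed here against an in-memory SQLite copy of wp_users and wp_usermeta filled with constructed sample rows so it runs offline. It assumes the default `wp_` table prefix and flags administrators whose account was created inside the breach window the post gives (September 6 to November 17, 2021).

```python
"""Audit WordPress users for administrators created during the GoDaddy
breach window. Added example, not GoDaddy's or WordPress's own code; the
table rows below are constructed sample data, not real accounts."""
import sqlite3

BREACH_START = "2021-09-06 00:00:00"
BREACH_END = "2021-11-17 23:59:59"

# The role lives in wp_usermeta under '<prefix>capabilities' as a
# serialized PHP array, so a LIKE match on "administrator" finds admins.
# Same query shape works on the site's MySQL database (assumes prefix wp_).
FIND_ADMINS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
"""

def load_sample_db():
    """Constructed data: one legitimate admin, one admin added mid-window
    (the kind of persistence the post warns about), one editor (not flagged)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'owner', 'owner@example.com', '2019-03-02 10:15:00'),
          (2, 'wp-support', 'support@example.net', '2021-10-03 02:41:17'),
          (3, 'editor1', 'editor@example.com', '2021-10-10 09:00:00');
        INSERT INTO wp_usermeta VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    """)
    return db

def admins_created_in_window(db, start=BREACH_START, end=BREACH_END):
    """Return (all admins, admins registered inside the window). Review the
    full admin list too: a registration date can be edited by whoever has DB access."""
    rows = db.execute(FIND_ADMINS_SQL).fetchall()
    flagged = [r for r in rows if start <= r[3] <= end]
    return rows, flagged

if __name__ == "__main__":
    all_admins, suspicious = admins_created_in_window(load_sample_db())
    print(f"{len(all_admins)} administrator(s); {len(suspicious)} created in breach window:")
    for row in suspicious:
        print(" ", row)
```

Any flagged account that you did not create yourself should be treated as evidence of persistence and removed only after the rest of the checklist (malware scan, unexpected plugins) has been run.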
In conclusion, the GoDaddy Managed WordPress data breach is likely to have far-reaching consequences. These sites make up a significant portion of the WordPress ecosystem, so the breach affects both site owners and their customers. GoDaddy’s SEC filing reports that “Up to 1.2 million active and inactive Managed WordPress customers” were involved. Customers of those sites are most likely also affected, making the number of affected people much larger. At this moment, those using GoDaddy’s Managed WordPress should assume their sites are compromised until further information comes to light.