Breach, Threat Management, Network Security

Over 1 million GoDaddy WordPress accounts breached

Traders work on the floor of the New York Stock Exchange as the website hosting service GoDaddy makes its initial public offering (IPO) on April 1, 2015, in New York City. (Photo by Spencer Platt/Getty Images)

GoDaddy on Monday disclosed that its Managed WordPress hosting environment was breached by an unauthorized third-party using a compromised password.  

The popular web hosting company said up to 1.2 million active and inactive Managed WordPress customers had their email address and customer numbers exposed.

GoDaddy customers were also notified that the original WordPress admin password that was set at the time of provision was exposed. If those credentials were still in use, GoDaddy reset the passwords. GoDaddy also reset the passwords for active customers who had their sFTP and database user names and passwords exposed.

According to a release issued by web hosting provider, the company discovered the breach on Nov. 17. While the investigation is ongoing, GoDaddy determined that the breach dates back to Sept. 6.

Security analysts said most troubling in this case was that for a subset of active customers, SSL private keys were exposed. GoDaddy said it's in the process of issuing and installing new certificates for those customers.

“With compromised SSL private keys and certificates, hackers can hijack a domain name and use it to extort ransom for its return,” said Murali Palanisamy, chief solutions officer at AppViewX. “They can also redirect users to what appears as an identical website and deploy malware or collect user credentials and credit card information and much more. All of these threats are extinction-level events. Bottom line: today’s hackers know what they are doing.” 

Many individuals and small businesses rely on WordPress and GoDaddy to have a web presence and this kind of breach can have a major impact, said Javvad Malik, security awareness advocate at KnowBe4.

“While it's concerning that the attacker was in GoDaddy's servers for over two months, the response by GoDaddy has been very good,” Malik said. “The company has reset exposed sFTP, database, and admin user passwords and is installing new SSL certificates. In addition, the company contacted law enforcement, a forensics team and notified customers. All of this is an ideal playbook from which other organizations could learn to better understand how to respond to a breach.”

Ian McShane, field CTO at Arctic Wolf, said its troubling that this hacker managed to avoid being caught for some two months.

“The number of affected accounts is so big that it feels like this would have been a lucrative ransomware opportunity, so there might be more to come from this story, particularly as we’ve seen more and more breaches devolve into ransomware and extortion sagas,” McShane said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.