Lessons Learned From GoDaddy's 2021 Data Breach

The American internet domain registrar and web hosting company GoDaddy recently made the news for its latest security breach, which occurred in 2021.

The major cyber attack impacted 1.2 million of its current and former managed hosting customers, including its WordPress users with a managed hosting plan.

Let’s look at the implications of the digital privacy disaster to learn powerful lessons from the attack:

 

What Happened?

On November 22, 2021, GoDaddy announced a security incident affecting their managed WordPress service. The internet domain registrar told the United States Securities and Exchange Commission (SEC) that they discovered “unauthorized third-party access” to their “Managed WordPress hosting environment” five days earlier, on November 17.

The cybercriminals breached GoDaddy’s database by compromising a password in their provisioning system, a process they use to offer customers their new hosting services by assigning them server space, usernames, and passwords.

As a result of the GoDaddy hack, 1.2 million of its current and former WordPress users with a managed hosting plan had their email address and customer number exposed.

Additionally, GoDaddy faced exposure of other data including:

  • Original WordPress administrator level passwords
  • Secure FTP (sFTP) usernames and passwords
  • Database usernames and passwords for active customers
  • SSL private keys for a subset of active customers
     

According to an investigation by Wordfence security experts, GoDaddy’s Managed WordPress hosting stored sFTP usernames and passwords in a manner that did not conform to industry best practices.

Wordfence explains, “GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication.” Because usernames and passwords were stored in unencrypted plain text, bad actors were able to access the provisioning system in GoDaddy’s legacy code base for Managed WordPress.

Worse still, the breach itself occurred on September 6, 2021 — two months prior to its formal discovery by the GoDaddy team on November 17, 2021. 

 

Who Exactly is Affected?

According to GoDaddy, up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer numbers exposed, but the spread of the breach does not end there.

The day after the breach was announced, GoDaddy shared that brands that resell GoDaddy Managed WordPress were also affected, including tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe. Investigation is still underway to determine the full extent of compromised data.

 

GoDaddy’s Next Steps

With their announcement of the breach, GoDaddy also shared what they were doing to recover from their extensive data breach. The domain registrar immediately blocked the unauthorized third-party from their system, reset passwords for affected accounts, and warned of the possible threats that lie ahead for affected users.

One of the biggest risks their exposed customers face is phishing attacks. The exposure of their email addresses in the breach gives bad actors direct access to their inboxes. With a little open-source intelligence research and the right pretext, a social engineer could craft a highly targeted phishing email to trick a user into taking an action and downloading malware.

GoDaddy’s CISO wrapped up his statement of the attack by saying, “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.” But what those additional layers of protection are, we are not yet sure...

 

Lessons Learned

Cyber attacks are becoming more frequent with amplifying repercussions as bad actors continue to target big brands storing extensive networks of private data.

In today’s modern age, no company is safe from a cyberattack, so it’s crucial to frequently assess your security before a breach occurs.

In the case of GoDaddy, two entire months had passed by the time the company discovered their system was breached. This means the adversary spent over 60 days moving laterally throughout their network. The extent of their compromise cannot be easily determined without a thorough investigation by security professionals. With this in mind, GoDaddy’s remediation action of changing the passwords of compromised accounts is not enough; they must perform vulnerability scanning and penetration testing to accurately identify the true scope of the attack.

Now more than ever, these newsworthy cyber attacks remind us how vital it is to follow security best practices for storing sensitive information. 

 

Are You Protected From Cyber Threats?

The reality is, many organizations do not have a realistic idea of their true threat landscape and vulnerabilities. 

While investing in a vulnerability scan or penetration test is the best way to know for sure, there are a few things you can do to assess your security posture yourself.

Learn to protect your organization from internal and external threats by downloading our 5-1/2 Easy Steps to Avoid Cyber Threats eBook today.

 
