GoDaddy, a domain name registrar and web hosting company, has disclosed a data breach that exposed the data of 1.2 million customers.
According to a disclosure published by the company, an unauthorized third party accessed the company’s Managed WordPress hosting environment in an incident discovered on November 17, 2021. The unauthorized access was blocked immediately on detection, and a forensic investigation was initiated.
“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress. Upon identifying this incident, we immediately blocked the unauthorized third party from our system. Our investigation is ongoing, but we have determined that beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to our customer information,” stated Demetrius Comes, Chief Information Security Officer, GoDaddy.
Customers Affected
The notification shared the following customer information:
- Up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer number exposed. The exposure of email addresses presents a risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, those passwords were reset.
- For active customers, sFTP and database usernames and passwords were exposed. Both passwords have been reset.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Interestingly, GoDaddy has a help page for “My website was hacked. What should I do?”, listing warnings and best practices to abide by.
The company also disclosed a breach in May of last year, alerting some of its customers that an unauthorized party had used their web hosting account credentials in October to connect to their hosting accounts via SSH.
GoDaddy’s security team discovered that incident after spotting an altered SSH file in GoDaddy’s hosting environment and suspicious activity on a subset of GoDaddy’s servers.
GoDaddy is one of the world’s largest domain registrars and a web hosting company providing services to more than 20 million customers worldwide.
In a post on krebsonsecurity.com, Brian Krebs described how fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms, in attacks facilitated by scams targeting employees at GoDaddy.