GoDaddy has admitted that 1.2M Managed WordPress customers have had account details compromised by a third party. The attackers were using a compromised password that gave them access to GoDaddy’s legacy provisioning systems. The incident started on September 6, 2021, and continued until November 17, 2021, when it was discovered. GoDaddy says it has now blocked that third party from its systems and is forcing password changes on all affected accounts.
According to Demetrius Comes, Chief Information Security Officer, GoDaddy, “Our investigation is ongoing, and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help), which includes phone numbers based on country.
“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
What data was compromised, and what is GoDaddy doing?
GoDaddy has said that this breach is limited to its Managed WordPress customers and affects a mix of active and inactive users. Other GoDaddy customers are, at present, believed to be unaffected. The company has issued a statement listing what was accessed and the actions it is taking.
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
The steps above look reasonable, but are they enough? As GoDaddy has said, there is an immediate risk of phishing attacks. Some customers may have already been subjected to such attacks. While GoDaddy is resetting some passwords, customers should act and reset all passwords to be on the safe side.
GoDaddy is not saying how it will approach cleaning up customer installations to make sure there is no malicious code left behind. Resetting customer systems back to September 5 would not be good enough. Any restore would lose all customer data in their WordPress database, forcing them to rekey all updates to their sites. It would also mean that any add-ons they have installed would be lost.
A need to reset security certificates
One area that will be watched is how quickly GoDaddy deals with replacing potentially compromised security certificates. GoDaddy is one of the large certificate authorities (CAs), which means it has processes to deal with this.
Nick France, CTO at Sectigo, another CA, commented: “Breaches like the GoDaddy incident where a large number of private keys are compromised will ultimately lead to events where the compromised certificates all need to be revoked in a very short space of time.
“The impact this can have on businesses reliant on those certificates can be significant – especially on holiday weeks such as this. It highlights the importance of ensuring all enterprises manage their certificates – regardless of which CA they are from – in one interface so that the impact of such events can be minimized.”
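For customers in the subset whose SSL private key was exposed, the check that matters is not only that a new certificate has been installed but that it is bound to a new key: a certificate re-issued after November 17 for the same exposed key is still compromised. The following is an added example (not GoDaddy's or Sectigo's code) that encodes both conditions; it builds constructed self-signed sample certificates in place of ones fetched from a live site, and the hostname "shop.example" and the date choices are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Last day of the incident window reported by GoDaddy (6 Sep to 17 Nov 2021).
var incidentEnd = time.Date(2021, time.November, 17, 0, 0, 0, 0, time.UTC)

// spkiFingerprint hashes the SubjectPublicKeyInfo, so certificates are
// compared by the key they carry, not by serial number or signature.
func spkiFingerprint(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// Remediated reports whether newCert is a genuine replacement for oldCert:
// issued after the incident window AND bound to a different private key.
// A certificate re-issued for the same exposed key is still compromised.
func Remediated(oldCert, newCert *x509.Certificate) bool {
	return newCert.NotBefore.After(incidentEnd) &&
		spkiFingerprint(oldCert) != spkiFingerprint(newCert)
}

// selfSigned builds a constructed sample certificate for the demonstration;
// in practice the certificates would come from tls.Conn.ConnectionState().
func selfSigned(key *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // exposed key
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fresh key
	old := selfSigned(oldKey, time.Date(2021, time.June, 1, 0, 0, 0, 0, time.UTC))
	after := time.Date(2021, time.November, 25, 0, 0, 0, 0, time.UTC)
	fmt.Println(Remediated(old, selfSigned(oldKey, after)), Remediated(old, selfSigned(newKey, after)))
}
```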
What is the likely business impact on customers?
It will vary. We don’t know how many of these customers were active or what they use their WordPress sites for. Those doing retail will be particularly concerned as we head into the Black Friday/Cyber Monday sales bonanza. If there is any downtime for their sites or loss of data, it will cost them time and money to replace. It could also result in potential lost sales.
Those losses are unlikely to be covered by GoDaddy. The company will cover the cost of replacement certificates and restores, but it is unlikely it will cover consequential damages. For that, customers will need to turn to their own insurers, and it is likely that many do not have that sort of cover.
It means that many will get little in the way of compensation for this breach. Of course, if there are enough US-based customers, the best hope they will have is a class action lawsuit. In fact, it is a surprise that, more than 24 hours on, no lawyers have popped up to offer that service.
Enterprise Times: What does this mean?
Breaches are a fact of life for any organisation using the Internet. However, customers using the GoDaddy Managed WordPress service might have thought their risk was lower, and GoDaddy had their backs. However, all it takes is a single set of compromised credentials for a breach to happen.
One big question here is why GoDaddy was not using multifactor authentication (MFA). That would have prevented a compromised password alone from causing this problem. GoDaddy has numerous help pages that tell users how to turn on MFA. Perhaps it should take the advice it offers customers and apply it to its own systems.