This morning, GoDaddy revealed that an unidentified attacker had gained unauthorized access to a system used to organize the company’s managed WordPress sites, affecting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of the websites that are affected by this breach, and that some GoDaddy customers have multiple managed WordPress sites in their accounts.
According to the report filed by GoDaddy with the SEC, the attacker initially gained access via a compromised password on September 6, 2021, and was revealed on November 17, 2021, at which point their access was cancelled. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s managed WordPress product should be compromised when until they can confirm that it is not.
It appears that GoDaddy was storing the sFTP credentials as either plaintext, or in a format that could be reversed into plaintext. They did this instead of using salted hashes or public keys, both of which are considered industry best practices for sFTP. This allowed direct access to an attacker without needing to crack the password credentials.
According to their SEC filing: “For active customers, SFTP and database usernames and passwords were exposed.”
We attempted to contact GoDaddy for comment and to confirm our findings, but they did not immediately respond to our requests for comment.
What did the attacker have access to?
SEC filings indicate that the attacker had access to user email addresses and customer numbers, the original WordPress admin password that was set at the time of provisioning, and SSL private keys. All of these can come in handy for an attacker, but one item, in particular, stands out:
During the period from September 6, 2021 to November 17, 2021, the sFTP and database usernames and passwords of active clients were accessible to the attacker.
GoDaddy stored sFTP passwords in such a way that plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, both of which are industry best practices.
We confirmed this using the user interface for GoDaddy Managed Hosting and were able to see our password as shown in the screenshot below. When using public key authentication or salted hashes, it is not possible to view your own password as such because the hosting provider does not have it.
You will also note that the system is using port 22, which is Secure File Transfer Protocol. There are several types of sFTP, and this confirms that they are using sFTP via SSH, which is encrypted, and is designed to be one of the most secure ways to transfer files. It’s not necessarily best practice to store plaintext passwords, or passwords in a reversible format, for an SSH connection.
It appears that GoDaddy has admitted that they stored the database passwords as plaintext or in a reversible format. These can also be retrieved through their user interface. Unfortunately storing database password as plaintext is quite common in WordPress setting, where database password is stored as text in wp-config.php file. What’s more surprising in this breach is that the password that provides read/write access to the entire filesystem via SFTP is stored as plain text.
What can an attacker do with this information?
While the SEC filing emphasizes the potential phishing risk posed by exposed email addresses and customer numbers, the risk posed by this is minimal compared to the potential impact of exposed SFTP and database passwords.
Although GoDaddy quickly reset the sFTP and database passwords of all affected sites, the attackers had about a month and a half of access, during which they could have taken over these sites by uploading malware or adding malicious administrative users. Doing so would allow the attacker to maintain persistence and control of sites even after the password has been changed.
Additionally, with database access, the attacker would have access to sensitive information, including website customer PII (Personally Identifiable Information) stored on the databases of the affected sites, and may have access to the contents of all affected databases. be able to remove. This includes information such as password hashes stored in the database of WordPress user accounts of affected sites and customer information from e-commerce sites.
An attacker could similarly gain control of sites that had not changed their default administrator password, but it would be easier for them to use their sFTP and database access to do so.
On sites where the SSL private key was exposed, it may be possible for an attacker to decrypt the traffic using the stolen SSL private key, provided they can withstand a man-in-the-middle (MITM) attack. Prevents encrypted traffic that can be executed successfully between a site visitor and an affected site.
What should I do if I have a GoDaddy managed WordPress site?
GoDaddy will reach out to affected customers over the next few days. In the meantime, given the seriousness of the problem and the data the attacker has, we recommend that all managed WordPress users assume that they have been breached and take the following actions:
- If you are running an e-commerce site, or store PII (Personally Identifiable Information), and GoDaddy verifies that you have been violated, you may need to notify your customers of the breach. Is . Please research what the regulatory requirements are in your jurisdiction, and make sure you comply with those requirements.
- Change all your WordPress passwords, and if possible force reset passwords for your WordPress users or customers. Since the attacker had access to password hashes in each of the affected WordPress databases, they could potentially crack and use those passwords on the affected sites.
- Change any reused passwords and advise your users or customers to do the same. The attacker could potentially use the credentials extracted from the affected sites to access any other services where the same password was used. For example, if one of your customers uses the same email and password on your site that they use for their Gmail account, that customer’s Gmail could be breached by an attacker after cracking that customer’s password. could.
- Check your site for unauthorized administrator accounts.
- Scan your site for malware using a security scanner.
- Check your site’s filesystem including wp-content/plugins and wp-content/mu-plugins to maintain unauthorized access to any unexpected plugins or plugins that do not appear in the Plugins menu, as it uses legitimate plugins For it is possible.
- Be on the Lookout for Suspicious Emails – Phishing is still a risk, and an attacker can still use extracted email and customer numbers to obtain more sensitive information from victims of this compromise.
The GoDaddy managed WordPress data breach has the potential to have far-reaching consequences. GoDaddy’s managed WordPress offering forms a significant part of the WordPress ecosystem, and this affects not only site owners, but their customers. The SEC filing says that “up to 1.2 million active and inactive managed WordPress customers” were affected. Customers of those sites are also the most affected, making the number of people affected a lot.
For the time being, anyone using GoDaddy’s Managed WordPress offering should assume that their sites have been compromised until further information is available, and follow the steps we provide in this article . We will update the article as more information becomes available.
Note: All product names, logos, and brands are property of their respective owners in the United States and/or other countries. All company, product, and service names used on this page are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.