Data breach on GoDaddy WordPress: a timeline
Security incidents affecting WordPress have been of notable prevalence in recent years as more companies rely on the hugely popular content management system to power their websites. The latest organizations to fall victim to WordPress security vulnerabilities are domain registrar GoDaddy, which recently made public unauthorized third-party access to its managed WordPress hosting environment, affecting up to 1.2 million people. active and inactive clients.
Here is a timeline of the incident featuring details and information from the company and experts in the field.
GoDaddy WordPress data breach timeline
November 17, 2021: GoDaddy discovers unauthorized third-party access to Managed WordPress
In a Filing with the Securities and Exchange Commission (SEC)GoDaddy’s CISO, Demetrius Comes, announced that the organization discovered unauthorized access to its managed WordPress servers. GoDaddy determined that the incident began on September 6, 2021 and exposed data on 1.2 million active and inactive managed WordPress customers. “We identified suspicious activity in our managed WordPress hosting environment and immediately began an investigation with the help of an IT firm and contacted law enforcement,” Comes said. “Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for managed WordPress. “
November 22, 2021: GoDaddy announces data breach
GoDaddy reveals the breach in the SEC file mentioned above and announced that it has blocked the unauthorized third party from its systems. As the investigation continues, GoDaddy has determined that the third party exploited a vulnerability to gain access to the following customer information:
- Up to 1.2 million active and inactive managed WordPress customers have had their email address and customer number exposed, posing a risk of phishing attacks
- The original WordPress administrator password that was set during provisioning has been exposed. If these credentials were still in use, GoDaddy will reset these passwords.
- For active clients, sFTP and database user names and passwords have been exposed. GoDaddy resets both passwords
- For a subset of active clients, the SSL private key has been exposed. GoDaddy was issuing and installing new certificates for these clients
“We are sincerely sorry for this incident and the concern it arouses among our customers. We, the officers and employees of GoDaddy, take our responsibility to protect our customers’ data very seriously and never want to let it down. We will learn from this incident and are already taking steps to strengthen our supply system with additional layers of protection, ”said Comes.
November 23, 2021: Cyber Security Industry Responds, Managed WordPress Resellers Revealed to Be Affected
Following the news of GoDaddy’s data breach, cybersecurity experts shared their feedback and ideas on the incident, GoDaddy’s response and the broader implications for organizations and users. .
“Perhaps one of the most surprising revelations of the GoDaddy breach is the delay between the initial attack and the company’s discovery of the breach more than a month later,” said Dominic Trott, UK director of Orange Cyberdefense. “A lack of 24-hour threat detection and response activity will inevitably leave critical assets such as customer data at much greater operational risk, exposing GoDaddy to both reputation and damage. to finances. In this case, 1.2 million account email addresses and passwords were hacked, leaving customers vulnerable to the threat of phishing that could put them, their personal devices and their finances at risk.
Sectigo digital cryptography and CTO expert Nick France said breaches of this nature in which large amounts of private keys are compromised ultimately lead to events where compromised certificates all have to be revoked within a very short period of time. of time. “The impact this can have on businesses that depend on these certificates can be significant, especially on vacation weeks like this. “
Indeed, a breach of this size is particularly dangerous during the holidays, added Ed Williams, director of Trustwave SpiderLabs. “Hackers try to take advantage of every new email address and password exposed to attempt to launch phishing attacks and social engineering programs.”
Wordfence confirmed that at least six GoDaddy Managed WordPress resellers were also affected by the violation: tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet and Host Europe. GoDaddy said only a small number of reseller customers were affected.
Copyright © 2021 IDG Communications, Inc.