GoDaddy, one of the largest domain registrars, announced that it suffered a major cybersecurity breach and that the data of 12 lakh WordPress users is at risk. In its disclosure to the US Securities and Exchange Commission, the company revealed that it had discovered unauthorised third-party access to its Managed WordPress hosting environment.
Explaining the incident, GoDaddy said, “We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.”
While there is no report yet of an incident taking advantage of this data breach, what users need to worry about is that attackers can use the SSL credentials to mimic domains owned by legitimate companies as part of a larger credential-theft attack, or even to spread malware. Other concerns include that the keys may be used to hijack domain names and blackmail companies.
Affected users need to generate new certificates and private keys. Another aspect that GoDaddy needs to clarify is whether the exposed certificates and private keys belonged only to the GoDaddy CA or whether certificates from other issuers were also exposed in this data breach.
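The key rotation the paragraph above calls for, as an added example that is not from the article or from GoDaddy: it generates a replacement key and CSR with the openssl CLI (assumed to be installed) and then checks that the CSR and the resulting certificate are bound to a new key, because a certificate reissued against the exposed key leaves the exposure in place. The "exposed" key and the self-signed certificate are throwaway stand-ins constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or from GoDaddy: after a private-key exposure,
# a reissued certificate only helps if it is bound to a NEW key. This generates a
# replacement key and CSR and checks that the CSR (and the resulting certificate)
# no longer carry the exposed key's public half. Assumes the openssl CLI is installed.
# All key material here is throwaway and generated locally for the demonstration.
set -eu

WORK=$(mktemp -d)

# Stand-in for the exposed key (constructed; on a real site this is the key on disk).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null

# Step 1: generate a brand-new private key (never reuse old.key for the CSR).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/new.key" 2>/dev/null

# Step 2: build the CSR from the NEW key; this is what goes to the CA for reissue.
openssl req -new -key "$WORK/new.key" -subj "/CN=example.com" -out "$WORK/new.csr" 2>/dev/null

# Stand-in for the certificate the CA sends back (self-signed here for the demo only).
openssl x509 -req -in "$WORK/new.csr" -signkey "$WORK/new.key" -days 1 -out "$WORK/new.crt" 2>/dev/null

# SHA-256 over the DER SubjectPublicKeyInfo of a key, CSR or certificate. Anything
# derived from the same private key yields the same value, so it is the rotation marker.
pub_fingerprint() {  # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
    esac 2>/dev/null | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the CSR/certificate is bound to a different key than the exposed one.
key_was_rotated() {  # $1 = exposed key file, $2 = csr|cert, $3 = file to check
    [ "$(pub_fingerprint key "$1")" != "$(pub_fingerprint "$2" "$3")" ]
}

for item in csr:new.csr cert:new.crt; do
    kind=${item%%:*}; file="$WORK/${item#*:}"
    if key_was_rotated "$WORK/old.key" "$kind" "$file"; then
        echo "OK: $file is bound to a new key"
    else
        echo "NOT ROTATED: $file still carries the exposed key"
    fi
done
```

On a real site, point `key_was_rotated` at the key that was on the server during the exposure window and at the certificate the host installed; a matching fingerprint means the reissue changed nothing.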
According to GoDaddy, starting September 6, 2021, the unauthorised third party used the vulnerability to gain access to customer data, with the following exposed:
1. Up to 12 lakh active and inactive Managed WordPress customers had their email address and customer number exposed.
2. The original WordPress Admin password that was set at the time of provisioning was exposed.
3. For active customers, sFTP and database usernames and passwords were exposed.
4. For some active customers, the SSL private key was exposed.
How is GoDaddy trying to fix the issue
GoDaddy claims that it immediately blocked the unauthorised third party from its system. It also said that it had reset the WordPress Admin passwords along with the sFTP and database usernames and passwords. The company is also issuing and installing new certificates for the affected customers. “Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help) which includes phone numbers based on country,” it said.
GoDaddy takes responsibility and says sorry
In its statement to the US Securities and Exchange Commission, Demetrius Comes, CIO at GoDaddy, said, “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”