GoDaddy breach: SSL keys, sFTP, database passwords of WordPress customers exposed

GoDaddy, the popular internet domain registrar and web hosting company, has suffered a data breach that affected over a million of their Managed WordPress customers.


What happened?

“On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment,” the company’s CISO, Demetrius Comes, explained in a filing with the U.S. Securities and Exchange Commission. “Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.”

Apparently, the breach started on September 6, 2021, and allowed the attacker to gain access to:

  • Email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress customers
  • The original WordPress Admin password that was set at the time of provisioning
  • For active customers: sFTP and database usernames and passwords
  • For a subset of active customers: the SSL private key

The investigation is still ongoing, but in the meantime GoDaddy has reset the original WordPress Admin passwords that were still in use, as well as the sFTP and database passwords for active customers, and is in the process of issuing and installing new SSL certificates for those active customers whose SSL private key was exposed. It also warned customers about potential phishing attacks facilitated by the compromise of their email addresses and customer numbers.

Potential fallout for affected customers

“It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them,” noted Mark Maunder, CEO of Defiant, the company behind Wordfence, one of the most popular security plugins for WordPress.

The attacker having access to sFTP and database passwords for nearly a month and a half means that they have had plenty of time to take over these sites by uploading malware or adding a malicious administrative user, he added. The same thing was possible (and easier) by using the default admin password (on sites where it hasn’t been changed).

“Additionally, with database access, the attacker would have had access to sensitive information, including website customer PII (personally identifiable information) stored on the databases of the impacted sites, and may have been able to extract the contents of all impacted databases in full. This includes information such as the password hashes stored in the WordPress user accounts databases of affected sites, and customer information from e-Commerce sites,” Maunder continued.

“On sites where the SSL private key was exposed, it could be possible for an attacker to decrypt traffic using the stolen SSL private key, provided they could successfully perform a man-in-the-middle (MITM) attack that intercepts encrypted traffic between a site visitor and an affected site.”

He says that all GoDaddy Managed WordPress users should assume that they have been breached and make sure to perform a number of incident response and risk mitigation actions.
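One of the concrete checks behind "assume you have been breached" is to look for administrator accounts the site owner did not create. The script below is an added example, not code from the article, Wordfence or GoDaddy: it takes rows in the shape of a WordPress `wp_users` export joined with the `wp_capabilities` usermeta value (a serialized PHP array, which is how WordPress stores roles), and flags any administrator that was registered inside the breach window the article gives (September 6 to November 17, 2021) or that is missing from a list of administrators the owner knows about. The sample rows, the `known_admins` allowlist and the helper names are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Breach window as stated in the article: attacker access from 2021-09-06
# until GoDaddy discovered it on 2021-11-17 (both treated as UTC days).
BREACH_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
BREACH_END = datetime(2021, 11, 17, 23, 59, 59, tzinfo=timezone.utc)

# Matches role entries set to true inside a serialized wp_capabilities value,
# e.g. s:13:"administrator";b:1;  (entries with b:0 are not matched).
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

# Constructed sample rows: wp_users columns plus the wp_capabilities meta value.
# "wp-support" is the kind of account a reviewer would want surfaced.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2019-03-02 10:11:12",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 7, "user_login": "editor-jane", "user_registered": "2021-10-01 08:00:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 9, "user_login": "wp-support", "user_registered": "2021-10-14 03:27:55",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 12, "user_login": "contractor", "user_registered": "2021-11-20 12:00:00",
     "wp_capabilities": 'a:2:{s:13:"administrator";b:0;s:6:"editor";b:1;}'},
]


def roles_from_capabilities(serialized):
    """Return the set of role names whose flag is true in a serialized
    wp_capabilities value (a PHP-serialized array of role => bool)."""
    return set(ROLE_RE.findall(serialized))


def parse_registered(value):
    """wp_users.user_registered is stored as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def suspicious_admins(users, known_admins, start=BREACH_START, end=BREACH_END):
    """Flag administrator accounts that were registered inside the breach window
    or that the site owner does not recognise. Returns a list of
    (user_login, [reasons]) tuples, in the order the rows were supplied.

    Both tests are applied because someone with database access can edit
    user_registered: an unknown admin with a plausible old date is still a finding."""
    findings = []
    for row in users:
        if "administrator" not in roles_from_capabilities(row["wp_capabilities"]):
            continue
        registered = parse_registered(row["user_registered"])
        reasons = []
        if start <= registered <= end:
            reasons.append("registered during breach window")
        if row["user_login"] not in known_admins:
            reasons.append("not on the known-administrator list")
        if reasons:
            findings.append((row["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in suspicious_admins(SAMPLE_USERS, known_admins={"owner"}):
        print(f"{login}: {'; '.join(reasons)}")
```

Run against a real export, the same logic applies to the output of `SELECT u.ID, u.user_login, u.user_registered, m.meta_value FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities'` (the table prefix and meta key prefix vary per install). It only covers accounts; the other persistence route the article mentions, uploaded files, needs a separate comparison of the web root against a clean copy of WordPress, the theme and the plugins.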

Jim Taylor, Chief Product Officer for SecurID, noted that phishing, account takeover, and brand impersonation could create major damage to GoDaddy’s users, as these attacks could enable hackers to scam customers, damage a brand’s reputation, make changes to their corporate website, expose business to GDPR violations, and more.

“Moreover, if the leaked GoDaddy credentials are the same or similar to other, third-party services or admin information, then cybercriminals could infiltrate a corporate network or launch a ransomware attack,” he told Help Net Security.

He also pointed out that while the unauthorized person used a compromised password to get access to GoDaddy’s systems, it is still not clear if the compromised password was protected with two-factor authentication.

Murali Palanisamy, Chief Solutions Officer for AppViewX, says that compromised SSL private keys and certificates could also allow hackers to hijack a domain name and hold it for ransom.

“While GoDaddy is working to update all the new SSL certificates, it will take time to accomplish this. As such, to mitigate current vulnerabilities, customers of GoDaddy need to check that the certificates are updated and change the passwords for sFTP access to new and unique numbers, letters and symbols. I’d also recommend incorporating a cryptographic agility capability, which will enable a quick rollover of certifications and keys,” he advises.

“Last, the long-term resolution to ensuring an organization’s most valuable asset – its digital presence – is protected is to begin using short-lived certificates and incorporating full automation to manage its lifecycle. This way, if the keys are compromised, they are not used by attackers and the window of opportunity for such sophisticated attacks is reduced. Customers of GoDaddy should monitor for unusual activity and report any red flags to the government/FTC as soon as possible.”
