GoDaddy managed WordPress hosting service breach exposed 1.2m user profiles

External investigation finds breach dates back more than two months

The personal data more than 1.2 million GoDaddy customers was exposed after cybercriminals breached its WordPress hosting service, the company has admitted.

In a statement filed with the US Securities and Exchange Commission, the internet infrastructure firm said it confirmed the breach on November 17 after detecting “suspicious activity” on its managed WordPress hosting environment.

A subsequent incident response investigation by an external IT forensics firm uncovered evidence that the breach dates back more than two months, following an initial intrusion dating back to September 6.

“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress,” according to the domain registrar and web hosting firm.

Tangled web

WordPress said it has blocked the intrusion but not before the exposure of a range of sensitive information.

Up to 1.2 million active and inactive Managed WordPress customers had their email address exposed.

Catch up with the latest data leak news and analysis

Users’ sFTP and database usernames and passwords were all exposed because of the breach. These passwords have been reset.

For a subset of active customers, the SSL private key was exposed. GoDaddy is in the process of issuing and installing new certificates.

Fresh phish

Following news of the breach, website administrators were warned that miscreants may seek to abuse the leaked credentials to construct convincing phishing attacks designed to trick recipients into handing over even more sensitive information.

Independent security experts advised that the deployment of multi-factor authentication to WordPress environments – best practice in normal circumstances – would be particularly helpful to GoDaddy customers in the aftermath of this breach.

Ed Williams, director of Trustwave’s SpiderLabs research division, commented: “Enterprises, SMBs, and individuals using frequently targeted platforms like WordPress should ensure they are following strong password best practices: complexity, frequent password changes, not sharing passwords between applications, and multi-factor authentication.

“If possible, utilize an authenticator app to secure your account instead of traditional two-factor authentication via SMS – as hackers have recently been targeting users with specialized SMS phishing,” Williams added.

RELATED SIM swap fraud – an explainer

Other third party security vendors noted that this isn’t the first time GoDaddy has suffered a security incident.

Matt Sanders, director of security at LogRhythm, said: “Unfortunately, this incident is the fourth time in the last few years GoDaddy has suffered a data breach or cyber-attack.

“This month’s data breach follows the hacking of a cryptocurrency domain managed by GoDaddy last November, an unauthorized user who breached 28,000 accounts last May, and an AWS error that exposed GoDaddy server data in 2018.

“When an organization experiences a cyber-attack, it can signal a lack of proper security controls and policies, making the organization an even more appealing target for cybercriminals,” Sanders concluded.