Web-hosting company GoDaddy said in a Securities and Exchange Commission (SEC) filing that the data of 1.2 million active and inactive Managed WordPress customers was exposed due to a breach on September 6. The breach was discovered on November 17.
The exposed data includes email addresses, customer numbers and original WordPress admin passwords, along with the Secure Sockets Layer (SSL) private keys of some customers. GoDaddy said it is in the process of issuing and installing new SSL certificates.
What is even more concerning is that during the breach, the unknown attackers gained access to secure file transfer protocol (SFTP) and database usernames and passwords of active customers.
GoDaddy claims to have reset the SFTP and database passwords of all impacted websites immediately after the discovery.
"We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress," GoDaddy said in the filing.
Mark Maunder, CEO and co-founder of Wordfence, suspects that GoDaddy was storing SFTP credentials in plaintext, or in a format that could be easily reversed into plaintext, instead of using an industry-recommended salted hash or a public key. "This allowed an attacker direct access to password credentials without the need to crack them," he said in a blog post.
Wordfence provides services such as firewall and malware scan for WordPress.
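Maunder's point is that a credential stored as a salted, iterated hash cannot be turned back into the SFTP password, so a leaked record does not hand an intruder a usable login. The following is an added example, not GoDaddy's or Wordfence's code; it uses PBKDF2-HMAC-SHA256 from Python's standard library with an assumed iteration count, and the passwords in it are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed iteration count; choose it for your own hardware and guidance.
ITERATIONS = 600_000


def hash_credential(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
    """Store a password as a self-describing record:
    algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per record means two users with the same password
    get different records, and a stolen record cannot be reused as a password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. Nothing here recovers the original password."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def plaintext_store(password: str) -> str:
    """The weak scheme Maunder suspects: the stored value IS the credential."""
    return password


def leaked_value_logs_in(stored: str, check) -> bool:
    """Given a leaked stored value, does presenting it as the password succeed?
    `check(password, stored)` is the login check for that storage scheme."""
    return check(stored, stored)


if __name__ == "__main__":
    # Constructed sample credential for a hypothetical SFTP account.
    sftp_password = "sftp-sample-Passw0rd"

    plain = plaintext_store(sftp_password)
    hashed = hash_credential(sftp_password)

    # With plaintext storage the leaked value is directly usable.
    print("plaintext leak usable:", leaked_value_logs_in(plain, lambda p, s: p == s))
    # With a salted hash the leaked record verifies nothing.
    print("hashed leak usable:   ", leaked_value_logs_in(hashed, verify_credential))
    print("real password still verifies:", verify_credential(sftp_password, hashed))
```

The record format carries its own salt and iteration count, so the cost can be raised later for new credentials while old records remain verifiable; a compromised store of such records still has to be cracked one guess at a time rather than read off directly.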
Maunder warns that the attacker had over a month and a half to take over websites by planting malware. Also, access to the database would have given attackers access to personally identifiable information of website owners. Any website that had not changed the default admin password also risked being logged out of its account.
The data breach can have serious implications for online businesses that use web hosting platforms such as GoDaddy, which reportedly has over 44 million subscribers. GoDaddy's Managed WordPress services account for a major share of the WordPress user base. Managed WordPress is an optimized hosting platform for building and managing WordPress sites, where the hosting provider takes care of basic administrative tasks.
Maunder noted that if the number of impacted websites is 1.2 million, the total number of impacted users will be far higher, since customers of those websites would also have been affected.