GoDaddy held its hands up last week and admitted that the web hosting platform suffered a significant data breach in September involving customer account information.
The US-based domain registrar claims that as many as 1.2 million active and inactive customers have had their ‘email address and customer number exposed’ thanks to an ‘unauthorized third party’.
The malicious actor was able to access GoDaddy’s WordPress hosting environment due to a compromised password, making it the latest in a string of large-scale data breaches that illustrate the importance of using password managers and multi-factor authentication tools.
GoDaddy Admits to Hack
GoDaddy’s recent disclosures to the Securities and Exchange Commission detail the nature of the attack and the extent of the damage caused by an ‘unauthorized third party’:
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress” – Demetrius Comes, Chief Information Security Officer, GoDaddy.
The web hosting platform confirmed that, in addition to the email addresses and customer numbers of up to 1.2 million active and inactive Managed WordPress customers, the unauthorized actor had access to:
- The original WordPress admin password set at the time of provisioning (still valid for any customer who never changed it).
- sFTP usernames/passwords (active customers).
- Database usernames/passwords (active customers).
- The SSL private key (some active customers).
GoDaddy – which hosts over 82 million domains – says it has reset passwords and is issuing new SSL certificates to minimize the scope of the damage to customers.
Why is GoDaddy Only Mentioning the Hack Now?
GoDaddy disclosed the breach to the Securities and Exchange Commission last week, shortly after it says it discovered the intrusion. However, the company says the unauthorized access dates back to early September, meaning the intruder had more than two months inside the environment before detection. Responding to the incident, GoDaddy said:
“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection” – Demetrius Comes, Chief Information Security Officer, GoDaddy.
The web hosting platform is no stranger to data breaches, however, having suffered one in 2018 when an Amazon Web Services S3 bucket configuration error led to the exposure of internal information belonging to GoDaddy.
Then, in May 2020, GoDaddy informed its users that it had discovered an ‘altered SSH file’ inside the domain registrar’s hosting environment and subsequent ‘suspicious activity’ on the company’s servers.
Last year, GoDaddy employees were duped by social engineering into handing control of several cryptocurrency sites’ domains to attackers, which allowed those attackers to access email belonging to the sites’ staff.
What Should I do if I’m Part of the Breach?
GoDaddy has warned those affected by the breach to look out for phishing emails. An exposed email address isn’t the end of the world on its own, but it is now part of a bank of addresses that can be used for mass phishing attacks, and the attackers also know you are a GoDaddy Managed WordPress customer, which makes a convincing lure easy to write.
GoDaddy says it has reset the exposed passwords, but you should still change the password on any other account where you reused credentials from a WordPress site you own or have owned. Because sFTP and database credentials were exposed, it is also worth checking the site itself for changes you did not make (unexpected admin users, plugins, or modified files) and confirming that your SSL certificate has been reissued.
Really, though, you shouldn’t be using the same password on more than one website, and you should be using a password manager such as LastPass, which also offers an authenticator app, or NordPass, which stores your passwords and can check whether your personal data has appeared in a leak.
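Because the exposed sFTP and database credentials could have been used to alter site files at any point since September, rotating passwords alone does not tell you whether a site was tampered with. The script below is an added example, not GoDaddy’s tooling and not code from the original article. It builds a constructed sample WordPress document root in a temporary directory (the file names, contents and timestamps are invented), then flags PHP files modified after an assumed cut-off of 1 September 2021, PHP files sitting under wp-content/uploads (where PHP should never live), and files containing common webshell constructs. The cut-off date and the pattern list are assumptions and the list is deliberately short, so treat the output as a triage starting point rather than a verdict.

```python
from __future__ import annotations

import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed cut-off: GoDaddy's filing says the access began in early September 2021.
BREACH_START = datetime(2021, 9, 1, tzinfo=timezone.utc)

# Illustrative webshell/backdoor constructs (assumption: not an exhaustive list).
SUSPICIOUS_PATTERNS = {
    "eval of decoded payload": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "command execution from request": re.compile(
        rb"(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "preg_replace /e": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    "assert on request data": re.compile(rb"assert\s*\(\s*\$_(?:GET|POST|REQUEST)"),
}

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def triage(docroot: str, since: datetime = BREACH_START) -> list[dict]:
    """Walk a WordPress document root and report PHP files that were modified after
    `since`, live under wp-content/uploads, or contain a suspicious construct.
    Returns a list of {"path": <relative posix path>, "reasons": [...]} sorted by path."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime >= since:
            reasons.append(f"modified {mtime:%Y-%m-%d} (after {since:%Y-%m-%d})")
        if rel.startswith("wp-content/uploads/"):
            reasons.append("PHP file inside wp-content/uploads")
        data = path.read_bytes()
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(data):
                reasons.append(f"suspicious construct: {label}")
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_docroot(base: str) -> str:
    """Constructed sample site (not real GoDaddy or customer data): clean core files with
    old timestamps, one legitimately edited theme file, and one dropped shell in uploads."""
    old = datetime(2021, 6, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2021, 10, 15, tzinfo=timezone.utc).timestamp()
    files = {
        "wp-config.php": (b"<?php define('DB_NAME', 'wp'); require_once ABSPATH . 'wp-settings.php';\n", old),
        "wp-includes/functions.php": (b"<?php function wp_example() { return true; }\n", old),
        "wp-content/themes/twentytwentyone/footer.php": (b"<?php wp_footer(); ?></body></html>\n", new),
        "wp-content/uploads/2021/10/wp-cache.php": (b"<?php @eval(base64_decode($_POST['c']));\n", new),
        "wp-content/uploads/2021/10/photo.jpg": (b"\xff\xd8\xff\xe0 not php", new),
    }
    for rel, (content, mtime) in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))  # backdate so the mtime check has something to compare
    return base


def run_demo() -> list[dict]:
    """Build the constructed docroot in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

On a real site you would point `triage()` at the actual document root (over sFTP or a local backup) and review every hit by hand: a theme file edited in October may be your own work, while any PHP file under uploads or anything matching the eval/exec patterns deserves immediate attention. Note that an attacker with sFTP access can also reset mtimes, so a clean timestamp scan is not proof of a clean site; compare core files against a fresh WordPress download of the same version as well.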
To reduce the chance of falling for a phishing email, treat messages from addresses you don’t recognize with extreme caution, and never click on a link in an email that is:
- Giving you some sort of ultimatum/threatening you (e.g. ‘Do X or your account will be closed forever’).
- Asking you to perform a task as a matter of urgency (e.g. ‘I need you to send me X amount of money right now’).
- Full of spelling mistakes, or grammatical errors that would be unusual to find in a legitimate email from a genuine company.
- Asking you to click on a shortened URL, or any link you weren’t expecting. If you do accidentally click a link in a suspicious email, close the page and your browser, do not enter any credentials, and change the relevant password if you already did.
Remember, if you want to check whether a company is legitimately trying to contact you, whether to offer a service, sell you something, or because you have an account they manage, you can open a separate, direct channel of communication with them. In other words, if you’re not sure whether an email really comes from your bank, call the phone number published on their website rather than using any number or link in the email. It’s always better to be safe than sorry.
If this news from GoDaddy has alarmed you, you may want to consider other web hosting platforms. We've reviewed the best web hosting solutions out there, and finding a replacement could even save you money too, as well as restoring your peace of mind. Read our guide to the best web hosting services for 2021.