Security incidents affecting WordPress have become widespread in recent years as more and more companies rely on the popular content management system to power their websites. The latest organization to suffer a WordPress security breach is domain registrar GoDaddy, which recently went public with unauthorized third-party access to its managed WordPress hosting environment, affecting as many as 1.2 million active and inactive customers.
Below is a timeline of the event with details and insights from the company and experts in the field.
GoDaddy WordPress Data Breach Timeline
November 17, 2021: GoDaddy finds unauthorized third-party access on managed WordPress
In an SEC filing, Demetrius Comes, GoDaddy’s chief information security officer, announced that the group discovered unauthorized access to its hosted WordPress servers. GoDaddy determined that the incident began on September 6, 2021, and exposed the data of 1.2 million active and inactive managed WordPress customers. “We discovered suspicious activity in our managed WordPress hosting environment and immediately started an investigation with the help of an IT forensics firm and contacted law enforcement,” Comes said. “Using the compromised password, an unauthorized third party accessed the configuration system in our legacy codebase used to host WordPress.”
November 22, 2021: GoDaddy announces data breach
GoDaddy disclosed the breach in the aforementioned SEC filing and announced that it had blocked access to its systems by unauthorized third parties. While the investigation continues, GoDaddy has determined that a third party has exploited the vulnerability to access the following customer information:
- Email addresses and customer numbers of up to 1.2 million active and inactive managed WordPress customers were exposed, putting those customers at risk of phishing attacks
- The original WordPress admin password set during configuration was exposed. If these credentials are still in use, GoDaddy will reset these passwords
- For active clients, sFTP and database usernames and passwords were exposed. GoDaddy reset both passwords
- For a subset of active clients, the SSL private key has been exposed. GoDaddy is issuing and installing new certificates for these customers
“We deeply apologize for this incident and the concerns it caused our customers. As GoDaddy leadership and employees, we take our responsibility to protect our customers’ data very seriously and never want to let them down. Lessons have been learned from this incident and steps have been taken to strengthen our supply system with additional layers of protection,” Comes said.
November 23, 2021: Cybersecurity Industry Reacts, Managed WordPress Reseller Reveals Impact
Following GoDaddy’s data breach announcement, experts in the cybersecurity field shared reactions and insights on the incident, GoDaddy’s response, and the wider impact on organizations and users.
Dominic Trott, UK manager of Orange Cyberdefense, said: “One of the most surprising discoveries of the GoDaddy vulnerability may be the delay between the initial attack and the company’s discovery of the vulnerability more than a month later. The lack of 24/7 threat detection and response activities will inevitably put critical assets such as customer data at greater risk of exploitation, exposing GoDaddy to reputational and financial damage. In this case, 1.2 million email addresses and account passwords are compromised, leaving customers vulnerable to phishing threats that could put them, their personal devices and their finances at risk.”
Nick France, a digital cryptography expert and CTO of Sectigo, said that this breach of a large number of private keys would eventually result in all compromised certificates needing to be revoked within a very short period of time. “This could have major implications for businesses that rely on these certificates – especially during a holiday week like this.”
Ed Williams, director of Trustwave SpiderLabs, added that, in fact, breaches of this scale are especially dangerous during the holiday season. “Hackers attempt to use every new email address and password exposed to launch phishing attacks and social engineering schemes.”
Wordfence confirmed that at least six resellers of GoDaddy's managed WordPress hosting were also affected by the breach: tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet and Host Europe. GoDaddy said only a few reseller customers were affected.
Copyright © 2021 IDG Communications, Inc.