GoDaddy announced that an unknown attacker had gained unauthorized access to the system used to serve its managed WordPress sites, affecting up to 1.2 million WordPress customers.
Note that this number does not include the customers of the affected websites, and some GoDaddy customers have more than one website on their accounts.
According to the report, the attacker first gained access on September 6, 2021, using a compromised password, and was discovered on November 17, 2021, at which point that access was revoked. Although the company took mitigation measures immediately, the attacker had more than two months in which to establish persistence. Anyone currently using GoDaddy's managed WordPress product should assume their sites are compromised until they can confirm they are not.
It appears that GoDaddy stored sFTP credentials either in clear text or in a format that can be converted back to clear text, instead of using a salted hash or public-key authentication, both of which are considered industry best practice for sFTP. This handed the attacker the passwords directly, without any need to crack them.
According to its SEC filing, the sFTP and database usernames and passwords of active customers were exposed.
What did the attacker have access to?
The SEC filing reveals that the attacker had access to users’ email addresses and customer numbers, the original WordPress administrator password set at the time of deployment, and SSL private keys. All of these could be useful to an attacker, but one point stands out in particular:
From September 6, 2021 to November 17, 2021, the attacker had access to the sFTP and database user names and passwords of active customers.
GoDaddy stored sFTP passwords in a form from which the clear-text passwords could be retrieved, instead of storing salted hashes of those passwords or offering public-key authentication, both of which are industry best practices.
GoDaddy also appears to confirm that it stored database passwords in clear text or in a reversible format; these are accessible through its user interface as well. Storing the database password in clear text is, unfortunately, completely normal in a WordPress setting, since it is saved as plain text in the wp-config.php file. What is more surprising about this breach is that the password granting read/write access to the entire file system via sFTP was also stored in clear text.
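To make the difference between the reversible storage described above and the salted-hash storage the article recommends concrete, here is an added example in Python. It is not GoDaddy's code and is not drawn from the SEC filing. It stores the same password both ways: once base64-encoded, standing in for any reversible format, and once as a PBKDF2-HMAC-SHA256 hash with a random salt per record. The record layout, the iteration count and the sample password are this example's own assumptions. Public-key authentication for sFTP, the other best practice mentioned, is a server configuration matter and is not shown.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: OWASP's current PBKDF2-HMAC-SHA256
# guidance is 600,000 iterations; 16 random bytes of salt per record.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_reversible(password: str) -> str:
    """The weak pattern: the credential is encoded, not hashed.

    base64 stands in here for any reversible format (plain text, or
    encryption with a key the same system holds). Whoever can read the
    record can turn it back into the password; no cracking required.
    """
    return base64.b64encode(password.encode()).decode()


def recover_reversible(stored: str) -> str:
    """What a reader of the credential store gets: the password itself."""
    return base64.b64decode(stored).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened pattern: per-record random salt plus a slow KDF.

    Returns a record of the form 'pbkdf2_sha256$<iterations>$<salt>$<hash>'
    (this example's own layout, not a WordPress or GoDaddy format).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample
    weak = store_reversible(password)
    print("reversible record :", weak)
    print("recovered         :", recover_reversible(weak))
    strong = hash_password(password)
    print("salted-hash record:", strong)
    print("verify (correct)  :", verify_password(password, strong))
    print("verify (wrong)    :", verify_password("wrong password", strong))
```

The first two functions show what a read of the credential store yields under reversible storage: the password, after one decode. With the salted-hash record the same read yields only a value that has to be brute-forced separately for every user, at 600,000 iterations per guess. WordPress itself stores its own users' passwords salted and hashed in the wp_users table, which is why the article talks about cracking those hashes rather than simply reading them.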
What could an attacker do with this information?
While the SEC filing highlights the potential phishing risk from exposed email addresses and customer numbers, the associated risk is minimal compared to the potential impact of exposed sFTP and database passwords.
Although GoDaddy immediately reset the sFTP and database passwords of all affected sites, the attacker had more than two months in which to take over these sites by uploading malware or adding a malicious administrator account. Either would let the attacker keep persistent control of the sites even after the passwords were changed.
In addition, with database access the attacker could read sensitive information stored in the databases of the affected websites, including personal data of those sites' customers, and may have been able to extract the full contents of every affected database. This includes the password hashes in the WordPress user tables of the affected sites and customer information from e-commerce sites.
An attacker could similarly gain control of sites whose default administrator password was never changed, although using the sFTP and database access would be the easier route.
On sites where the SSL private key was exposed, an attacker who could carry out a man-in-the-middle attack on the encrypted traffic between a visitor and an affected site could decrypt that traffic with the stolen key, for as long as that key remains in use.
What should I do if I have a GoDaddy Managed Site?
GoDaddy will be reaching out to affected customers in the next few days. In the meantime, given the severity of the problem and the data the attacker had access to, we recommend that all managed WordPress users assume they have been breached and take the following measures:
If you run an e-commerce website or hold personal information, and GoDaddy has confirmed that your site was affected by the breach, you may need to notify your customers of the breach.
Please inform yourself about the regulatory requirements in your jurisdiction and ensure that you comply with these requirements.
Change all of your WordPress passwords and, if possible, force a password reset for your WordPress users or customers.
Since the attacker had access to the password hashes in every affected WordPress database, they could potentially crack those passwords and use them to log in to the affected websites.
Change any reused passwords and advise your users or customers to do the same.
The attacker could use credentials extracted from affected websites to access other services that share the same password. For example, if one of your customers uses the same email address and password on your website as for their Gmail account, the attacker could access that customer's Gmail account as soon as the password is cracked.
If possible, enable two-factor authentication.
The Wordfence plugin offers this as a free feature for WordPress sites, and most other services offer a two-factor option as well.
Check your site for unauthorized administrator accounts.
Scan your website for malware with a security scanner.
Check your site's file system, including wp-content/mu-plugins, for any unexpected plugins or plugins that do not appear in the plugins menu, since a seemingly legitimate plugin can be used to maintain unauthorized access.
Be on the lookout for suspicious phishing emails. An attacker could still use the extracted email addresses and customer numbers to obtain further sensitive information from victims of this breach.
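The checks for unauthorized administrators and for unexpected plugins in the list above can be scripted. The following is an added Python example written for this article, not a GoDaddy or Wordfence tool. It walks a WordPress install and reports must-use plugins, PHP files under wp-content/uploads, and files modified since the first access date given in the SEC filing; it also picks administrator accounts out of wp_usermeta rows, where WordPress keeps roles as a PHP-serialized capabilities array. The sample directory tree and the sample usermeta rows are constructed for the demonstration; the wp_ table prefix, the date cut-off and the list of PHP extensions are assumptions you would adjust for your own site.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# WordPress keeps role membership in wp_usermeta (prefix 'wp_' is the default
# and is an assumption here) as a PHP-serialized array under meta_key
# '<prefix>capabilities', e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')

# Extensions a typical PHP handler executes; adjust to your server config.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# First day of attacker access according to the SEC filing.
BREACH_START = datetime(2021, 9, 6, tzinfo=timezone.utc).timestamp()


def find_admin_users(usermeta_rows: Iterable[Tuple[int, str, str]]) -> List[int]:
    """Return user IDs whose capabilities row grants the administrator role.

    Rows are (user_id, meta_key, meta_value) tuples, as returned by
    SELECT user_id, meta_key, meta_value FROM wp_usermeta
    WHERE meta_key LIKE '%capabilities';
    Compare the result against the administrators you know you created.
    """
    return sorted({uid for uid, key, value in usermeta_rows
                   if key.endswith("capabilities") and ADMIN_CAP.search(value)})


def audit_wp_tree(root: str, since_epoch: float = BREACH_START) -> Dict[str, List[str]]:
    """Walk a WordPress install and list artefacts that deserve a manual look."""
    root_p = Path(root)
    content = root_p / "wp-content"
    uploads = content / "uploads"
    mu_plugins = content / "mu-plugins"
    findings: Dict[str, List[str]] = {"mu_plugins": [], "php_in_uploads": [], "modified_since": []}

    def rel(p: Path) -> str:
        return p.relative_to(root_p).as_posix()

    # Must-use plugins load on every request and are absent from the normal
    # plugin list, which makes the directory a favourite spot for persistence.
    if mu_plugins.is_dir():
        findings["mu_plugins"] = sorted(rel(p) for p in mu_plugins.rglob("*") if p.is_file())

    # The uploads tree should hold media only; executable PHP there is a red flag.
    if uploads.is_dir():
        findings["php_in_uploads"] = sorted(
            rel(p) for p in uploads.rglob("*")
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)

    # Anything outside uploads touched since the attacker first had access.
    # Uploads are skipped here because media changes legitimately all the time.
    for p in root_p.rglob("*"):
        if p.is_file() and uploads not in p.parents and p.stat().st_mtime >= since_epoch:
            findings["modified_since"].append(rel(p))
    findings["modified_since"].sort()
    return findings


def build_sample_tree(base: Path) -> None:
    """Create a constructed, minimal WordPress-like tree for the demonstration."""
    before = datetime(2021, 8, 1, tzinfo=timezone.utc).timestamp()
    after = datetime(2021, 10, 15, tzinfo=timezone.utc).timestamp()
    files = {
        "wp-config.php": before,
        "wp-content/plugins/akismet/akismet.php": before,
        "wp-content/mu-plugins/loader.php": after,       # hidden from the plugin list
        "wp-content/uploads/2021/10/image.php": after,    # PHP where only media belongs
        "wp-content/uploads/2021/10/photo.jpg": after,
    }
    for name, mtime in files.items():
        path = base / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed sample\n" if name.endswith(".php") else "x")
        os.utime(path, (mtime, mtime))


# Constructed wp_usermeta rows: user 7 is an administrator the owner did not create.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "nickname", "wp-support"),
]


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return audit_wp_tree(str(base))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
    print("administrator user IDs:", find_admin_users(SAMPLE_USERMETA))
```

Against a real site, point audit_wp_tree at the document root and feed find_admin_users the rows from the SELECT shown in its docstring, run with your own table prefix. Every entry under mu_plugins loads on every request and never shows in the regular plugin list, so each one needs a justification, and a PHP file under uploads almost never has one. A file that looks like a normal plugin but has a modification time inside the breach window deserves a diff against a clean copy of that plugin.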
The GoDaddy Managed WordPress data breach is likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, affecting not only site owners but also their customers. The SEC filing says that “Up to 1.2 million active and inactive Managed WordPress customers” were involved. Customers of those sites are most likely also affected, making the number of affected people much larger.
For the time being, anyone who uses GoDaddy’s Managed WordPress offering should assume their sites have been compromised until further information becomes available and follow the steps we have provided in this article. We will update the article if more information becomes available.
GoDaddy SEC Report: https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
Note: All logos, product names, and trademarks are the property of their respective owners in the United States and/or other countries. All company, product, and service names used on this page are for identification purposes only. The use of these names, logos, and trademarks does not imply endorsement.