In November 2021, GoDaddy announced that an unknown attacker had gained unauthorized access to the system used to serve its managed WordPress sites, affecting up to 1.2 million WordPress customers.
Note that this number does not include the customers of the websites affected by this breach, and some GoDaddy customers have more than one website on their accounts.
According to the report, the attackers first gained access on September 6, 2021, using a compromised password, and were discovered on November 17, 2021, at which point their access was blocked. While the company immediately took mitigation measures, the attacker had more than two months to establish persistence. Anyone currently using GoDaddy’s managed WordPress product should assume they have been compromised until they can confirm they have not.
It appears that GoDaddy stored sFTP credentials either as clear text or in a format that can be converted back to clear text, instead of using a salted hash or public key authentication, which are considered industry best practice for sFTP. This gave the attacker direct access to the passwords without having to crack them.
According to its SEC filing, “sFTP and database usernames and passwords have been given to active customers.”
What did the attacker have access to?
The SEC filing reveals that the attacker accessed users’ email addresses and customer numbers, the original WordPress administrator password set at deployment, and SSL private keys. All of these could be useful to an attacker, but one point stands out in particular:
From September 6, 2021, to November 17, 2021, the attacker accessed the sFTP and database user names and passwords of active customers.
GoDaddy has stored sFTP passwords so that the clear text versions can be retrieved instead of storing salted hashes of those passwords or providing public key authentication, both of which are industry best practices.
GoDaddy appears to confirm that they stored database passwords in clear text or in a reversible format; these can also be viewed via their user interface. Unfortunately, storing the database password as clear text is normal in a WordPress setting, where it is saved as text in the wp-config.php file. What is more surprising about this breach is that the password that grants read/write access to the entire file system via sFTP was stored as clear text.
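To make the storage point concrete, here is an added example (written for this article, not GoDaddy's code or anything from the SEC filing) contrasting the two patterns: a reversible record that hands the password back to anyone who can read it, and a salted PBKDF2 record that can verify a login but never yields the password. The sample password and the base64 "encoding" standing in for reversible storage are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 310_000  # current OWASP guidance for PBKDF2-HMAC-SHA256

# Constructed sample credential for the demonstration; not a real value.
SAMPLE_PASSWORD = "example-sftp-password"


def store_reversible(password: str) -> str:
    """The weak pattern described above: the record can be turned back into
    the password by anyone who can read it. Base64 stands in here for any
    reversible encoding, or for encryption with a key stored alongside."""
    return base64.b64encode(password.encode()).decode()


def recover_from_reversible(stored: str) -> str:
    """Why reversible storage fails: no cracking step is needed at all."""
    return base64.b64decode(stored).decode()


def store_hashed(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 record. A fresh random salt per password
    means identical passwords produce different records and precomputed
    tables are useless; the record verifies a password but never yields it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    weak = store_reversible(SAMPLE_PASSWORD)
    print("reversible record leaks:", recover_from_reversible(weak))
    strong = store_hashed(SAMPLE_PASSWORD)
    print("hashed record:", strong)
    print("correct password verifies:", verify_hashed(SAMPLE_PASSWORD, strong))
    print("wrong password verifies:", verify_hashed("not-the-password", strong))
```

The hashed record is what a breach of the credential store would have exposed under the best-practice approach: an attacker who reads it still has to guess each password, and a unique salt per record means every guess has to be repeated per account. Public key authentication for sFTP removes even that, since the server only holds public keys.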
What could an attacker do with this information?
While the SEC filing highlights the potential phishing risk from exposed email addresses and customer numbers, the associated risk is minimal compared to the potential impact of exposed sFTP and database passwords.
Although GoDaddy immediately reset the sFTP and database passwords for all affected sites, the attacker had access for almost a month to take over these sites by uploading malware or adding a malicious administrator. This would allow the attacker to maintain persistence and control the sites even after changing passwords.
In addition, with database access, the attacker would have had access to sensitive information stored in the databases of the affected websites, including personal data of those sites’ customers, and may have been able to extract the full contents of every affected database. This includes the password hashes stored in the WordPress user tables of the sites concerned and customer information from e-commerce sites.
An attacker could similarly gain control of sites that have not changed their default admin password, but it would be easier to use the sFTP and database access to do so.
For sites where the private SSL key was disclosed, an attacker holding the stolen key could decrypt the traffic if they could successfully carry out a man-in-the-middle attack on the encrypted traffic between a site visitor and the affected site.
What should I do if I have a GoDaddy Managed Site?
GoDaddy will be reaching out to affected customers in the next few days. In the meantime, given the severity of the problem and the data the attacker had access to, we recommend that all managed WordPress users assume they have been breached and take the following measures:
If you run an eCommerce website or store personal information, and GoDaddy has confirmed that you were breached, you may need to notify your customers of the breach.
Please inform yourself about the regulatory requirements in your jurisdiction and ensure that you comply with these requirements.
Change your WordPress passwords and, if possible, force a password reset for your WordPress users or customers.
Since the attacker had access to the password hashes in every affected WordPress database, he could potentially crack these passwords and use them on the affected websites.
Change any reused passwords and advise your users or customers to do the same.
The attacker could use credentials extracted from affected websites to access other services with the same password. For example, if one of your customers uses the same email address and password on your website as for their Gmail account, the attacker could access that customer’s Gmail account as soon as they cracked that customer’s password.
If possible, activate 2-factor authentication.
The Wordfence plugin offers this as a free feature for WordPress sites, and most other services also offer a 2-factor authentication option.
Check your site for unauthorized administrator accounts.
Scan your website for malware with a security scanner.
Check your site’s file system, including wp-content/mu-plugins, for any unexpected plugins or plugins that do not appear in the plugins menu, since legitimate plugins can also be used to maintain unauthorized access.
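The two file-system and account checks above (unauthorized administrator accounts, unexpected files in wp-content/mu-plugins) can be scripted. The following is an added example for this article, not a Wordfence or GoDaddy tool. It assumes the default wp_ table prefix, so the role is read from the wp_capabilities row of wp_usermeta (WordPress stores it as a PHP-serialized array, so the role name appears as a quoted string in meta_value), and it uses an in-memory SQLite stand-in plus a temporary directory populated with constructed rows and file names; the user names and plugin file names are invented for the example.

```python
import os
import sqlite3
import tempfile

# Constructed allowlists for the example site: the accounts and mu-plugins
# the site owner actually knows about. Anything else is flagged for review.
KNOWN_ADMINS = {"site_owner"}
EXPECTED_MU_PLUGINS = {"health-check-troubleshooting-mode.php"}


def find_unexpected_admins(conn: sqlite3.Connection, known_admins: set) -> list:
    """Return logins holding the administrator role that are not on the known
    list. Assumes the default 'wp_' prefix, i.e. meta_key 'wp_capabilities';
    a serialized role looks like a:1:{s:13:"administrator";b:1;}."""
    rows = conn.execute(
        """
        SELECT u.user_login
        FROM wp_users AS u
        JOIN wp_usermeta AS m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%"administrator"%'
        """
    ).fetchall()
    return sorted(login for (login,) in rows if login not in known_admins)


def find_unexpected_mu_plugins(mu_dir: str, expected: set) -> list:
    """Return every entry in wp-content/mu-plugins not on the expected list.
    mu-plugins load automatically and cannot be deactivated from the plugins
    menu, which is why an unexpected file there deserves a close look."""
    if not os.path.isdir(mu_dir):
        return []
    return sorted(name for name in os.listdir(mu_dir) if name not in expected)


def build_sample_db() -> sqlite3.Connection:
    """Minimal in-memory stand-in for wp_users / wp_usermeta with constructed
    rows (not data from any real site): one known admin, one editor, and one
    administrator account the owner never created."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'site_owner'), (2, 'editor_jane'), (3, 'wp_support');
        INSERT INTO wp_usermeta VALUES
          (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        """
    )
    return conn


def build_sample_mu_dir() -> str:
    """Temporary stand-in for wp-content/mu-plugins holding one expected file
    and one constructed extra file (placeholder content only)."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    for name in ("health-check-troubleshooting-mode.php", "wp-cache-helper.php"):
        with open(os.path.join(mu_dir, name), "w") as fh:
            fh.write("<?php // constructed placeholder for the example\n")
    return mu_dir


if __name__ == "__main__":
    conn = build_sample_db()
    print("unexpected administrators:", find_unexpected_admins(conn, KNOWN_ADMINS))
    mu_dir = build_sample_mu_dir()
    print("unexpected mu-plugins:", find_unexpected_mu_plugins(mu_dir, EXPECTED_MU_PLUGINS))
```

On a real site, point the first function at a read-only connection to the live database (adjusting the prefix if the site does not use wp_) and the second at the actual wp-content/mu-plugins path; review anything flagged before deciding whether to remove it, since the check only reports what is not on your own allowlist.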
Be on the lookout for suspicious-looking phishing emails. An attacker could still use extracted emails and customer numbers to obtain further sensitive information from victims of this compromise.
The GoDaddy Managed WordPress data breach is likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, affecting site owners and their customers. The SEC filing says that “Up to 1.2 million active and inactive Managed WordPress customers” were involved. Customers of those sites are most likely also affected, making the number of affected people much larger.
For now, anyone using GoDaddy’s Managed WordPress offering should assume their sites have been compromised until further information becomes available and follow the steps we have provided in this article. We will update the article if more information becomes available.
Note: All logos, product names, and trademarks are the property of their respective owners in the United States and/or other countries. All company, product, and service names used on this page are for identification purposes only. Using these names, logos, and trademarks does not imply endorsement.