GoDaddy, the web hosting giant, has reported a massive data breach impacting nearly 1.2 million customers, according to a filing with the US Securities and Exchange Commission (SEC). According to the filing, the company discovered the breach on November 17, 2021, and it involved “third-party access” to its “Managed WordPress hosting environment.”
According to the filing, GoDaddy identified “suspicious activity” in the “Managed WordPress hosting environment” and then began an investigation. After discovering the breach, it engaged an IT forensics team and contacted law enforcement.
The filing states that the unauthorised third-party access took place using “a compromised password,” and the attackers then gained access to the “provisioning system in the legacy code base for Managed WordPress.”
While GoDaddy says it “blocked the unauthorized third party” once the access was detected, the investigation is still ongoing. The access likely began on September 6, 2021, which is nearly two months before GoDaddy discovered the breach.
Nearly “1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed,” adds the filing. Stolen email addresses are a serious issue because they can increase the risk of phishing attacks, where cybercriminals send emails to users in an attempt to trick them into leaking their other account details.
Further, the “original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords,” adds the filing.
For active customers, “sFTP and database usernames and passwords were exposed,” though GoDaddy says it has reset both passwords. sFTP is the Secure File Transfer Protocol, which provides file access and transfer over the network for organisations and businesses.
Finally, for some active customers, “the SSL private key was exposed,” and GoDaddy is in the “process of issuing and installing new certificates for those customers.” The SSL private key is crucial because it is an important part of the website’s SSL (Secure Sockets Layer) certificate. This is what authenticates the website to the internet.
The company says that the investigation is still ongoing and that it is “contacting all impacted customers directly with specific details.” Customers can also contact the company via its help center.