Cybersecurity and GoDaddy
GoDaddy=UhOhDaddy!
by Charles Parker
Most of us of a certain vintage remember the media prominence GoDaddy had over a decade ago, with its flashy commercials and spokespersons through the years. At its root, the company is a domain registrar and web-hosting company. It’s really that simple. The company is publicly traded on the NYSE as GDDY and is sizable, with a $3.3B valuation. They are based in warm Tempe, AZ, with approximately 20M customers worldwide and more than 82M domain names registered using its servers.
Breach
The company detected a security incident that began around September 6, 2021. Curiously, the compromise wasn’t noticed until November 17, 2021, so the attackers potentially had access for approximately two months. It was detected through suspicious activity in the managed WordPress hosting environment. With the amount of traffic through this network, this would have been detected with a SIEM or a similarly functioning program.
Method
With a system this large, the attack points would be vast. In this case, the unauthorized entry came from a compromised password. There are users who complain constantly about changing their passwords. The reports so far have not noted whether the password had gone unchanged for six months, or whether this was a case of credential stuffing or of social engineering used to harvest the person’s credentials. Whichever method was used, this is another example of why changing passwords regularly (as long as we continue to use them) is required. It’s also worth mentioning that implementing 2FA/MFA would have gone a long way toward removing this attack vector, since it would have helped defeat any attempt to get into the system with the compromised password.
Affected
This issue was substantial. The data belonging to up to 1.2M WordPress customers was exposed. The data itself was not as expansive as it could have been. In this case, it appears the attackers had access to the managed WordPress customers’ email addresses and numbers, for both active and inactive accounts. While this isn’t as terrible as it could have been, what made it worse was that the WordPress admin passwords set when the accounts were provisioned were also compromised. The usernames and passwords for the Secure File Transfer Protocol (SFTP) and the databases were included as well. But wait, there’s more! The SSL (Secure Sockets Layer) private keys were compromised.
Incident Response
Once the intrusion was detected, the unauthorized third party was blocked. GoDaddy contracted with an IT forensics company to fully review and analyze the breach and the depth of the penetration. The company also contacted law enforcement. As a result of the compromise, the company had to reset the admin passwords that had not been changed since the account was provisioned. The passwords for the SFTP and database also had to be reset. As for the SSL keys, new certificates were reissued and installed for the affected clients. A further wrinkle is that the business is publicly traded, so GoDaddy had to file a statement regarding the breach with the Securities and Exchange Commission (SEC). In retrospect, they are fortunate the attackers didn’t pivot from this segment into other areas or hit it with ransomware.