The world’s largest domain registrar was recently affected by yet another data breach, its fifth security incident since 2018. The attackers used a compromised password to steal email addresses, SSH keys, and database logins.
GoDaddy Suffers The Fifth Data Breach Since 2018
GoDaddy has confirmed another data breach, this time compromising a staggering 1.2 million of its customers.
The web-hosting giant didn’t notice the infiltration until Nov. 17, after the attacker(s) had ongoing access to its network for nearly two and a half months.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” Demetrius Comes, GoDaddy CISO, said in a public filing to the SEC.
The attack started with the threat actors compromising GoDaddy’s Managed WordPress hosting environment.
“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress,” Comes noted.
According to GoDaddy’s SEC notice, the hackers managed to steal various types of information, including:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
“Our investigation is ongoing, and we are contacting all impacted customers directly with specific details,” Comes concluded. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
It is still unclear if the account itself was properly protected – whether with a strong password, MFA (multi-factor authentication), or both.
“The key question is, ‘was multifactor in use?’ With this breach being caused by a compromised credential, I wouldn’t imagine the login was protected by multi-factor authentication, which is an element that could have caused this breach,” Randy Watkins, CTO at Critical Start, said. “Moving forward, key and password management is crucial. Applying least-privilege where applicable can lessen the impact of a compromised credential, but it’s still best to protect every login with MFA and monitor service accounts that don’t support MFA.”
1.2 Million Records Left Exposed
A data breach never comes alone. The affected customers are very likely to be targeted by phishing attacks. However, phishing is not the only issue to be considered, researchers warned.
“This breach could mean a few things for users,” said Watkins. “There is a chance that keys or credentials could be used to gain access or impersonate customer sites. Either of these scenarios could lead to a compromise of those organizations’ [customers’] data as well. While this breach will just be an inconvenience for most, others may have serious brand damage from impersonated sites or an actual breach.”
GoDaddy’s Cyberattack-Rich History
Since 2018, the domain registrar has made headlines with five security incidents, all having started with phishing and fishing.
“Due to its history with cyber-incidents, GoDaddy has become an easy target,” said Nick Tausek, security solutions architect at Swimlane. “It operates 35,000 servers hosting more than five million websites, with millions of people relying on its services for the day-to-day operations of their businesses and hobbies. Because of the level of user dependency, repercussions can be severe when a situation like this presents itself.”
The company did not disclose any other details regarding the latest incident.