Another enormous cybersecurity incident has hit domain registrar GoDaddy. The large-scale data breach is the fifth “injury” the company has had since 2018. This time, 1.2 million GoDaddy customers were affected, after an unauthorized third-party successfully infiltrated its systems on September 6.
The threat actor continued to have access for nearly two and a halfmonth, before the web hosting company noticed the breach on November 17.
This is when GoDaddy “noticed suspicious activity” in their Managed WordPress hosting environment. An investigation was initiated shortly after, with the help of an IT forensics firm. Law enforcement was also contacted.
Update November 24, 2021
It turns out that GoDaddy resellers were affected by the data breach we reported yesterday, in particular 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. “A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action,” said Dan Rice, VP of Corporate Communications at GoDaddy.
How did the GoDaddy data breach happen?
The unknown threat actor used a compromised password to gain a foothold in the provisioning system in the company’s legacy code base for Managed WordPress.
As a result, at least 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed, GoDaddy said in the official breach notice This puts exposed customers of a high risk of phishing attacks.
What else has been exposed?
“The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords,” the web hosting company added. sFTP and database credentials were also exposed for active customers. Both passwords had to be reset.
“For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers,” the company added.
The investigation is still ongoing, and impacted customers are being contacted with specific details. If you are affected by the data breach, you can contact the company via their help center.
It is curious to mention that GoDaddy is one of the companies that helped create the Sunburst malware kill switch. Following the discovery of the malware and given the severity of the situation, a joint team of experts from Microsoft, GoDaddy, and FireEye devised the so-called kill switch to stop the malware from propagating further.