In a filing last Monday with the Securities and Exchange Commission, GoDaddy Chief Information Security Officer Demetrius Comes said that on November 17, 2021, the hosting company detected unauthorized third-party access to its Managed WordPress hosting environment.
After consulting law enforcement and bringing in an IT forensics firm for further investigation, GoDaddy determined that the third party had used a compromised password to gain access to the provisioning system in the legacy code base for Managed WordPress.
GoDaddy provides Managed WordPress hosting for users who want to create and run their own WordPress blogs and websites. Put simply, the “managed” part means that GoDaddy handles the basic administrative tasks, including installing and updating WordPress and backing up hosted websites.
The breach has already led to a number of problems. First, the email addresses and customer numbers of around 1.2 million active and inactive Managed WordPress users were exposed. Second, the original WordPress Admin passwords set at the time of deployment were also exposed; GoDaddy has since reset them.
Third, the Secure File Transfer Protocol (sFTP) and database usernames and passwords were compromised and have been reset by the company. Fourth, the SSL private key was exposed for a number of active customers, which means that the company must issue and install new SSL certificates for those customers.
Comes explained that GoDaddy had already locked the third party out of its system. However, the company also found that the perpetrators had been using the compromised password since September 6, giving them more than two months inside the system before they were discovered.
The investigation is still ongoing. On behalf of the company, Comes has apologized for the breach and committed to improving GoDaddy’s provisioning system with more layers of protection.
However, the full extent of the damage caused by this breach has yet to be assessed. With so many accounts exposed, there is a very high probability that attackers will rush to exploit the stolen login credentials and other data to launch further attacks.