GoDaddy Data Breach Exposes 1.2 Million Active and Inactive Managed WordPress Hosting Accounts

In a disclosure to the U.S. Securities and Exchange Commission (SEC) that was published today, GoDaddy announced a data security breach impacting its WordPress managed hosting customers. The company discovered unauthorized third-party access to its hosting environment on November 17, 2021, through an exploited vulnerability.

GoDaddy’s initial investigations show the attacker gained access using a compromised password beginning on September 6, 2021. Nearly every sensitive data point associated with hosting a WordPress website was compromised, including customer email addresses, admin passwords, sFTP and database credentials, and SSL private keys. GoDaddy published the following summary of data the attacker had access to for more than two months:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
  • For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
  • For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

GoDaddy has more than 20 million customers but only the managed WordPress hosting accounts were affected by this breach. Looking further into the incident, Wordfence claims that GoDaddy was storing sFTP credentials as plaintext, although GoDaddy has not officially confirmed it:

GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.

We confirmed this by accessing the user interface for GoDaddy Managed Hosting and were able to view our own password…When using public-key authentication or salted hashes, it is not possible to view your own password like this because the hosting provider simply does not have it.

GoDaddy’s stock tumbled after the SEC disclosure got picked up by major news organizations, finishing down 5.25%. The company emailed its customers to notify them that their accounts may have been compromised during the two months when the attacker had unauthorized access.

The incident has damaged customers’ trust and puts developers and agencies in an uncomfortable position if they are required to notify their customers about the breach. Impacted site owners will need to watch for malware, suspicious activity, and potential phishing attacks.

Godaddy says it has already taken steps to further secure its provisioning system and is continuing its investigation with the help of an IT forensics firm and law enforcement.

17

17 responses to “GoDaddy Data Breach Exposes 1.2 Million Active and Inactive Managed WordPress Hosting Accounts”

  1. This is really shocking news. I also have blogs hosted on Managed WordPress hosting of Godaddy. Yesterday My WordPress admin password was also compromised and I have changed it. I will definitely move my blogs to new a and reliable hosting provider.

    Regards,
    Vishwajeet Kumar

    Report

  2. Seriously, while some providers are better than others, this is a fact of life when it comes to self-hosting. It is simply more risky in terms of security than a hosted proprietary platform. That’s the trade-off for flexibility.

    I’m sorry for all those affected. I wonder how Pagely employees feel. Imagine one day you wake up to find that you now work for GoDaddy. Then, a few days later the “‘managed” WordPress product is hacked to the tune of 1,200,000 accounts.

    Actually, I wonder how comfortable Pagely customers feel right now. I’d be picking up my site and running for my life. Which is exactly what I had to do after Media Temple and Sucuri were acquired. Degradation was too quick for my comfort.

    Good night and good luck.

    Report

    • … more risky in terms of security than a hosted proprietary platform.

      Erm, nope. Any platform is at risk at any time. Some proprietary platforms think, they would be somehow more safe, because nobody would know their code, but that’s of course a basic fail in security assessment.

      Report

    • You do realise that this incident exactly contradicts your first point.

      WordPress itself was not vulnerable. What failed was the proprietary part of the managed WordPress service.

      Otherwise you are right, more poor outcomes from a poor company.

      Report

  3. I asked the ManageWP helpdesk if their service was exposed as well, since they are a GoDaddy company. Luckily this seems not to be the case:

    ManageWP accounts were unaffected in the GoDaddy security breach. We do not store credentials in our system, and the data we do store (like backups) is encrypted.

    Report

  4. Seeing how Godaddy is handling these issues, knowing them well, and most of you are fast to jump! It just shows your corrector as a person! GoDaddy always has and will be a target for hackers! I have been with Godaddy for many years and have over 200 websites built with them and WordPress! Yes, this is an alarming issue to deal with! But one thing I will say about GoDaddy is when they have problems and fix them, they never go through it again! Why? Cause they learn from what happens with each attack! Jumping may be a temp move, but overall, GoDaddy is still at the top of their game cause they learn from their mistakes, fix them fast, and make it better each time! So I think you will make a big mistake by quick judgments and withdraw over this temp issue! This is my opinion, of course! But if it had been any other company than GoDaddy, I would be jumping myself along with you all! But with over 15 years working with GoDaddy & WP hosting, you be a fool to jump now! Yes, I had 15 of my website go down and had my customers all change their passwords and login info! Not one has said to me to move their website to other hosting! They trust my team and me as we all have and will still trust in GoDaddy and WP! I am building right now seven new websites for customers, all with GoDaddy and WP still! By the time you all jump and change, the issue will be fixed and moving on! See, while I am posting this, 5 of my websites are back up and looking good! Thank You for letting me post with you all today!

    Report

    • “Cause they learn from what happens with each attack! Jumping may be a temp move, but overall, GoDaddy is still at the top of their game cause they learn from their mistakes”

      I dunno, I guess I like my hosts to not be insecure in the first place. Holding secure information in plaintext is just simply wrong and GoDaddy should never have put their customers in this situation in the first place, imo.

      I’m not sure even sure we can be confident that they learn from their mistakes either…

      “In 2017, the company revoked thousands of SSL certificates after issuing them without proper checks and authorization. In January 2019, an independent researcher found a vulnerability in its process for handling DNS change requests that enabled hackers to hijack domains and create phishing campaigns. It also notified customers of a hack that exposed SSH login details in the same year.” (https://www.itpro.co.uk/security/data-breaches/361624/godaddy-data-breach-exposes-over-12-million-customer-details)

      Or is this acceptable because you consider each one to be a separate breach that you’ll forgive? What does GoDaddy have to do in this case to damage your trust?

      Report

  5. First of all, GoDaddy is the big Daddy of hosting and domains. Of course hackers and evil doers will target it. Why would they hack a small company from let’s say Moldova? A tiny country in Eastern Europe.
    If you are going to hack, you hack a bigger company that has bigger database.

    For the average Joe, GoDaddy is fine.

    Disclosure: I had domains with GoDaddy in the past, I no longer due to selling those domains to someone else years down the road. Last time I had a domain with GoDaddy was in 2016 or 2017 I think.

    Other hosting/domain registrar companies have been hacked. Change your passwords and move on.

    So many people have weak passwords anyways.

    Report

  6. I received the email. First, I have no idea what account was on Managed Hosting with them. I don’t use them. Maybe some client site from years ago? Also, “the password you first used when setting up your WordPress Admin login.” Seriously?! We’re supposed to keep/know what original passwords were? I guess the only thing not to worry about is that I use strong/unique pws. But now my email and other data is out there. They just suck.

    Report

  7. Wordfence is reporting that other web hosts that resell GoDaddy’s Managed WordPress product are affected to some degree as well:

    tsoHost
    Media Temple
    123Reg
    Domain Factory
    Heart Internet
    Host Europe

    Report

  8. SiteGround seems to be offering a really decent managed WP, anything can get hacked. So its best to have a prevnetion plan rather than assuming this will never happen. I am sure GD will sort it but they for me were always a budget hosting option. WPE or SiteGround, but WPE are super annoying constantly spamming sales as tickets.

    Report

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newsletter

Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: