Today isn’t a good day to be a GoDaddy customer. Especially ones who use WordPress on GoDaddy. That’s because the company admitted to a massive data breach that exposed a massive amount of customers to the possibility of pawnage:
In a filing with the Securities and Exchange Commission, GoDaddy’s chief information security officer Demetrius Comes said the company detected unauthorized access to its systems where it hosts and manages its customers’ WordPress servers. WordPress is a web-based content management system used by millions to set up blogs or websites. GoDaddy lets customers host their own WordPress installs on their servers.
GoDaddy said the unauthorized person used a compromised password to get access to GoDaddy’s systems around September 6. GoDaddy said it discovered the breach last week on November 17. It’s not clear if the compromised password was protected with two-factor authentication.
I am going to go out a limb and say that the password in question was not protected with two-factor authentication. But I am free to be proven wrong. In any case, there’s more:
The filing said that the breach affects 1.2 million active and inactive managed WordPress users, who had their email addresses and customer numbers exposed. GoDaddy said this exposure could put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password created when WordPress was first installed, which could be used to access a customer’s WordPress server, was also exposed.
The company said that active customers had their sFTP credentials (for file transfers), and the usernames and passwords for their WordPress databases, which store all the user’s content, exposed in the breach. In some cases, the customer’s SSL (HTTPS) private key was exposed, which if abused could allow an attacker to impersonate a customer’s website or services.
Oh boy. This is not trivial. And what makes this worse is GoDaddy also owns Sucuri which besides being the business of securing websites among other things, ironically offers up advice on how to secure WordPress sites. Regardless, this is not a good look for GoDaddy and it is a safe bet that company will have a lot of explaining to do over the coming days.