UPDATE: Nov. 24, 2021: The massive breach at GoDaddy has directly impacted several WordPress resellers, the web hosting provider and domain registrar confirmed via email.
"The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost," a spokesperson for GoDaddy said via email. "A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action."
- After detecting suspicious activity, GoDaddy and an IT forensics team discovered a data breach that exposed the emails and customer numbers of up to 1.2 million managed WordPress customers, according to an 8-K filing with the Securities and Exchange Commission. The company has contacted law enforcement.
- An unauthorized third party used a compromised password to access the company's WordPress hosting environment between Sept. 6 and Nov.17, when the breach was discovered, according to the disclosure from Demetrius Comes, CISO at GoDaddy. The threat actor accessed GoDaddy's provisioning system in the legacy code base for managed WordPress. The original admin password set at the time of provisioning was exposed. If those credentials were still in use, the passwords have been reset.
- The SFTP and database usernames and passwords were exposed for active customers, GoDaddy said. For a subset of private customers however, the SSL private key was exposed as well. The company is currently issuing and installing new certificates for those customers.
Comes apologized to customers and said the company takes the responsibility of securing data very seriously.
"We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection," Comes said.
The incident marks the second significant security breach at GoDaddy in about two years. In May 2020, GoDaddy disclosed a data breach that took place in October 2019, which impacted 28,000 customers.
A breach such as the GoDaddy attack can put business and consumers at risk of phishing attacks, identify theft and credit card fraud, according to Steve Turner, analyst of security and risk at Forrester.
"This also exposes people who were impacted to advanced attacks where the adversaries can craft very targeted campaigns based on the data that they've gleaned from these Wordpress databases, which would allow them to impersonate the merchants or others down to the extreme detail," Turner said in an email.
Businesses should purge customer data that isn't currently being used to lower the potential downstream risk of the breach, which revealed information related to current and past customers.
From an enterprise standpoint, the GoDaddy breach is an illustration of why identity is the security perimeter and is constantly under attack, according to Gartner Research VP Peter Firstbrook.
"This attack, along with the Nobelium attacks, the recent Azure CosmosDB vulnerability and numerous other examples, demonstrate why we should expect sustained attacks on the identity system," Firstbrook said. "Enterprise security managers must improve their focus on identity detection and response."
GoDaddy did not return a request for comment.