Site icon Sophos News

GoDaddy admits to password breach: check your Managed WordPress site!

Thanks to Naked Security reader Bryan for his help with this article.

The US Securities and Exchange Commission (SEC) has just published a “Security Incident” submitted last week by Web services behemoth GoDaddy.

GoDaddy says that on 17 November 2021 it realised that there were cybercriminals in its network, kicked them out, and then set about trying to figure out when the crooks got in, and what they’d managed to do while they were inside.

According to GoDaddy, the crooks – or the unauthorised third party, as the report refers to them:

Additionally, GoDaddy stated that default WordPress admin passwords, created when each account was opened, were accessed, too, though we’re hoping that few, if any, active users of the system had left this password unchanged after setting up their WordPress presence.

(Default starting passwords generally need to be sent to you somehow in cleartext, often via email, specifically so you can login for the first time to set up a proper password that you chose yourself.)

GoDaddy’s wording states that “sFTP […] passwords were exposed”, which makes it sound as though those passwords had been stored in plaintext form.

We’re assuming, if the passwords had been salted-hashed-and-stretched, as you might expect, that GoDaddy would have reported the breach by saying so, given that properly-hashed passwords, once stolen, still need to be cracked by the attackers, and with well-chosen passwords and a decent hashing process, that process can take weeks, months or years.

Indeed, researchers at WordFence, a company that focuses on WordPress security, say that they were able to read out their own sFTP password via the official MWP user interface, something that shouldn’t have been possible if the passwords were stored in a “non-reversible” hashed form.

https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/

What could have happened to affected websites?

GoDaddy has now reset all affected passwords, and says it’s in the process of replacing all potentially stolen web certificates with freshly generated ones.

GoDaddy is also in the process of contacting as many of the 1,200,000 affected users at it can. (Customers who can’t be contacted due to incorrect or outdated details may not actually receive GoDaddy’s alerts, but there’s not a lot GoDaddy can do about that.)

This is a useful response, and GoDaddy hasn’t dithered over getting it out, given that the breach was first spotted just five days ago.

(The company also issued an uncomplicated and unqualified apology, as well as saying that “we will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection”, which is a refreshing change from companies that start off by telling you how strong their protection was even before the incident.)

However, with ten weeks in hand before getting spotted, the criminals in this attack could have used the compromised sFTP passwords and web certificates to pull off further cybercrimes against MWP users.

In particular, crooks who know your sFTP password could, in theory, not only download the files that make up your site, thus stealing your core content, but also upload unauthorised additions to the site.

Those unauthorised website additions could include:

Also, crooks with a copy of your SSL/TLS private key could set up a fake site elsewhere, such as an investment scam or a phishing server, that not only claimed to be your site, but also actively “proved” that it was yours by using your very own web certificate.

What to do?

By the way, we’re hoping, if GoDaddy was indeed storing sFTP passwords in plaintext, that it will stop doing so at once, and contact all its MWP customers to explain what it is now doing instead.


Exit mobile version