Thanks to Naked Security reader Bryan for his help with this article.
The US Securities and Exchange Commission (SEC) has just published a “Security Incident” submitted last week by Web services behemoth GoDaddy.
GoDaddy says that on 17 November 2021 it realised that there were cybercriminals in its network, kicked them out, and then set about trying to figure out when the crooks got in, and what they’d managed to do while they were inside.
According to GoDaddy, the crooks – or the unauthorised third party, as the report refers to them:
- Had been active since 06 September 2021, a ten-week window.
- Acquired email addresses and customer numbers of 1,200,000 Managed WordPress (MWP) customers.
- Got access to all active MWP usernames and passwords for sFTP (secure FTP) and WordPress databases.
- Got access to SSL/TLS private keys belonging to some MWP users. (The report just says “a subset of active users”, rather than stating how many.)
Additionally, GoDaddy stated that default WordPress admin passwords, created when each account was opened, were accessed, too, though we’re hoping that few, if any, active users of the system had left this password unchanged after setting up their WordPress presence.
(Default starting passwords generally need to be sent to you somehow in cleartext, often via email, specifically so you can login for the first time to set up a proper password that you chose yourself.)
GoDaddy’s wording states that “sFTP […] passwords were exposed”, which makes it sound as though those passwords had been stored in plaintext form.
We’re assuming that if the passwords had been salted, hashed and stretched, as you might expect, GoDaddy would have said so in its report, given that properly hashed passwords, once stolen, still need to be cracked by the attackers, and with well-chosen passwords and a decent hashing process, that cracking can take weeks, months or years.
Indeed, researchers at Wordfence, a company that focuses on WordPress security, say that they were able to read out their own sFTP password via the official MWP user interface, something that shouldn’t have been possible if the passwords were stored in a “non-reversible” hashed form.
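To make the distinction concrete, here is an added example (ours, not GoDaddy’s or Wordfence’s code) contrasting the two storage schemes described above. The plaintext record is the kind of storage a “show me my password” button requires; the salted-and-stretched record uses PBKDF2-HMAC-SHA256 from Python’s standard library, with the iteration count and field names being illustrative choices of this example rather than anything the article specifies.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2. This is an illustrative value for the example;
# production systems tune it to their hardware (or use scrypt/Argon2).
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32


def store_plaintext(password: str) -> dict:
    """The weak scheme the article suspects: the record *is* the credential.
    Anyone who can read the record (a UI that displays your password, or an
    intruder dumping the table) has the password with no cracking needed."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str) -> dict:
    """Salted, hashed and stretched: a fresh random salt per record and a slow
    KDF, so a stolen record still has to be cracked one guess at a time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt against either kind of record.
    Constant-time comparison avoids leaking how many bytes matched."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode(), attempt.encode())
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
        dklen=KEY_LEN,
    )
    return hmac.compare_digest(bytes.fromhex(record["hash"]), digest)


def can_reveal_password(record: dict) -> bool:
    """Could a 'display my current password' feature be built on this record?
    Only if the record is reversible, i.e. stores the password itself."""
    return record["scheme"] == "plaintext"


if __name__ == "__main__":
    weak = store_plaintext("correct horse battery staple")
    strong = store_hashed("correct horse battery staple")
    print("plaintext record:", weak)
    print("hashed record:   ", strong)
    print("verify OK:", verify(strong, "correct horse battery staple"))
    print("verify wrong:", verify(strong, "Tr0ub4dor&3"))
    print("UI could show password? plaintext:", can_reveal_password(weak),
          "hashed:", can_reveal_password(strong))
```

The point of the `can_reveal_password` check is the Wordfence observation: a system that can display your existing password back to you cannot be storing it in a non-reversible form, whatever else it does. Note also that two hashed records for the same password differ, because each gets its own salt, so a stolen table cannot be attacked with one precomputed list.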
What could have happened to affected websites?
GoDaddy has now reset all affected passwords, and says it’s in the process of replacing all potentially stolen web certificates with freshly generated ones.
GoDaddy is also in the process of contacting as many of the 1,200,000 affected users as it can. (Customers who can’t be contacted due to incorrect or outdated details may not actually receive GoDaddy’s alerts, but there’s not a lot GoDaddy can do about that.)
This is a useful response, and GoDaddy hasn’t dithered over getting it out, given that the breach was first spotted just five days ago.
(The company also issued an uncomplicated and unqualified apology, as well as saying that “we will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection”, which is a refreshing change from companies that start off by telling you how strong their protection was even before the incident.)
However, with ten weeks in hand before getting spotted, the criminals in this attack could have used the compromised sFTP passwords and web certificates to pull off further cybercrimes against MWP users.
In particular, crooks who know your sFTP password could, in theory, not only download the files that make up your site, thus stealing your core content, but also upload unauthorised additions to the site.
Those unauthorised website additions could include:
- Backdoored WordPress plugins to let the crooks sneak back in again even after your passwords are changed.
- Fake news that would embarrass your business if customers were to come across it.
- Malware directly targeting your site, such as cryptomining or data stealing code designed to run right on the server.
- Malware targeting visitors to your site, such as zombie malware to be served up as part of a phishing scam.
Also, crooks with a copy of your SSL/TLS private key could set up a fake site elsewhere, such as an investment scam or a phishing server, that not only claimed to be your site, but also actively “proved” that it was yours by using your very own web certificate.
What to do?
- Watch out for contact from GoDaddy about the incident. You might as well check that your contact details are correct so that if the company needs to send you an email, you’ll definitely receive it.
- Turn on 2FA if you haven’t already. In this case, the attackers apparently breached security using a vulnerability, but getting back into users’ accounts later with exfiltrated passwords is much harder if the password alone is not enough to complete the authentication process.
- Review all the files on your site, especially those in WordPress plugin and theme directories. By uploading booby-trapped plugins, the attackers may be able to get back into your account later, even after all the original holes have been patched and stolen passwords changed.
- Review all accounts on your site. Another popular trick with cybercriminals is to create one or more new accounts, often using usernames that are carefully chosen to fit in with the existing names on your site, as a way of sneaking back in later.
- Be careful of anyone contacting you out of the blue and offering to “help” you to clean up. The attackers in this case made off with email addresses for all affected users, so those “offers” could be coming directly from them, or indeed from any other ambulance-chasing cybercrook out there who knows or guesses that you’re an MWP user.
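The two review steps above (files in plugin directories, and accounts on the site) are the kind of check that is easy to do badly by eye. Here is an added example of both, written for this article and not GoDaddy’s or WordPress’s own tooling: it hashes a plugin tree and diffs it against a trusted baseline manifest, and it flags user accounts whose registration date falls inside the intrusion window the article gives (06 September to 17 November 2021). The plugin file names, their contents and the user records are all constructed sample data; the `user_login`/`user_registered` field names follow the WordPress `wp_users` table layout, and the baseline manifest is assumed to come from a known-good copy of the site (a pristine plugin download or a pre-incident backup).

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Intrusion window stated in GoDaddy's report, as quoted in the article.
WINDOW_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 11, 17, tzinfo=timezone.utc)

# Constructed sample of a wp_users export; the "wp_support" row is a made-up
# example of an account that appeared during the window and deserves a look.
SAMPLE_USERS = [
    {"user_login": "editor", "user_registered": "2020-03-02 10:15:00"},
    {"user_login": "marketing", "user_registered": "2021-08-30 09:00:00"},
    {"user_login": "wp_support", "user_registered": "2021-10-04 03:12:41"},
]


def hash_tree(root: str) -> dict:
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared, or changed relative to the baseline.
    'added' is the interesting bucket for backdoored plugins; 'modified' catches
    code appended to a legitimate plugin."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def accounts_created_in_window(users, start=WINDOW_START, end=WINDOW_END) -> list:
    """Logins of accounts whose user_registered timestamp lies inside [start, end]."""
    flagged = []
    for user in users:
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if start <= registered <= end:
            flagged.append(user["user_login"])
    return flagged


def build_demo_trees(tmp: str):
    """Constructed 'baseline' and 'current' plugin trees for the demonstration."""
    baseline = os.path.join(tmp, "baseline", "plugins")
    current = os.path.join(tmp, "current", "plugins")
    original = {
        "example-plugin/example-plugin.php": b"<?php // original plugin code\n",
        "example-plugin/readme.txt": b"Example plugin\n",
    }
    for root in (baseline, current):
        for rel, data in original.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    # Simulated unauthorised changes in the live tree (constructed for the example):
    # a legitimate plugin file with extra code appended, and a plugin the owner
    # never installed.
    with open(os.path.join(current, "example-plugin", "example-plugin.php"), "ab") as fh:
        fh.write(b"// line that was not in the baseline\n")
    extra = os.path.join(current, "helper-cache", "helper-cache.php")
    os.makedirs(os.path.dirname(extra), exist_ok=True)
    with open(extra, "wb") as fh:
        fh.write(b"<?php // plugin not present in the baseline\n")
    return baseline, current


def run_review() -> dict:
    """Run both checks over the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline, current = build_demo_trees(tmp)
        file_report = diff_manifests(hash_tree(baseline), hash_tree(current))
    return {"files": file_report, "accounts": accounts_created_in_window(SAMPLE_USERS)}


if __name__ == "__main__":
    report = run_review()
    print("Added files:   ", report["files"]["added"])
    print("Modified files:", report["files"]["modified"])
    print("Removed files: ", report["files"]["removed"])
    print("Accounts registered in the intrusion window:", report["accounts"])
```

On a real site you would generate the baseline manifest from a source you trust (the plugin author’s release archive or a backup taken before 06 September 2021) and run `hash_tree` over the live `wp-content/plugins` and `wp-content/themes` directories. Anything in the `added` or `modified` buckets that you cannot account for is what the article means by a booby-trapped plugin, and a flagged account that nobody on your team recognises is the “sneak back in later” trick.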
By the way, we’re hoping, if GoDaddy was indeed storing sFTP passwords in plaintext, that it will stop doing so at once, and contact all its MWP customers to explain what it is now doing instead.
Bryan
My GD account rep says if I’ve not received an email by now (I’ve not), then my account was unaffected by the breach.
Fingers and toes are currently crossed, hoping she’s correct–and they’re not merely slow with the bad-news notification.
It boggles the mind that large vendors are still getting caught with this. Hasn’t it been 20 years or so that it’s fairly common knowledge within I.T. circles that plaintext passwords are a no-no?
Bryan
Well one week later–and I’ve still not received a “sorry, you were breached” notification.
Paul Ducklin
I assume that means you were not one of the 1.2 million… what isn’t clear is how many users of MWP there are altogether, and therefore what the probability is that any individual user was affected.
Bryan
(with apologies to Prince)
Tonight we’re storing passwords
Like it’s 1999