Compromised Password Leads to Hack of GoDaddy’s Managed WordPress Service


Administrators of WordPress sites using GoDaddy’s managed WordPress hosted service are urged to change their passwords and watch for phishing attacks after the provider admitted it was hacked last week.


The way the attacker entered: a compromised password.

In a filing made today with the United States Securities and Exchange Commission (SEC), Demetrius Comes, chief information security officer at GoDaddy, said that an attacker used a compromised password to access the provisioning system for the Managed WordPress service, and was inside from September 6 until the intrusion was discovered on November 17. The following customer information was exposed:

– The original WordPress administrator password set at the time of provisioning was exposed. Where those credentials were still in use, GoDaddy has reset the passwords;

– Up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer numbers exposed. Exposed email addresses create a risk of phishing attacks, the vendor said;

– For active customers, sFTP and database usernames and passwords were exposed. GoDaddy has reset both sets of passwords;

– For a subset of active customers, the SSL private key was exposed. GoDaddy is in the process of issuing and installing new certificates for those customers.

“Our investigation is ongoing and we are contacting all affected customers directly with specific details,” the GoDaddy statement said. “Customers can also contact us through our help center, which includes country-specific phone numbers.

“We are sincerely sorry for this incident and the concern it causes for our customers. We, the officers and employees of GoDaddy, take our responsibility to protect our customers’ data very seriously and never want to let you down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”


It appears that GoDaddy stored sFTP credentials either in plain text or in a format that could be reversed to plain text, commented Wordfence, which sells WordPress security products. “They did this rather than using a salted hash or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker to directly access the password credentials without needing to decrypt them.”

Wordfence says it confirmed this theory by going to the GoDaddy Managed Hosting user interface and determining that it was able to display its own password. “When using public key authentication or salted hashes, it is not possible to show your own password like this because the hosting provider just doesn’t have it.”
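The following is an added example, not code from GoDaddy or Wordfence, illustrating the distinction Wordfence draws above: a store that keeps credentials in a reversible form can hand the plaintext back (which is why a "show my password" button works), whereas a store that keeps only a per-user salt and a memory-hard hash can verify a login but cannot display the secret. The class names, the use of base64 as a stand-in for any reversible encoding or provider-held-key encryption, and the scrypt parameters are all my own assumptions; a production system should use a vetted library such as argon2-cffi or bcrypt rather than hand-rolled code.

```python
"""Reversible credential storage versus a salted, memory-hard hash.

Added example (not GoDaddy's or Wordfence's code). Class names and scrypt
parameters are assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Tuple


class ReversibleStore:
    """Stand-in for what Wordfence's observation implies: the provider holds
    the secret in a recoverable form, so the UI can print it back. Base64
    here represents any reversible encoding or encryption whose key the
    provider itself holds."""

    def __init__(self) -> None:
        self._creds: Dict[str, bytes] = {}

    def set_password(self, user: str, password: str) -> None:
        self._creds[user] = base64.b64encode(password.encode())

    def verify(self, user: str, password: str) -> bool:
        stored = self._creds.get(user)
        return stored is not None and hmac.compare_digest(
            stored, base64.b64encode(password.encode()))

    def show_password(self, user: str) -> str:
        # Anyone who can read this table (or the UI backed by it) gets the secret.
        return base64.b64decode(self._creds[user]).decode()


class HashedStore:
    """Salted scrypt hash (RFC 7914, via hashlib). The provider can check a
    login attempt but has no way to display the password."""

    # Assumed parameters: n=2**14, r=8, p=1 is a common interactive-login
    # setting (about 16 MiB of memory per hash); tune upward on server hardware.
    N, R, P, DKLEN = 2 ** 14, 8, 1, 32

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt,
                              n=self.N, r=self.R, p=self.P, dklen=self.DKLEN)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
        self._creds[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        rec = self._creds.get(user)
        if rec is None:
            # Burn the same cost for unknown users so they are not
            # distinguishable from known users by response time.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._derive(password, salt))

    def show_password(self, user: str) -> str:
        raise LookupError("plaintext is not stored; only a salted hash is")


def can_display_password(store, user: str = "wp_admin") -> bool:
    """The 'tell' Wordfence used: can the provider print a user's password?"""
    try:
        store.show_password(user)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    for cls in (ReversibleStore, HashedStore):
        s = cls()
        s.set_password("wp_admin", "hunter2")  # constructed sample credential
        print(cls.__name__, "verify:", s.verify("wp_admin", "hunter2"),
              "can display:", can_display_password(s))
```

The practical check for a hosting customer is the same one Wordfence ran: if the control panel can reveal your current sFTP or database password rather than only letting you set a new one, the provider is holding it in recoverable form, and a breach of that system exposes it directly. For sFTP specifically, public-key authentication removes the stored secret entirely; the server keeps only the public half.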


The incident shows that security isn’t something you can ask another company to do, said Rick van Galen, security engineer at Toronto-based 1Password. Being resilient against breaches involves following best online security practices, including the use of password managers, he said in a statement.

“A breach of this size is especially dangerous during the holidays,” said Ed Williams, director of Trustwave SpiderLabs. “Hackers try to take advantage of every new email address and password exposed to launch phishing attacks and social engineering campaigns. Businesses, SMBs, and individuals using frequently targeted platforms like WordPress should ensure they follow strong password best practices: complexity, frequent password changes, not sharing passwords between applications, and multi-factor authentication. If possible, use an authenticator app to secure your account instead of traditional SMS two-factor authentication, as hackers have recently targeted users with specialized SMS phishing.”


Ian McShane, field technical director for managed security provider Arctic Wolf, noted that although GoDaddy is a billion-dollar company that presumably spends well on cybersecurity, the attacker was in its environment for 72 days. “While it is often said that mean time to detection (MTTD) figures are inflated (208 days in the last Ponemon report) and do not reflect the reality of a non-state attacker, this person managed to avoid being caught for over two months.

“The number of affected accounts – 1.2 million – is so large that it looks like this would have been a lucrative ransomware opportunity, so there could be more to come from this story, especially as we’ve seen more and more breaches turn into ransomware and extortion sagas.”


Robert Prigge, CEO of Jumio, said the breach highlights the inherent weakness of using passwords to authenticate users. Just over 60% of data breaches in 2020 involved the use of stolen credentials, he said.

“With user email addresses, credentials for WordPress databases, and SSL private keys exposed in this breach, cybercriminals have everything they need to carry out phishing attacks or impersonate customer websites and services. Resetting passwords and private keys is simply not enough to protect the 1.2 million users affected by this breach. Instead, online organizations should look to a more secure alternative like biometric authentication (leveraging a person’s unique human traits to verify identity), which confirms that the user logging in is the account holder and ensures that personal data is protected from cybercriminals.”

The post Compromised Password Leads to Hack of GoDaddy’s Managed WordPress Service first appeared on IT World Canada.

This section is powered by IT World Canada. ITWC covers the business IT spectrum, providing news and information for IT professionals aiming to succeed in the Canadian market.
