GoDaddy security breach leaves WordPress users’ data exposed

Web hosting company GoDaddy announced on November 22 that the email addresses of up to 1.2 million active and inactive Managed WordPress customers were exposed when an unauthorized third party gained access.

"We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement," Demetrius Comes, GoDaddy Chief Information Security Officer said in the company's SEC filing. "Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress."

GoDaddy said it blocked the unauthorized third party from its system as soon as it discovered the incident on November 17. The hosting company's investigation is ongoing, but it determined the breach began on September 6, 2021. The unauthorized third party exploited the vulnerability in GoDaddy's system to access Managed WordPress customers' email addresses and customer numbers, leaving those customers vulnerable to phishing attacks.

How GoDaddy is remedying the situation
GoDaddy's investigation into the data breach is ongoing, but the company has taken some initial steps to resolve the issue. The company stated that the original WordPress Admin password that was in place at the time was exposed. The company reset those passwords if the credentials were still being used. Additionally, GoDaddy reset passwords for active customers in the event that their database usernames and passwords were exposed. Lastly, the company is working to issue and install new certificates for any active customers whose Secure Sockets Layer (SSL) private key was exposed.

The company is contacting all of its impacted customers directly with specific details. GoDaddy also invites customers to contact the company through its help center.

"We are sincerely sorry for this incident and the concern it causes for our customers," Comes said in his statement. "We, GoDaddy leadership and employees, take our responsibility to protect our customers' data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection."

Is GoDaddy's customers' data safe from exposure now?
Yes, GoDaddy reset affected customers' passwords, but that does not guarantee that users are 100% in the clear, according to Search Engine Journal. The site notes that the breach began in early September, but GoDaddy did not discover it until November 17. That leaves two months during which customers' websites could have been infected with corrupt files that are still present. Changing affected websites' passwords is just the first step after a breach. A complete security scan should also be done to ensure that affected websites don't have any backdoors, Trojans or malicious files.

Search Engine Journal also reported GoDaddy has not said what it would do beyond resetting passwords, such as finding and repairing compromised databases, removing rogue admin accounts or deleting any malicious scripts that might have been uploaded. There's also the question of whether any of the ecommerce sites GoDaddy hosts had private customer data compromised.
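A first pass at the checks named above (leftover malicious files and rogue admin accounts) can be scripted by a site owner. The following is an added example, not code from GoDaddy or Search Engine Journal: only the September 6 to November 17 window comes from the article, while the file names, user rows and the two review rules are constructed assumptions.

```python
import os
from datetime import datetime, timezone
from pathlib import Path

# Exposure window from the article: access began 2021-09-06, found 2021-11-17.
START = datetime(2021, 9, 6, tzinfo=timezone.utc)
END = datetime(2021, 11, 18, tzinfo=timezone.utc)  # exclusive, covers Nov 17

def triage_files(site_root):
    """Return (relative path, reason) for PHP files that need manual review."""
    root, findings = Path(site_root), []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP in uploads directory"))
        elif START <= mtime < END:  # heuristic only: mtimes can be altered
            findings.append((rel, "modified during exposure window"))
    return findings

def triage_admins(rows):
    """rows: wp_users joined with each user's wp_capabilities usermeta value."""
    flagged = []
    for row in rows:
        # WordPress stores user_registered as a UTC "YYYY-MM-DD HH:MM:SS" string.
        registered = datetime.strptime(
            row["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if "administrator" in row["capabilities"] and START <= registered < END:
            flagged.append(row["user_login"])
    return flagged

ADMIN = 'a:1:{s:13:"administrator";b:1;}'  # PHP-serialized role array
SAMPLE_USERS = [  # constructed rows, not real accounts
    {"user_login": "owner", "user_registered": "2019-03-02 10:00:00", "capabilities": ADMIN},
    {"user_login": "wp_support2", "user_registered": "2021-09-20 04:12:55", "capabilities": ADMIN},
]
SAMPLE_FILES = {  # constructed tree: path -> modification time
    "wp-login.php": datetime(2021, 7, 1, tzinfo=timezone.utc),
    "wp-content/themes/demo/functions.php": datetime(2021, 10, 3, tzinfo=timezone.utc),
    "wp-content/uploads/2021/10/img.php": datetime(2021, 7, 1, tzinfo=timezone.utc),
}

def build_sample_site(root):
    # Write the constructed tree under root and set each file's mtime.
    for rel, when in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // placeholder\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
```

A clean result here is inconclusive, because modification times and registration dates can be rewritten; flagged items are a starting list for manual review and for comparison against known-good copies of core, theme and plugin files.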

What should a company do after a data breach?
In this instance, a hack of GoDaddy's system left its customers vulnerable and the company is ultimately responsible for addressing the issue. That does not mean companies should just wait for GoDaddy to finish its investigation and password resets. There are a number of steps businesses can take after a data breach, according to the Federal Trade Commission (FTC):

  • Stop any more data loss: Take any affected equipment offline right away, but don't turn the machines off until forensic experts can look at them. Put in clean machine replacements if possible and update authorized users' credentials and passwords. Your system will remain vulnerable until you make that change.
  • Secure your operations: Lock any physical areas that might be related to the breach and change access codes if necessary. You should also get your breach response team together to minimize any further data loss. Your expert team size will vary depending on your company's makeup.
  • Address any vulnerabilities: If your breach was service provider related like this GoDaddy case, look at what information the provider has access to and decide if you need to reduce or alter that access. Confer with your provider to ensure they're doing everything on their end to keep this from happening again.
  • Notify the appropriate parties: Everyone has a right to know if their data has been compromised. Inform anyone who your data breach might have impacted, like your customers or other businesses that your company deals with. You should also notify law enforcement as soon as possible to alert them to the situation and the identity theft risk.

How to avoid data breaches
Unfortunately, a hacker's work is never done, but there are preventive measures individuals and businesses can take to decrease the likelihood that they fall victim to a data breach. Ignoring attachments or links in emails from senders you don't recognize is one of the best ways to avoid a breach, according to AmTrust Financial.

Creating strong, different passwords for various accounts can also help keep company and customer information safe. Remember, GoDaddy's current issues stemmed from a compromised password.

Here at the Inventu Corporation, we equip organizations of all sizes with a revolutionary web terminal emulation tool called Inventu Viewer+, a high performance emulation solution that is built with C at its core. Inventu Viewer+ supports SAML 2.0 and other identity technologies to enable securing your critical mainframe applications. This allows deployment of reliable and safe software using clean HTML and JavaScript hosted on secure Windows servers.  All in all, the Inventu Viewer+ web terminal emulation meets employer and staff expectations in a way that feels both familiar and simple. Contact us today and see how Inventu can help you integrate your active terminal emulation with the best web identity frameworks available.