Do you have one or more GoDaddy-managed WordPress sites? Then you should definitely give this a read before it’s too late.
On 17th November 2021, it was discovered that an unknown attacker had managed to breach the accounts managed by GoDaddy. But shockingly enough, this breach wasn’t discovered in quite a number of days. It was discovered around 1.5 months after the attacker had managed to gain access. According to GoDaddy’s own complaint report, the initial breach had happened as early as 6th September 2021. This gave the attacker a solid chunk of time to collect an incredible amount of Person Identifiable Information (PII). What else could the attacker have done during this time? Read on to find out.
According to GoDaddy’s own estimates, around 1.2 million inactive and active users were affected by this breach. But is that all? GoDaddy fails to take into account the number of customers in each account who’s also vulnerable to theft of PII. From this perspective, the number of those affected increases exponentially.
What Did GoDaddy Do Wrong?
In most data breach scenarios, the company is nothing more than an unfortunate victim of circumstances. GoDaddy’s role in the breach cannot be dismissed that easily.
GoDaddy’s fatal mistake was this.
At Wrytx, we always use MD5 or hashed passwords, so that no hacker can decode the password you used to sign up for your account. This is exactly where GoDaddy went wrong. Using plaintext to store passwords instead of using salted hash or public key (MD5). In situations where it didn’t use plaintext, it used a format that could easily be turned back into plaintext.
Using the salted hash format is one of the best ways to protect your users’ passwords. It encrypts the password into a long string of characters and digits that cannot be stolen very easily. Public key authentication replaces the regular password with a cryptographic key. This, too, is almost impossible to steal.
GoDaddy however made use of neither of these formats. Obviously, the use of plaintext while storing sFTP meant that the passwords were pretty vulnerable to exposure anyway.
Another problem was that GoDaddy was pretty open about the fact that it stored sFTP as plaintext. So this cannot even be narrowed down to the category of an insider breach. Anyone who accesses GoDaddy-managed WordPress accounts can easily see their own password after typing it. This feature itself declares loudly to the world that passwords were being stored as plaintext. If they had made use of a public key or a salted hash, you would not have been able to see your own password.
On the other hand, GoDaddy did make use of port 22. This meant that they were using Secure File Transfer Protocol. SFF is known as one of the most well guarded and secure ways to transfer files. Why they would pair this practice with storing passwords as plaintext is extremely questionable.
Not just this. The password that is meant to guard the read/write access to the whole file system itself was also stored as plaintext.
It must be noted that GoDaddy did take responsibility for this less-than-secure practice in their report. However, most WordPress sites have this same problem of storing sFTP as plaintext. GoDaddy was not an anomaly.
How Can You Be Affected Through GoDaddy’s Breach?
First, you have to understand what data the attacker has access to. The email addresses of both the GoDaddy-managed WordPress users and their customers lie bare to the attacker. This itself makes the attacker capable of launching several phishing attacks. But not that’s not all. The attacker also has access to tons of Personally Identifiable Information. This data is priceless and includes information on e-commerce customers. There is very little possibility that this won’t be sold.
The more concerning problem is the fact that the attacker had 1.5 months of time to launch further attacks. He could have installed malware or problematic plugins. The attacker also had enough time to add a malicious admin account. In this scenario, the attacker does not need to fear a change of passwords. They have firmly planted themselves into your account and cannot be removed easily.
The attacker could also have decrypted the traffic between the affected site and a site visitor. This would be possible if the attacker gained access to the SSL private key of the site. The process of intercepting the traffic is known as a Man-in-the-Middle (MITM) attack.
And of course, last but definitely not least, the attacker has access to all the passwords. This is not great for those who reuse the same passwords on different sites. The attacker has had more than enough time to breach other accounts that use the same password.
What Is To Be Done Now After GoDaddy’s Breach?
Notify Your Customers
Unless you have some concrete evidence to prove otherwise, assume that your GoDaddy-managed WordPress account has been breached. If this is the case, you must waste no time in informing your customers of the breach. After all, their Personally Identifiable Information has been compromised as well.
This one is obvious. However, it is also up to GoDaddy to change their password storing method. On your end, you must not only change your own password but also inform your customers to change theirs.
Change Reused Passwords
Are you using the same password for multiple sites like Gmail, Facebook, etc? You need to change them immediately. Otherwise, the attacker can easily gain access to those as well. Consequently, inform your customers to change their reused passwords also.
Enable 2-Factor Authentication
A 2-Factor Authentication might not be a foolproof method but it does deter attackers effectively. Install the Wordfence plugin that allows you to have a 2-Factor Authentication for WordPress accounts. This feature is free.
Check For Malicious Admin Accounts
As I have mentioned before, the attacker can just keep crouching, undiscovered, in your site via an admin account. Make sure you thoroughly check your site for any such anomalies before and even after you change your password.
Check For Malware
Using a regular security scanner should do the trick. The attacker will most probably launch such an obvious attack but it’s still advisable to cover all grounds.
Beware of Unidentified Plugins
Use wp-content/plugins and wp-content/mu-plugins to look for any suspicious plugins. The attacker might try to maintain their hold of your account through legitimate plugins as well. So, be on the lookout for that.
Beware of Phishing Emails
It’s inevitable that you’re going to receive phishing emails. After all, a large number of email addresses and passwords have been exposed. Phishing emails are designed to trick you into installing malware. Don’t click on any link that looks suspicious.
GoDaddy’s Breach was, to a large extent, facilitated by its vulnerable password storage practices. Moreover, the amount of time it took to discover the attacker was also shocking. It provided the attacker with ample time to carry out several lines of attack including phishing or installing malware.
This breach is going to affect the WordPress ecosystem in a significant way because 1.2 million accounts were compromised. And that number does not include the exponentially large number of customers whose information was stolen as well.
If you are one of the affected, make sure that you follow the steps mentioned in this article. In case you have some further questions regarding GoDaddy’s breach, do leave a comment below.