Get in Touch
GoDaddy have announced a breach of their Managed WordPress hosting environment.
The currently unknown/unidentified threat actor was able to gain access to GoDaddy systems via a compromised set of credentials. Investigations are ongoing, but it is believed that the threat actor gained access to systems as far back as 6th September 2021.
Around 1.2 million past and current customers have had the following data exposed:
- Email addresses
- Customer Numbers
- Admin passwords used at the time of provisioning
- Current users’ SFTP usernames and passwords
- Current users’ database usernames and passwords
- Some current users’ TLS keys.
This affects GoDaddy affiliates, 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost.
Containment, Mitigations & Remediations
Customers of GoDaddy WordPress hosting should be aware of a heightened risk of phishing activity.
GoDaddy have stated that they have reset passwords for impacted accounts, however, any passwords associated with an affected account should be changed immediately – particularly if the credentials have been used elsewhere.
GoDaddy are in the process of cycling the TLS keys for affected customers.
GoDaddy state that they have already cycled passwords for exposed passwords, though no comment has made with regards to if the passwords were encrypted. Given that they have already taken this action, one expected associated phishing attack would be for a new password along with a link to login or reset the password.
One concern would be that the threat actor has used the stolen information to upload malicious content to trusted websites in order to compromise other/associated organisations. This is what is referred to as a “Watering Hole” attack.
If you are concerned that you site may have been impacted by this attack, check access logs to your site and compare change requests to file update/creation times on the site.
T1078 – Valid Accounts