The US Securities and Exchange Commission (SEC) has published a filing headed “Security Incident” that was submitted last week by web services behemoth GoDaddy.
According to GoDaddy, the crooks – or the unauthorised third party, as the report refers to them:
- Had been active since 06 September 2021, giving them a window of roughly ten weeks before the intrusion was spotted.
- Acquired email addresses and customer numbers of 1,200,000 Managed WordPress (MWP) customers.
- Got access to the usernames and passwords of all active MWP customers, both for sFTP (file transfer over SSH) and for their WordPress databases.
- Got access to the SSL/TLS private keys of a subset of active MWP customers.
GoDaddy also stated that the original WordPress admin password, set when each account was first provisioned, was exposed, though we hope that few, if any, active users had left that password unchanged after setting up their WordPress site.
If the stolen passwords had been salted, hashed and stretched, as you might expect, we think GoDaddy would have said so in the report, because properly hashed passwords still have to be cracked by the attackers once they are stolen, and with well-chosen passwords and a decent hashing process that can take weeks, months or years. The report says nothing of the sort, so the safest course is to treat the stolen sFTP and database passwords as directly usable by the crooks.
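To make the "salted, hashed and stretched" point concrete, here is an added Python example (not code from the original article, and not GoDaddy's system): each password gets its own random salt and is run through PBKDF2-HMAC-SHA256, so a thief who steals the stored records has to repeat the full stretched computation for every guess against every user. The 600,000-iteration default and the record format `pbkdf2_sha256$iterations$salt$digest` are assumptions for this demo, as is the tiny wordlist in the `crack()` helper.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: 600,000 iterations is the
# production setting; demos and tests may pass a lower count explicitly.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Store a salted, stretched hash as 'pbkdf2_sha256$iters$salt$digest' (hex fields)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record, then
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type: " + algo)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a thief holding the stolen record has to do: one complete PBKDF2 run
    per guess, and the per-user salt means none of that work carries over to
    the next user's record. Returns the matching guess, or None."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo inputs; the low iteration count keeps the run short.
    weak = hash_password("password123", iterations=20_000)
    strong = hash_password("correct horse battery staple", iterations=20_000)
    wordlist = ["123456", "password", "password123", "letmein"]
    print("weak record cracked as:", crack(weak, wordlist))
    print("strong record cracked as:", crack(strong, wordlist))
```

Two details are worth noticing: the iteration count lives inside the record, so it can be raised later without breaking existing logins (rehash on next successful login), and because the salt is random per user, two users with the same password get different records, which defeats precomputed tables.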
GoDaddy has now reset all affected passwords, and says it’s in the process of replacing all potentially stolen web certificates with freshly generated ones.
GoDaddy is also in the process of contacting as many of the 1,200,000 affected users as it can.
“We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.” (GoDaddy statement)
That is a refreshing change from companies that start off by telling you how strong their protection was even before the incident.
With ten weeks in hand before they were spotted, the criminals could have used the compromised sFTP passwords to upload unauthorised files into MWP customers' sites (we come back to the stolen certificates below).
Those unauthorised website additions could include:
- Backdoored WordPress plugins or themes that let the crooks sneak back in even after your passwords have been changed.
- Fake news that would embarrass your business if customers were to come across it.
- Malware that runs right on the server, such as cryptomining code or code that steals data from your site's database.
- Malware targeting visitors to your site, such as zombie malware served up as part of a phishing scam.
Also, crooks with a copy of your SSL/TLS private key could set up a fake site elsewhere, such as an investment scam or a phishing server, that not only claimed to be your site but also actively “proved” it was yours by using your very own web certificate. They would still need to lure victims to their server (or control your DNS) to pull that off, and the trick works only while the old certificate is trusted, which is why GoDaddy's replacement of the affected certificates matters. Bear in mind, though, that revocation checking in clients is patchy, so a freshly issued certificate does not retroactively neutralise the stolen one everywhere.
What to do
- Watch out for contact from GoDaddy about the incident.
- Turn on 2FA for your GoDaddy account and your WordPress admin accounts if you haven't already.
- Review all the files on your site, especially those in the WordPress plugin and theme directories, and look for executable files (PHP, for example) in the uploads directory, where they don't belong. Where you can, compare plugin and theme files against pristine copies from their official sources.
- Review all accounts on your site: WordPress users (especially administrators), plus the sFTP and database credentials, and rotate anything you cannot account for.
- Be careful of anyone contacting you out of the blue and offering to “help” you clean up.
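The file review in the steps above, as an added Python example that is not from the original article or from GoDaddy: a triage script that walks a WordPress tree, flags executable files under wp-content/uploads, PHP files that call functions common in web shells (eval, base64_decode, system and so on), and files modified on or after 06 September 2021, the start of the intrusion window given in the report. The sample site it builds, the plugin and theme names, the file contents and the timestamps are all constructed for the demo.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Start of the intrusion window given in GoDaddy's report.
WINDOW_START = datetime(2021, 9, 6, tzinfo=timezone.utc)

# Extensions a typical web server hands to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Calls that show up in web shells and obfuscated backdoors. Legitimate plugins
# use some of these too, so a hit is a lead for manual review, not a verdict.
SUSPICIOUS_CALL = re.compile(
    rb"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|"
    rb"create_function|system|shell_exec|passthru|proc_open|popen)\s*\(",
    re.IGNORECASE,
)


def scan_site(root: str,
              modified_since: Optional[datetime] = WINDOW_START) -> List[Tuple[str, List[str]]]:
    """Return (path relative to root, reasons) for every file that deserves a look."""
    root_path = Path(root)
    findings = []
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        reasons = []
        is_php = path.suffix.lower() in PHP_EXTENSIONS
        if is_php and rel.startswith("wp-content/uploads/"):
            reasons.append("executable file in uploads")
        if is_php:
            match = SUSPICIOUS_CALL.search(path.read_bytes())
            if match:
                reasons.append("suspicious call " + match.group(1).decode() + "()")
        if modified_since is not None:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            if mtime >= modified_since:
                reasons.append("modified inside the incident window")
        if reasons:
            findings.append((rel, reasons))
    return findings


# Constructed sample tree: hypothetical plugin and theme names, with a clean
# baseline dated before the window and two planted files dated inside it.
SAMPLE_FILES = {
    "wp-content/plugins/example-forms/example-forms.php":
        (b"<?php\n// clean plugin stub\nfunction example_forms_init() { return true; }\n", "2021-08-01"),
    "wp-content/plugins/seo-helper/helper.php":
        (b"<?php\n@eval(base64_decode($_POST['c']));\n", "2021-10-03"),
    "wp-content/themes/example-theme/functions.php":
        (b"<?php\nadd_action('init', 'example_theme_setup');\n", "2021-08-01"),
    "wp-content/uploads/2021/08/photo.jpg":
        (b"\xff\xd8\xff\xe0 constructed placeholder, not a real JPEG", "2021-08-15"),
    "wp-content/uploads/2021/10/cache.php":
        (b"<?php system($_GET['cmd']);\n", "2021-10-03"),
}


def build_sample_site(root: str) -> None:
    """Write the constructed tree and back-date each file's mtime as listed."""
    for rel, (content, day) in SAMPLE_FILES.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        stamp = datetime.fromisoformat(day).replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (stamp, stamp))


def demo() -> Dict[str, List[str]]:
    """Build the sample site in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return dict(scan_site(tmp))


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", "; ".join(reasons))
```

On a real site, point `scan_site()` at the WordPress document root and treat the output as a work list: the modification-time check is only as good as the attacker's laziness (timestamps are trivial to forge), and the call-pattern check will name some legitimate plugins, so confirm each hit by diffing the file against a pristine copy from its official source before deleting anything.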