
GoDaddy: Hack Exposes Customer Data of 1.2 Million WordPress Users

While most of the country was getting ready for Thanksgiving, GoDaddy, one of the biggest web hosting providers in the world, notified the Securities and Exchange Commission (SEC) on November 22, 2021, that more than one million of its WordPress users had been subject to a data breach that went unnoticed for nearly three months.

“Domain registrar and web hosting giant GoDaddy has been hacked and customer data for some 1.2 million WordPress users were exposed to the attacker for more than three months,” writes Ryan Naraine in SecurityWeek. “Millions of users of its managed WordPress hosting service had sensitive data stolen, including database usernames and passwords, email addresses and private SSL keys.”

In a filing with the SEC, GoDaddy Chief Information Security Officer Demetrius Comes wrote that the hack apparently started on September 6, 2021, and that the unauthorized third-party access to GoDaddy’s Managed WordPress hosting environment was not discovered until November 17, 2021.

Big Daddy: Not the First Time Web Hosting Giant Targeted

The Arizona-based GoDaddy was born in 1999 and by 2005 declared it had become the largest ICANN-accredited domain registrar in the world, surpassing Network Solutions.

GoDaddy also became a perennial Super Bowl advertiser with its sometimes provocative but almost always effective ads.

FirstSiteGuide says that today, “GoDaddy is the undisputed champion and the owner of the most popular global shared web hosting provider title. It currently has over 44 million subscribers.”

Of course, with more than 37,000 servers located all around the world, GoDaddy has also become a prime target in recent years for hackers.

Yahoo! Finance says recent GoDaddy security breaches include:

GoDaddy Hack Went Unnoticed for Nearly Three Months

The GoDaddy hack that went unnoticed for nearly three months started when an unauthorized third party used a compromised password to access the provisioning system of the legacy code base for Managed WordPress.

“Upon identifying this incident, we immediately blocked the unauthorized third party from our system,” says GoDaddy.

GoDaddy says its investigation is ongoing, but they have determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to the following customer information:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents a risk of phishing attacks.
  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
  • For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
  • For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

“We are contacting all impacted customers directly with specific details. Customers can also contact us via our help center which includes phone numbers based on country,” said GoDaddy in the SEC filing.

Concluding the breach notice, GoDaddy security chief Comes says: “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

WordPress or any CMS hosting can be tricky. We understand that. We still love WordPress and we feel comfortable with the managed hosting we provide to our clients. However, we've been building more sites on HubSpot's CMS lately and it just helps us sleep better at night!
