GoDaddy admits to password breach: check your Managed WordPress site!


The US Securities and Equities Commission (SEC) has just published a “Security Incident” submitted last week by Web services behemoth GoDaddy.


GoDaddy says that on 17 November 2021 it realised that there were cybercriminals in its network, kicked them out, and then set about trying to figure out when the crooks got in, and what they’d managed to do while they were inside.


According to GoDaddy, the crooks – or the unauthorised third party, as the report refers to them:


  • Had been active since 06 September 2021, a ten-week window.

  • Acquired email addresses and customer numbers of 1,200,000 Managed WordPress (MWP) customers.

  • Got access to all active MWP usernames and passwords for sFTP (secure FTP) and WordPress databases.

  • Got access to SSL/TLS private keys belonging to some MWP users. (The report just says “a subset of active users”, rather than stating how many.)

  • Additionally, GoDaddy stated that default WordPress admin passwords, created when each account was opened, were accessed, too, though we’re hoping that few, if any, active users of the system had left this password unchanged after setting up their WordPress presence.


    (Default starting passwords generally need to be sent to you somehow in cleartext, often via email, specifically so you can log in for the first time to set up a proper password that you chose yourself.)


GoDaddy’s wording states that “sFTP […] passwords were exposed”, which makes it sound as though those passwords had been stored in plaintext form.


We’re assuming, if the passwords had been