This isn't the first time attackers have breached GoDaddy.

Edward Gately, Senior News Editor

November 23, 2021


A GoDaddy data breach has given an attacker access to more than 1 million email addresses of its Managed WordPress users.

On Nov. 17, GoDaddy discovered unauthorized third-party access to its Managed WordPress hosting environment. Using a compromised password, an unauthorized third party accessed the provisioning system in GoDaddy’s legacy code base for Managed WordPress.

Demetrius Comes is GoDaddy’s CISO.

“Upon identifying this incident, we immediately blocked the unauthorized third party from our system,” he said in a U.S. Securities and Exchange Commission (SEC) filing.

Through that access, the attacker obtained the following:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.

  • The original WordPress admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.

  • For active customers, secure file transfer protocol (sFTP) and database usernames and passwords were exposed. GoDaddy reset both passwords.

  • For a subset of active customers, the secure sockets layer (SSL) private key was exposed. GoDaddy is issuing and installing new certificates for those customers.

“Our investigation is ongoing and we are contacting all impacted customers directly with specific details,” Comes said. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

Not the First GoDaddy Breach

Nick Tausek is Swimlane’s security solutions architect. He said this GoDaddy breach follows three similar attacks in the last three years. An AWS error exposed GoDaddy server data in 2018. An unauthorized user breached 28,000 accounts in October 2019. Moreover, cryptocurrency sites hosted by GoDaddy were hacked in November 2020.

“Due to its history with cyber incidents, GoDaddy has become an easy target,” he said. “It operates 35,000 servers hosting more than 5 million websites, with millions of people relying on its services for the day-to-day operations of their businesses and hobbies. Because of the level of user dependency, repercussions can be severe when a situation like this presents itself. For customers to be able to trust that their valuable and highly sensitive data remains safe and secure, organizations like GoDaddy must implement the proper controls to recognize and thwart cyber threats.”

Inherent Weakness of Relying on Credentials

Robert Prigge is CEO of Jumio. He said this breach underlines the inherent weakness of relying on credentials to authenticate users. That’s because it was caused by unauthorized access via a compromised password.

“In fact, 61% of data breaches in 2020 involved the use of unauthorized credentials,” he said. “And this number is sure to increase if organizations don’t move away from this outdated method. With user email addresses, credentials for WordPress databases and SSL private keys exposed in this breach, cybercriminals have everything they need to conduct phishing attacks or impersonate customers’ services and websites.”

It’s simply not enough to reset passwords and private keys to protect the 1.2 million users affected by this breach, Prigge said. Instead, online organizations should turn to a safer and more secure alternative like biometric authentication. That leverages a person’s unique human traits to verify identity.

Potential Major Impact on Individuals, Small Businesses

Javvad Malik is security awareness advocate at KnowBe4.

“Many individuals and small businesses rely on WordPress and GoDaddy to have a web presence, and this kind of breach can have a major impact,” he said. “While it’s concerning that the attacker was in GoDaddy’s servers for over two months, the response by GoDaddy has been very good. The company has reset exposed sFTP, database, and admin user passwords, and is installing new SSL certificates. In addition, the company contacted law enforcement and a forensics team, and notified customers. All of this is an ideal playbook from which other organizations could learn to better understand how to respond to a breach.”

Steve Moore is Exabeam’s chief security strategist.

“No matter how robust your security stack is, your organization will still be vulnerable to intrusions stemming from compromised credentials,” he said. “Even the best organizations must manage this problem perfectly, and perfect is seldom possible. Proper training, feedback loops, visibility and effective technical capabilities are the keys to defending against compromised insider and external adversaries.”

A helpful defender capability is the development of a baseline for normal employee behavior that can assist organizations with identifying compromised credentials and related intrusions, Moore said.

“If you can establish normal behavior first, only then can abnormalities be known — a great asset in uncovering unknowingly compromised accounts,” he said.
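The baselining Moore describes can be made concrete with a small detection routine. The following is an added example written for this page, not code from GoDaddy, Exabeam or any vendor, and it assumes a constructed authentication log format (one event per line with a UTC timestamp, user, source address and outcome). It learns each user's usual source networks and login hours from historical successful logins, then flags later successful logins that come from a new network, fall outside the user's usual hours, or follow a burst of failed attempts from the same source, which is what the use of a stolen or guessed password often looks like.

```python
"""Behavioural baseline for logins: learn each user's normal source networks and
hours from historical successes, then flag later successful logins that deviate.
Added example with a constructed log format; not any product's detection logic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log format (assumption, not a real product's): one auth event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) outcome=(?P<outcome>success|failure)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src: str
    outcome: str


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed auth log line; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return LoginEvent(ts, m["user"], m["src"], m["outcome"])


def network_of(src: str):
    """Coarsen an address to its /24 (IPv4) or /48 (IPv6) so that a user moving
    within one office or ISP block does not look like a brand-new location."""
    addr = ipaddress.ip_address(src)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def build_baseline(events):
    """Per user: the source networks and UTC hours seen on successful logins."""
    baseline = defaultdict(lambda: {"networks": set(), "hours": set()})
    for e in events:
        if e.outcome == "success":
            baseline[e.user]["networks"].add(network_of(e.src))
            baseline[e.user]["hours"].add(e.ts.hour)
    return dict(baseline)


def score_event(baseline, history, event, window=timedelta(minutes=10), fail_threshold=5):
    """Return the reasons a successful login looks abnormal (empty list = normal)."""
    reasons = []
    profile = baseline.get(event.user)
    if profile is None:
        reasons.append("no baseline for user")
    else:
        if network_of(event.src) not in profile["networks"]:
            reasons.append("new source network")
        if event.ts.hour not in profile["hours"]:
            reasons.append("outside usual hours")
    # A guessed password shows up as a run of failures from one source, then a success.
    failures = sum(
        1 for h in history
        if h.user == event.user and h.src == event.src and h.outcome == "failure"
        and timedelta(0) <= event.ts - h.ts <= window
    )
    if failures >= fail_threshold:
        reasons.append(f"{failures} failures from same source within {window}")
    return reasons


def detect(baseline_lines, new_lines):
    """Learn from baseline_lines, then return (event, reasons) for every successful
    login in new_lines that deviates from the learned profile."""
    baseline = build_baseline(parse_line(l) for l in baseline_lines)
    history, alerts = [], []
    for e in sorted((parse_line(l) for l in new_lines), key=lambda ev: ev.ts):
        if e.outcome == "success":
            reasons = score_event(baseline, history, e)
            if reasons:
                alerts.append((e, reasons))
        history.append(e)
    return alerts


# Constructed sample data: two users with a short, regular history.
BASELINE_LOG = [
    "2021-09-01T08:14:02Z user=alice src=203.0.113.10 outcome=success",
    "2021-09-01T13:40:11Z user=alice src=203.0.113.22 outcome=success",
    "2021-09-02T09:02:45Z user=alice src=203.0.113.10 outcome=success",
    "2021-09-02T16:55:30Z user=alice src=203.0.113.10 outcome=success",
    "2021-09-01T10:05:00Z user=bob src=198.51.100.5 outcome=success",
    "2021-09-02T10:12:19Z user=bob src=198.51.100.5 outcome=success",
]
NEW_LOG = [
    "2021-09-03T09:30:00Z user=alice src=203.0.113.15 outcome=success",  # same /24, usual hour
    "2021-09-03T10:01:00Z user=bob src=198.51.100.5 outcome=success",
] + [
    f"2021-09-04T02:3{i}:00Z user=alice src=192.0.2.77 outcome=failure" for i in range(6)
] + [
    "2021-09-04T02:36:30Z user=alice src=192.0.2.77 outcome=success",  # new network, 02:36 UTC
]

if __name__ == "__main__":
    for event, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(f"{event.ts:%Y-%m-%d %H:%M}Z {event.user} from {event.src}: {', '.join(reasons)}")
```

Run on the constructed data, the routine stays quiet for alice's daytime login from her usual /24 and for bob, and raises a single alert for the 02:36 UTC success from 192.0.2.77 that followed six failures. In practice the baseline window should cover weeks rather than days, and the thresholds should be tuned per environment; the point is that the profile has to exist before a deviation can be recognised.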

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
