Web-hosting giant GoDaddy has confirmed another data breach, this time affecting at least 1.2 million of its customers.
The domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.
On Monday, the world's largest domain registrar explained in a public filing to the US Securities and Exchange Commission (SEC) that an "unauthorised third party" managed to infiltrate its systems on Sept. 6, and that the intruder(s) retained access for almost two and a half months before GoDaddy noticed the breach on Nov. 17.
"We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement," Demetrius Comes, GoDaddy CISO, stated in the website notice.
Specifically, the attackers compromised GoDaddy's Managed WordPress hosting environment, a site-building service that allows companies and individuals to use the popular WordPress content management system (CMS) in a hosted environment without having to manage and update it themselves.
"Using a compromised password, an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress," according to Comes.
The information the cyber-criminals were able to obtain is a "mixed bag." The Scottsdale, Arizona-based firm stated that it included:
- Email addresses and customer numbers for 1.2 million active and inactive Managed WordPress customers
- sFTP and database usernames and passwords for active customers (these passwords have since been reset)
- SSL private keys "for a subset of active customers," which are used to authenticate websites to internet users, enable encryption and prevent impersonation attacks. GoDaddy is in the process of issuing and installing new certificates for the affected customers.
It did not say how many customers were affected by the database-login or certificate compromises.
"Our investigation is ongoing, and we are contacting all impacted customers directly with specific details," Comes concluded. "We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection."
Questions also remain as to how the account itself was protected: was a strong password in use, and was multi-factor authentication (MFA) enabled?
"The key question is, 'was multifactor in use?' With this breach being caused by a compromised credential, I would not imagine the login was protected by multi-factor authentication, which is an element that could have caused this breach," Randy Watkins, CTO at Critical Start, observed via email.
"Moving forward, key and password management is crucial. Applying least-privilege where applicable can lessen the impact of a compromised credential, but it's still best to protect every login with MFA and monitor service accounts that don't support MFA."
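Watkins' last point, monitoring the service accounts that cannot be put behind MFA, is the kind of control that would have shortened the two-and-a-half-month dwell time described above. The following is an added example, not code from GoDaddy or Critical Start: it runs three simple rules over an authentication log (the `key=value` line format, the `wp-provisioner` account and the baseline of source addresses are all constructed for the example) and flags non-MFA logins from unknown sources, successes that follow a burst of failures, and interactive accounts that log in with no second factor at all.

```python
"""Flag risky logins for accounts that cannot use MFA.

Added example, not GoDaddy's or Critical Start's code. It assumes an
authentication log in a simple 'key=value' line format (constructed here)
and a per-account baseline of source addresses that the operator maintains.
"""
from collections import defaultdict

# Constructed sample log: the service account 'wp-provisioner' has no MFA,
# 'alice' uses TOTP and 'bob' is an interactive user logging in without MFA.
SAMPLE_LOG = """\
ts=2021-09-06T02:14:07Z user=wp-provisioner result=fail src=203.0.113.45 mfa=none
ts=2021-09-06T02:14:11Z user=wp-provisioner result=fail src=203.0.113.45 mfa=none
ts=2021-09-06T02:14:19Z user=wp-provisioner result=ok src=203.0.113.45 mfa=none
ts=2021-09-06T09:00:02Z user=wp-provisioner result=ok src=10.20.0.8 mfa=none
ts=2021-09-06T09:05:41Z user=alice result=ok src=198.51.100.7 mfa=totp
ts=2021-09-06T09:07:00Z user=bob result=ok src=198.51.100.9 mfa=none
"""

# Operator-maintained baseline (assumption): the service accounts that cannot
# use MFA and the source addresses they normally authenticate from.
BASELINE = {
    "wp-provisioner": {"10.20.0.8", "10.20.0.9"},
}


def parse_line(line):
    """Turn one 'k=v k=v ...' line into a dict; return None for malformed lines."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        fields[key] = value
    required = {"ts", "user", "result", "src", "mfa"}
    return fields if required.issubset(fields) else None


def detect(log_text, baseline, fail_threshold=2):
    """Return a list of (user, src, reason) alerts.

    Rules, applied only to successful logins with mfa=none:
    1. a known service account succeeds from a source not in its baseline
    2. a success is preceded by >= fail_threshold failures from the same source
    3. an account that is not a listed service account logs in with no MFA
    """
    alerts = []
    failures = defaultdict(int)  # (user, src) -> consecutive failed attempts
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        key = (event["user"], event["src"])
        if event["result"] == "fail":
            failures[key] += 1
            continue
        if event["mfa"] != "none":
            failures[key] = 0  # MFA-protected success: nothing to flag
            continue
        if event["user"] not in baseline:
            alerts.append((event["user"], event["src"], "interactive login without MFA"))
        elif event["src"] not in baseline[event["user"]]:
            alerts.append((event["user"], event["src"], "service account from unknown source"))
        if failures[key] >= fail_threshold:
            alerts.append((event["user"], event["src"], f"success after {failures[key]} failures"))
        failures[key] = 0
    return alerts


if __name__ == "__main__":
    for user, src, reason in detect(SAMPLE_LOG, BASELINE):
        print(f"ALERT {user} from {src}: {reason}")
```

On the constructed log this produces three alerts: the provisioning account succeeding from an address outside its baseline, the same success arriving after two failures, and `bob` logging in with no second factor. The baseline is deliberately a plain dict so it can be replaced by whatever inventory of service accounts and expected sources an organisation already keeps.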
When it comes to the consequences, follow-on phishing is the obvious thing to watch for, as GoDaddy flagged in its announcement. Researchers outlined other issues that should also be considered.
"This breach could mean a few things for users," commented Watkins. "There is a chance that keys or credentials could be used to gain access or impersonate customer sites.
Either of these situations could lead to a compromise of those organisations' customers' data too. While this breach will just be an inconvenience for most, others may have serious brand damage from impersonated sites or an actual breach."
Private Keys and Certificates
According to Murali Palanisamy, Chief Solutions Officer at AppViewX, compromised SSL private keys and certificates could also allow attackers to hijack a domain name and use it to extort a ransom for its return.
"They can also redirect users to what appears as an identical website and deploy malware or collect user credentials and credit-card information and much more," he commented. "All of these threats are extinction-level events."
He added that while GoDaddy is working to update the SSL certificates, it will take time to accomplish this, so customers may want to take matters into their own hands.
"To mitigate current vulnerabilities, customers of GoDaddy need to check that the certificates are updated and change the passwords for sFTP access to new and unique numbers, letters and symbols," he stated. "I'd also recommend incorporating a cryptographic agility capability, which will enable a quick rollover of certifications and keys."
Long-term, users could also incorporate short-lived automated certificates.
"This way, if the keys are compromised, they are not used by attackers, and the window of opportunity for such sophisticated attacks are reduced," he explained. "Customers of GoDaddy should monitor for unusual activity and report any red flags to the government/FTC as soon as possible."
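Palanisamy's two recommendations, checking that a certificate has actually been reissued and moving to short-lived certificates, can be turned into one mechanical check. The following is an added example and is not GoDaddy's or AppViewX's code. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same function runs against a live site (via `fetch_peer_cert`, which needs network access) or against the constructed `SAMPLE_CERTS` records used here. The exposure window is taken from the dates in this article (Sept. 6 to Nov. 17, 2021); the 90-day lifetime threshold and the assumption that keys generated after discovery were generated outside the compromised environment are the example's own.

```python
"""Decide whether a served TLS certificate should be reissued after a key-exposure window.

Added example, not GoDaddy's or AppViewX's code. Works on the dict that
ssl.SSLSocket.getpeercert() returns; SAMPLE_CERTS below are constructed records.
"""
import socket
import ssl
from datetime import datetime, timezone

# Window during which customer private keys sat on the compromised environment:
# intrusion began Sept. 6, 2021, discovered Nov. 17, 2021 (dates from the article).
EXPOSURE_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2021, 11, 17, tzinfo=timezone.utc)

# Constructed records in getpeercert() format (only the fields the check needs).
SAMPLE_CERTS = {
    "old.example": {
        "notBefore": "Mar  1 00:00:00 2021 GMT", "notAfter": "Mar  1 00:00:00 2022 GMT"},
    "renewed-long.example": {
        "notBefore": "Nov 20 00:00:00 2021 GMT", "notAfter": "Nov 20 00:00:00 2022 GMT"},
    "renewed-short.example": {
        "notBefore": "Nov 20 00:00:00 2021 GMT", "notAfter": "Feb 18 00:00:00 2022 GMT"},
}


def _to_dt(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def assess_certificate(cert, exposure_end=EXPOSURE_END, max_lifetime_days=90):
    """Return (must_reissue, advice) for one certificate record.

    A certificate whose notBefore predates the close of the exposure window
    was in service while its private key may have been copied, so it must be
    reissued with a NEW key pair (assumption: keys generated after discovery
    were generated outside the compromised environment). Renewing with the old
    key would not help; getpeercert() does not expose the public key, so
    compare SPKI fingerprints separately if the old key is available.
    Certificates issued after the window are not flagged for reissue, but a
    long lifetime is called out because short-lived certificates bound the
    damage from the next key exposure.
    """
    not_before = _to_dt(cert["notBefore"])
    not_after = _to_dt(cert["notAfter"])
    if not_before < exposure_end:
        return True, "issued before the exposure window closed; reissue with a new key"
    lifetime_days = (not_after - not_before).days
    if lifetime_days > max_lifetime_days:
        return False, f"issued after exposure, but lifetime of {lifetime_days} days exceeds {max_lifetime_days}"
    return False, "issued after exposure with a short lifetime"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live site serves, in getpeercert() form (network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess_all(certs):
    """Assess a {name: cert_dict} mapping; returns {name: (must_reissue, advice)}."""
    return {name: assess_certificate(cert) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, (reissue, advice) in assess_all(SAMPLE_CERTS).items():
        print(f"{name}: {'REISSUE' if reissue else 'ok'} ({advice})")
```

Run against the constructed records, only `old.example` is flagged for reissue; `renewed-long.example` passes the exposure check but is called out for its year-long lifetime, which is the case Palanisamy's short-lived-certificate advice addresses. To check a real site, replace the sample dict with `{"host": fetch_peer_cert("host")}`.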
This is only the company's latest data incident. Last year, GoDaddy made headlines with three separate incidents.
The first was discovered in March 2020, when an attacker phished an employee to gain access to GoDaddy's internal support system and went on to change at least five customers' domain-name entries.
Then, in May 2020, the company said that cyber-criminals had stolen customers' web-hosting account credentials (SSH usernames and passwords) after having had access to its systems from October 2019 to April 2020.
In that incident, 28,000 of the company's 19 million active users were affected.
Last November, a social-engineering "vishing" attack on GoDaddy employees temporarily handed control of the cryptocurrency service sites NiceHash and Liquid to fraudsters, exposing users' personal information.
Before that, back in 2018, GoDaddy exposed high-level configuration information for tens of thousands of systems (and competitively sensitive pricing options for running those systems) in Amazon AWS, thanks to a cloud-storage misconfiguration.
"Due to its history with cyber-incidents, GoDaddy has become an easy target," outlined Nick Tausek, Security Solutions Architect at Swimlane.
"It operates 35,000 servers hosting more than 5 million websites, with millions of people relying on its services for the day-to-day operations of their businesses and hobbies. Because of the level of user dependency, repercussions can be severe when a situation like this presents itself."
The company did not immediately return a request for comment.