The GoDaddy breach affecting 1.2 million customers has widened – it turns out that various subsidiaries that resell GoDaddy Managed WordPress were also affected.
The additional affected companies are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost.
The world’s largest domain registrar confirmed to researchers at Wordfence that several of these brands’ customers were affected by the security incident (and Wordfence provided breach-notification notices from two of them in a Tuesday posting).
“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost,” Dan Rice, vice president of corporate communications at GoDaddy, told Wordfence. “A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.”
It’s unclear exactly how many additional users were affected by the widened breach.
GoDaddy’s Managed WordPress hosting environment is a site-building service that allows companies and individuals to use the popular WordPress content management system (CMS) in a hosted environment without having to manage and update it themselves.
On Monday, the web-hosting giant said in a public filing to the SEC that an “unauthorized third party” managed to infiltrate its Managed WordPress systems starting on Sept. 6, using stolen credentials – and that the attackers lurked there for almost two and a half months before GoDaddy noticed the breach on Nov. 17.
The stolen data included:
- Emails and customer numbers for 1.2 million active and inactive Managed WordPress customers
- sFTP and database usernames and passwords for active customers (passwords are now reset)
- SSL private keys “for a subset of active customers,” used to authenticate websites to internet users, enable encryption and prevent impersonation attacks. GoDaddy is in the process of issuing and installing new certificates for affected customers.
Wordfence noted that all of the affected hosting providers are using URLs for logging into the service starting with “https://myh.secureserver.net/#/hosting/mwp/v1/” for provisioning, account management and configuration of their Managed WordPress offerings, and store sFTP passwords that can be retrieved in plaintext.
Ev Kontsevoy, CEO of Teleport, noted that the case is one more reason why passwords in computing infrastructure have to go. He advocated that companies should move to purpose-built security devices that use public/private key crypto, along with biometrics.
“Unfortunately [this breach] is destined to be another footnote on the ongoing list of data leaks caused by faulty password management,” Kontsevoy said via email. “Earlier this year, we learned the hack that took down the Colonial Pipeline was the result of a single compromised password. Passwords are everywhere, so eventually we’re going to see them leaked, intercepted or stolen.”
He added, “As an industry, we need to build responsible systems that protect user data and prevent the critical infrastructure we maintain from being used to expose or compromise such data. Removing passwords from our infrastructure is one step towards this.”
There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.
Register NOW for the LIVE event!