UPDATED: WordPress site owners hosted by GoDaddy have had their data exposed — for months.
Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting edge, PC operating system; 300bps was a fast Internet connection; WordStar was the state of the art word processor; and we liked it.
WordPress is far more than just blogs. It powers over 42% of all websites. So whenever there’s a WordPress security failure, it’s a big deal. And now GoDaddy, which is the top global web hosting firm with tens of millions more sites than its competition, reports that data on 1.2 million of its WordPress customers has been exposed.
The best VPN services
Every remote worker should consider a virtual private network to stay safe online.
Read More
In a Securities and Exchange Commission (SEC) filing, GoDaddy’s chief information security officer (CISO) Demetrius Comes said they’ve discovered unauthorized access to its managed WordPress servers. To be exact the breach opened information on 1.2 million active and inactive managed WordPress customers since September 6, 2021.
This managed service, according to WordPress, is streamlined, optimized hosting for building and managing WordPress sites. GoDaddy handles basic hosting administrative tasks, such as installing WordPress, automated daily backups, WordPress core updates, and server-level caching. These plans start at $6.99 a month.
Customers had both their email addresses and customer numbers exposed. As a result, GoDaddy warns users that this exposure can put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password, created when WordPress was first installed, has also been exposed. So if you never changed that password, hackers have had access to your website for months.
In addition, active customers had their sFTP and database usernames and passwords exposed. GoDaddy has reset both these passwords. Finally, some active customers had their Secure-Socket Layer (SSL) private key exposed. GoDaddy is currently reissuing and installing new certificates for those customers.
WordFence, a WordPress security company, says in their report, “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”
GoDaddy has announced that its investigation is ongoing. The company is contacting all impacted customers directly with specific details. Customers can also contact GoDaddy via its help center. This site includes phone numbers for users in affected countries.
At this time, that’s all the information GoDaddy has made public about the breach.
Related Stories:
Fitbit recalls over one million Ionic smartwatches due to burn risk
Conti ransomware attack on Irish healthcare system may cost over $100 million
464 Australian data breaches reported to the OAIC in latter half of 2021
One year later: Treasury to review Australia’s news media bargaining code
MacTel warns critical infrastructure reforms create gaps in government data protection
We’re all still using the same passwords, even after they’ve been breached
Ukrainian gov’t sites disrupted by DDoS, wiper malware discovered
Jamf reports $366.4 million in revenue for 2021, $103.8 million for Q4
Salesforce paid more than $2.8 million in 2021 bug bounties, $12.2 million since 2015
Please review our terms of service to complete your newsletter subscription.
You agree to receive updates, promotions, and alerts from ZDNet.com. You may unsubscribe at any time. By joining ZDNet, you agree to our Terms of Use and Privacy Policy.
You agree to receive updates, promotions, and alerts from ZDNet.com. You may unsubscribe at any time. By signing up, you agree to receive the selected newsletter(s) which you may unsubscribe from at any time. You also agree to the Terms of Use and acknowledge the data collection and usage practices outlined in our Privacy Policy.
© 2022 ZDNET, A RED VENTURES COMPANY. ALL RIGHTS RESERVED. Privacy Policy | Cookie Settings | Advertise | Terms of Use
