GoDaddy hosting hacked: Up to 1.2 million customers information and SSL private keys exposed
No day goes by without headlines on cyberattacks or data breaches. Earlier today, we wrote about Vestas after hackers exposed the data of the world’s biggest manufacturer of wind turbines, forcing the company to shut down its wind turbines.
Now, hackers have claimed another victim. This time, it is GoDaddy, the world’s largest domain registrar and one of the largest hosting companies. In a blog post, GoDaddy reported that it “discovered unauthorized third-party access to our Managed WordPress hosting environment” that exposed the personal information of up to 1.2 million of its customers. The hacking took place on September 6, 2021.
Since the hacking took happened about two and a half months ago, we’re not sure if GoDaddy knew about the breach back then or the company has just found out on November 17, 2021, as it revealed in its blog post.
According to GoDaddy, email addresses, customer numbers, usernames, passwords, and SSL private keys of up to 1.2 million active and inactive Managed WordPress customers were exposed. “The exposure of email addresses presents risk of phishing attacks,” GoDaddy stated.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” said Demetrius Comes, GoDaddy’s Chief Information Security Officer.
“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.
“Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help) which includes phone numbers based on country.”
Below is the full Statement from GoDaddy:
On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment. Here is the background on what happened and the steps we took, and are taking, in response:
We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.
Upon identifying this incident, we immediately blocked the unauthorized third party from our system. Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to the following customer information:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help) which includes phone numbers based on country.
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.
Demetrius Comes
Chief Information Security Officer
Forward-Looking Statements
This blog post contains forward-looking statements regarding GoDaddy Inc. (“we,” “GoDaddy,” or the “Company”) which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including our efforts to investigate and remediate the security incident and our attempts to identify and notify affected customers and implement additional security measures. Our forward-looking statements are based on information known to us at the time of this blog post and are subject to a number of known and unknown risks, uncertainties and assumptions that may cause our actual future results, performance, or achievements to differ materially from any future results expressed or implied in this blog post. Factors that contribute to the uncertain nature of our forward-looking statements include, among others, our ongoing investigation of the incident; our vulnerability to additional security incidents; adverse legal, reputational and financial effects on the Company resulting from the incident or additional security incidents, including regulatory inquiries; and potential operational disruptions as a result of the incident. Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. Additional risks and uncertainties that could affect GoDaddy’s business and financial results are included in the filings we make with the Securities and Exchange Commission (“SEC”) from time to time, including those described in “Risk Factors” in our Quarterly Report on Form 10-Q for the quarter ended September 30, 2021 as well as those described in “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on From 10-K for the year ended December 31, 2020 and in our Quarterly Report on Form 10-Q for the quarter ended September 30, 2021, which are available on GoDaddy’s website at https://investors.godaddy.net and on the SEC’s website at www.sec.gov. Additional information will also be set forth in other filings that GoDaddy makes with the SEC from time to time. All forward-looking statements in this blog post are based on information available to GoDaddy as of the date hereof. GoDaddy does not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made.