GoDaddy Data Breach Exposes SSL Keys of Web Hosting Customers
A data breach at GoDaddy exposed SSL keys issued to an undisclosed — but likely large — number of active customers using its Managed WordPress website hosting service. The incident has sparked concerns about attackers hijacking domains for ransomware or spoofing them for credential theft and other malicious purposes.
GoDaddy, a major domain registrar and website hosting company, on Monday announced it had discovered a data breach on Nov. 17 that exposed data belonging to a total of 1.2 million active and inactive customers of Managed WordPress. Exposed data included the email address and customer number associated with the WordPress accounts; the default WordPress admin password that was set when the account was first provisioned; and SFTP and database usernames and passwords. SSL keys belonging to a subset of the 1.2 million affected customers also were exposed, GoDaddy said in a regulatory statement filed with the Securities and Exchange Commission.
The publicly listed company said it had reset all affected passwords and was in the process of issuing and implementing new certificates for customers whose SSL keys were exposed.
GoDaddy officials say the attackers used a compromised password to access the certificate provisioning system in GoDaddy’s legacy code base for Managed WordPress. An investigation showed the attackers gained initial access to its environment on Sept. 6 and remained undetected for more than 70 days, until Nov. 17.
“We are sincerely sorry for this incident and the concern it causes for our customers,” GoDaddy’s chief information security officer, Demetrius Comes, said in the statement filed with the SEC. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
It’s unclear how that reassurance will resonate with customers given GoDaddy’s struggles with security over the past couple of years. In May 2020, the company said it discovered a breach affecting SSH credentials belonging to some 28,000 customers. The breach occurred in November 2019 but wasn’t discovered until April of the following year. On at least two other occasions last year, employees at the company provided scammers with control of domains belonging to a handful of customers as the result of social engineering.