28,000 GoDaddy Hosting Accounts Compromised
This entry was posted in WordPress Security on May 5, 2020 by Chloe Chamberland.
This is a public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.
SSH, while extremely secure if configured correctly, allows logins with either a username/password combination or a username and a public/private key pair. In the case of this breach, it appears likely that the attacker placed their own public key on the affected accounts so that they could maintain access even if the account password was changed.
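As an added example (not code from the Wordfence post or from GoDaddy), the following Python audits an OpenSSH authorized_keys file against an allowlist of known key fingerprints, which is the check a hosting customer would run to find a key they did not add. The sample keys are constructed inside the script and are not real keys; `audit(SAMPLE_FILE, ALLOWLIST)` returns the entries to review.

```python
import base64
import hashlib
import re

# Key-type token, base64 blob, optional comment; any text before the key type is options.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$"
)

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """One dict per non-comment line; lines that cannot be parsed get an 'error' field."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            entries.append({"line": lineno, "error": "unparseable entry", "raw": line})
            continue
        entries.append({"line": lineno, "type": m.group("type"),
                        "fingerprint": fingerprint(m.group("blob")),
                        "comment": m.group("comment") or "",
                        "options": line[:m.start()].strip()})
    return entries

def audit(text, allowed_fingerprints):
    """Entries to review: keys not on the allowlist, plus lines that could not be parsed."""
    return [e for e in parse_authorized_keys(text)
            if e.get("fingerprint") not in allowed_fingerprints]

# Constructed sample data (not real keys). Wire-format blob = string(type) + string(pubkey).
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

def ed25519_line(pub, comment, options=""):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pub)
    return f"{options + ' ' if options else ''}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

KNOWN_LINE = ed25519_line(b"\x01" * 32, "admin@laptop")
UNKNOWN_LINE = ed25519_line(b"\x02" * 32, "unknown@example", options='from="203.0.113.5"')
SAMPLE_FILE = "# managed keys\n" + KNOWN_LINE + "\n\n" + UNKNOWN_LINE + "\nnot a key\n"
ALLOWLIST = {fingerprint(KNOWN_LINE.split()[1])}
```

Fingerprints computed here match `ssh-keygen -lf authorized_keys`, so the allowlist can be built from the keys you know you installed.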
It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:
“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”
The breach itself appears to have occurred on October 19, 2019.
What Should I Do?
Immediate Action
If you have been impacted by this breach and have not already been notified by GoDaddy, you will likely be notified in the near future.
GoDaddy indicates that they have updated the account passwords and removed the attacker’s public key. While this should prevent the attacker from accessing impacted sites via SSH, we strongly recommend changing your site’s database password as well, since an attacker with SSH access could have read it without modifying anything on the account.
Compromised database credentials could be used to gain control of a WordPress site if remote database connections are enabled, which GoDaddy allows on many of its hosting accounts. You may also wish to check your site for unauthorized administrative users, as these could have been created without modifying any files on the site.
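As an added example, not from the Wordfence post, here is a Python check of the kind recommended above: it lists administrator accounts registered on or after the breach date from wp_users and wp_usermeta rows. It assumes the default `wp_` table prefix and uses rows constructed inline; on a real site the rows come from the database query shown in the comment.

```python
import re
from datetime import datetime

# wp_usermeta stores roles as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')
BREACH_DATE = datetime(2019, 10, 19)   # breach date as reported in the disclosure
TABLE_PREFIX = "wp_"                   # assumed default; change if the site uses another prefix

def roles_from_capabilities(serialized):
    """Return the roles enabled (b:1) in a serialized wp_capabilities value."""
    return ROLE_RE.findall(serialized or "")

def recent_admins(users, usermeta, since=BREACH_DATE):
    """users: (ID, user_login, user_registered 'YYYY-MM-DD HH:MM:SS') rows;
    usermeta: (user_id, meta_key, meta_value) rows.
    Returns logins of administrators registered on or after `since`, oldest first."""
    caps_key = TABLE_PREFIX + "capabilities"
    caps = {uid: val for uid, key, val in usermeta if key == caps_key}
    found = []
    for uid, login, registered in users:
        if "administrator" not in roles_from_capabilities(caps.get(uid)):
            continue
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if when >= since:
            found.append((when, login))
    return [login for _, login in sorted(found)]

# Constructed sample rows standing in for:
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value FROM wp_users u
#   JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities';
SAMPLE_USERS = [
    (1, "owner", "2017-03-02 10:00:00"),
    (2, "editor1", "2020-01-15 09:30:00"),
    (3, "wpsupport", "2019-11-02 03:14:07"),
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:2:{s:13:"administrator";b:1;s:6:"editor";b:0;}'),
]

if __name__ == "__main__":
    print(recent_admins(SAMPLE_USERS, SAMPLE_USERMETA))   # ['wpsupport']
```

Any login this returns that you do not recognise should be reviewed (and its sessions and password reset) rather than deleted blindly, since the registration date alone does not prove it is malicious.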
Remain Vigilant
Breaches like this create a prime opportunity for attackers who use phishing campaigns to target affected users.
Phishing, in general terms, is an attack in which an attacker crafts an email that appears to come from a legitimate source but is intended to obtain sensitive information from an unsuspecting user. Although only 28,000 hosting accounts appear to have been affected, it is estimated that millions of sites are hosted by GoDaddy. This means that there are millions of users out there who might be worried that they will receive a notification that their hosting account has been breached.
Therefore, the likelihood of a phishing campaign targeting GoDaddy users is high. Under these conditions, we recommend that GoDaddy customers take care when clicking links or taking any action requested in an email, so that they don’t end up the victim of a phishing attack.
There Are A Few Key Things You Can Check To See If You Are The Target Of A Phishing Attack:
- Check the email headers. If the message did not originate from a registered GoDaddy domain, it most likely did not come from GoDaddy and is a phishing attempt.
- Look for a large number of typos or misspellings in the email content itself. This can indicate the presence of an attacker; professional emails contain minimal typos or misspellings, if any.
- Watch for alarming language intended to scare you into providing personal information. GoDaddy’s security incident disclosure email should not try to scare you or ask you to provide any information; it should simply inform you that you may have been impacted by a breach. If you receive an email that appears to be scaring you into providing information, it may be a phishing attempt.
If you cannot verify the source or legitimacy of an email, it is best to go directly to the GoDaddy site and contact them via their standard support channels. This will allow you to verify that your account is secure.
This is a public service announcement by the Wordfence Threat Intelligence team. We are providing this as a courtesy to our own customers, and to the larger WordPress community. Please contact GoDaddy directly if you have questions about the breach or about the security of your account. If you have friends or colleagues who use GoDaddy hosting, we suggest that you share this post with them to ensure they are aware of this issue.
Thank you to Wordfence Senior QA Engineer Ram Gall for his joint contributions and research to this post.