GoDaddy announced 11/23 that they had had a major security breach involving their Managed WordPress hosting. Their notice was followed by one from WordFence, the security software we put on all of the sites we do maintenance for. See the emails below.
To protect my clients and YCL, I have:
- Changed the password to log into the GoDaddy accounts themselves.
- Changed the YCL password to log into the WordPress website.
- Changed the client password to log into the WordPress site or sent a Reset Password email to each user.
Look for this email and change the passwords ASAP!
I started these changes yesterday. I will finish today.
You need to visit your site a few times over the next few weeks and check to see that the site is functioning properly and that there is no unusual activity on it. YCL will continue monitoring via WordFence.
If you used the same password for the WordPress login that you use on other accounts, YOU NEED TO CHANGE THE OTHER PASSWORDS IMMEDIATELY. The hackers will be trying to use the user names and passwords they got at banks, Facebook, Amazon, etc. to see if they can use your password to access these other accounts.
Each password at each site should be unique.
GoDaddy announcement
We are writing to inform you of a security incident impacting your GoDaddy Managed WordPress hosting service.
We recently identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of a third-party IT forensics firm and have contacted law enforcement. Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, your customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords. What this means is the unauthorized party could have obtained the ability to access your Managed WordPress service and make changes to it, including to alter your website and the content stored on it. The exposure of your email address may also present a heightened risk of phishing attacks.
We are taking several steps to protect you and your data. First, we have blocked the unauthorized third party from our systems.
Second, we have reset your WordPress Admin login credentials, sFTP password and your database password. Your website is still up and running, but you won’t be able to edit content until you reset your passwords.
Here are the instructions on how to reset each password:
• WordPress Admin Login, please visit: https://www.godaddy.com/help/a-26916.
• sFTP or data password, please visit: https://www.godaddy.com/help/a-40804.
• WordPress database password, please visit: https://www.godaddy.com/help/a-24573.
If you use the same password for other accounts, we recommend you change your password to those accounts and adopt data security best practices, such as choosing a strong unique password, regularly changing it, and enabling multi-factor authentication where available. We also recommend that you remain vigilant for potentially fraudulent communications sent to your email address purporting to be from GoDaddy or other third parties.
Finally, because the private key of your existing Managed WordPress SSL certificate was exposed, the certificate will need to be revoked. We are in the process of installing a free DV SSL certificate on your website for one year to minimize potential site downtime.
If you would like to continue using your existing SSL certificate product, please follow the directions below to rekey a new certificate: https://www.godaddy.com/help/a-4976.
If you have any other questions, or you need further assistance, please call (480) 505-8870.
For residents living in California, Colorado, Delaware, Illinois, New York, New Jersey, Oregon, Vermont, Washington, and Wyoming, please visit https://www.godaddy.com/help/a-41004 for additional resources that describe additional steps you can take to help protect your information, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.
Thank you,
Demetrius Comes
Chief Information Security Officer
WordFence Notice
GoDaddy announced this morning that they have been breached. Our team took a deep dive into the breach and found that GoDaddy appears to have stored passwords in plaintext, or in a format that could be reversed back into plaintext, which is not an industry best practice.
We confirmed this by signing into a GoDaddy Managed WordPress Hosting Account and verifying that we were able to view our own sFTP password. That means the attacker didn’t need to crack the passwords and could likely retrieve them directly.
According to GoDaddy’s own SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”
The attacker had access to GoDaddy’s systems for over two months before they were discovered.
We have published a detailed post explaining how customers are affected, and what to do. Please pay special attention to our comments regarding your own customer notification obligations, if your site(s) are affected by this.