Skip links

SSL keys, sFTP passwords and more exposed after someone broke into GoDaddy Managed WordPress using ‘compromised password’

GoDaddy has admitted to America’s financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys.

In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an “unauthorized third-party” had been roaming around part of its Managed WordPress service, which essentially stores and hosts people’s websites.

GoDaddy’s chief information security officer Demetrius Comes said his company “immediately began an investigation with the help of an IT forensics firm and contacted law enforcement.”

Those infosec sleuths, we’re told, found evidence that an intruder had been inside part of GoDaddy’s website provisioning system, described by Comes as a “legacy code base,” since September 6, gaining access using a “compromised password.”

The miscreant was able to view up to 1.2 million customer email addresses and customer ID numbers, and the administrative passwords generated for WordPress instances when they were provisioned. Any such passwords unchanged since the break-in have been reset.

According to GoDaddy, the sFTP and database usernames and passwords of active user accounts were accessible, too, and these have been reset as well.

“For a subset of active customers, the SSL private key was exposed,” Comes added. “We are in the process of issuing and installing new certificates for those customers.” GoDaddy has not responded to a request for further details and exact numbers of users affected.

“We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection,” the exec added.

GoDaddy’s not exactly earning A+ grades so far. Last year it admitted to losing the SSH usernames and passwords for around 28,000 users.

Comes didn’t say if any data had actually been exfiltrated from GoDaddy’s servers, though did warn that the pairing of “email addresses and customer numbers” puts customers at risk of phishing. Now would be a good time for GoDaddy users to be on alert for suspicious emails asking them to log in to, say, confirm their details: if in doubt, go straight to the GoDaddy website. ®