Several GoDaddy brands impacted in recent data breach

Pierluigi Paganini November 25, 2021

Recently disclosed data breach impacted several of its brands, including Domain Factory, Heart Internet, Host Europe, Media Temple, tsoHost and 123Reg.

Recently GoDaddy has disclosed a data breach that impacted up to 1.2 million of its customers, threat actors breached the company’s Managed WordPress hosting environment.

Threat actors compromised the company network since at least September 6, 2021, but the security breach was only discovered by the company on November 17.

The intruders used a compromised password to access the provisioning system in the company’s legacy code base for Managed WordPress. The initial investigation revealed that attackers exploited a vulnerability to gain access to the following customer information:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords
  • For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
  • For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

Once identifying the intrusion, the company immediately locked the unauthorized third party out of its system.

Now the web hosting giant announced that the security breach impacted several of its brands, including 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost.

The company discovered that threat actors also accessed WordPress admin passwords, sFTP and database credentials, and SSL private keys.

Now researchers from WordPress security company WordFence announced to have received confirmation from GoDaddy that multiple brands that resell GoDaddy Managed WordPress have been impacted by the security breach Impacted brands are:

The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident.” said Dan Rice, VP of Corporate Communications at GoDaddy, “No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.

Godaddy data breach
Source Wordfence

“Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, your customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords,” states the above data breach notification letters sent to the impacted customers. “What this means is the unauthorized party could have obtained the ability to access your Managed WordPress service and make changes to it, including to alter your website and the content stored on it.”

In response to the incident, the company reset credentials and forced a password reset for websites users.

This isn’t the first data breach suffered by GoDaddy, in May 2020 the company revealed attackers have compromised users’ web hosting account credentials. The hosting provider submitted a data breach notice with the California Attorney General and revealed that the intrusion took place in October 2019.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GoDaddy)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment