GoDaddy, a major US-based domain registrar and web hosting company, announced on Monday, November 22, 2021, that on November 17 it had discovered an ongoing data breach exposing the data of 1.2 million active and inactive Managed WordPress customers.
According to GoDaddy, the breached data includes the email addresses and customer numbers associated with the WordPress accounts; the default WordPress admin passwords set when each account was first provisioned; and SFTP and database usernames and passwords. SSL keys belonging to a subset of the 1.2 million affected customers were also exposed, GoDaddy said in a regulatory statement filed with the Securities and Exchange Commission.
GoDaddy’s biggest concern with its latest breach is the potential for attackers to use the SSL credentials to impersonate domains belonging to legitimate companies for the purpose of credential theft or malware distribution. Attackers also could potentially use the keys to hijack a domain name and attempt to extort a ransom for its return.
GoDaddy mentioned that further investigation is ongoing and that all impacted customers will be contacted directly with specific details.
GoDaddy security chief Demetrius Comes said the company is taking steps to strengthen its provisioning system with additional layers of protection.
- Is this the first time GoDaddy Data has been breached?
This is not the first time GoDaddy has notified customers of a data breach. Back in May 2020, the company confirmed an incident that exposed web hosting account credentials.
- How do I prevent my user account and the hosting data from getting hacked?
In my honest opinion, no computer system is flawless or ‘unhackable’, but prevention is always better than cure. Below are some of the steps you may take to further strengthen your web hosting account:
- Always change the default passwords that were set when your hosting account was first provisioned.
- Avoid usernames like admin, administrator, etc. for your WordPress or any other CMS account. These usernames are common and can be guessed by anyone.
- According to Google, 24% of Americans use simple words like “password,” “Qwerty” or “123456” as passwords. Such passwords are easily guessed. Instead, use strong passwords of 16 or more characters that combine upper- and lower-case letters with numbers and symbols, e.g. jp9!zW45bY=.vcHD.
Use a password generator like https://passwordsgenerator.net/ if you aren’t sure about the strength of your password.
- Store your credentials in a reputable password manager such as Google Passwords (https://passwords.google.com/). It’s free and automatically checks the passwords saved to your Google Account and notifies you when one is weak or compromised.
- Avoid reusing a password on more than one website. A breach of any one of those websites exposes the shared password everywhere you used it.
- As a web admin, ensure that your website has a valid SSL certificate and that visitors are forcibly redirected to the HTTPS version.
- GoDaddy website administrators should immediately revoke their existing SSL certificates and replace them with fresh certificates issued for a newly generated private key, since reissuing a certificate for the same exposed key gains nothing. Certificate revocation itself is quick; compromised keys typically need to be replaced within 24 hours to five days.
- Most SSL certificates are valid for a year or more, so if a key is compromised halfway through the certificate’s life, the attackers are left with more than six months of valid certificate. Therefore, consider using short-lived SSL certificates such as Let's Encrypt, which are valid for 90 days only and are renewed automatically. You may even reduce the validity to 30 days, leaving attackers a shorter window in which to craft a sophisticated attack with a compromised certificate.
- Managed WordPress Hosting is a streamlined, optimized hosting solution for building and managing WordPress sites. However, consider hosting your website on Google Cloud or Amazon AWS, which offer many advanced features for keeping your website protected.
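The two certificate tips above (replace certificates that may use an exposed key, and prefer short lifetimes) can be checked from the outside. The following added example is not part of the original post or any GoDaddy tooling: it takes a certificate in the shape Python's `ssl.SSLSocket.getpeercert()` returns, flags one whose `notBefore` predates the November 17, 2021 discovery date (it may still use a key that was exposed), and reports whether its lifetime is within the 90-day Let's Encrypt benchmark. The two sample certificates and the `fetch_cert` helper are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Date the breach was discovered, from the article; a certificate issued
# before this date may have been exposed together with its private key.
BREACH_DISCOVERED = datetime(2021, 11, 17, tzinfo=timezone.utc)
# Lifetime the article uses as its short-lived benchmark (Let's Encrypt).
MAX_LIFETIME_DAYS = 90

# Constructed sample certificates (only the date fields matter here).
STALE_CERT = {   # one-year certificate issued months before the breach
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Mar 10 00:00:00 2021 GMT",
    "notAfter": "Mar 10 00:00:00 2022 GMT",
}
ROTATED_CERT = {  # 90-day certificate issued after the disclosure
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Nov 23 00:00:00 2021 GMT",
    "notAfter": "Feb 21 00:00:00 2022 GMT",
}


def assess_cert(cert: dict) -> dict:
    """Evaluate a getpeercert()-style dict against the rotation advice.

    A notBefore after the discovery date is necessary but not sufficient:
    the private key itself must also have been regenerated, which cannot
    be seen from the outside."""
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    lifetime_days = (not_after - not_before).days
    issued_after_breach = not_before >= BREACH_DISCOVERED
    short_lived = lifetime_days <= MAX_LIFETIME_DAYS
    return {
        "lifetime_days": lifetime_days,
        "issued_after_breach": issued_after_breach,
        "short_lived": short_lived,
        # Either condition failing means the certificate deserves attention.
        "needs_rotation": not (issued_after_breach and short_lived),
    }


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Fetch the certificate a live server presents (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, cert in (("stale", STALE_CERT), ("rotated", ROTATED_CERT)):
        print(name, assess_cert(cert))
```

Replace the sample dicts with `fetch_cert("your-domain")` to check a site you administer; the verdict only covers the certificate dates, so confirm separately that the key pair was regenerated.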