Web registrar and hosting company GoDaddy submitted a filing to the Securities and Exchange Commission (SEC) on Monday, revealing that email addresses of up to 1.2 million Managed WordPress customers of the company had been accessed by an unauthorized third party.
GoDaddy said the breach, perpetrated by the attackers via a compromised password, was initially discovered by the company on November 17.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” Chief Information Security Officer Demetrius Comes said in a disclosure to the SEC.
According to the statement, attackers were able to access the following GoDaddy customer information as a result of the security incident:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents a risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. GoDaddy reset both passwords.
- For a subset of active customers, the SSL private key was exposed. GoDaddy is in the process of issuing and installing new certificates for those customers.
“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
– Demetrius Comes, Chief Information Security Officer at GoDaddy
GoDaddy said the company had immediately blocked the attacker, and a security investigation was still in progress.
A simple precaution against most data breaches
Geoff Bibby, the CMO of email security solutions provider Zix, notes that data breaches like this are becoming commonplace for many companies. “Organizations that handle massive amounts of customer data are increasingly being targeted by cybercriminals hoping to access the incredibly sensitive and valuable information they possess,” says Bibby.
“Organizations that handle such valuable information must ensure they are taking appropriate measures to protect their data, especially since the affected customers are now at risk of additional phishing attacks.”
For organizations that wish to prevent data breaches that result from compromised passwords, Bibby highly recommends implementing two-factor authentication (2FA). “2FA provides an extra layer of security by making users confirm their identity. Organizations should also leverage end-to-end email encryption for any messages containing confidential or personally identifiable information,” says Bibby.
“GoDaddy should also encourage customers to implement 2FA themselves and never reuse the same password on different services because if the service is compromised, attackers will try that same password for others,” he concludes.