There is an update available here: GoDaddy Breach Widens to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe

This morning, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of those websites that are affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.

According to the report filed by GoDaddy with the SEC, the attacker initially gained access via a compromised password on September 6, 2021, and was discovered on November 17, at which point their access was revoked. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.

The SEC filing indicates that the attacker had access to user email addresses and customer numbers, the original WordPress Admin password that was set at the time of provisioning, and SSL private keys. All of these could be of use to an attacker, but one item, in particular, stands out:

During the period from September 6, 2021, to November 17, 2021, the sFTP and database usernames and passwords of active customers were accessible to the attacker.

It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them. According to their SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”

GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices. We confirmed this by accessing the user interface for GoDaddy Managed Hosting and were able to view our own password, shown in the screenshot below. When using public-key authentication or salted hashes, it is not possible to view your own password like this because the hosting provider simply does not have it.

You’ll also note that the system is using port 22, the standard port for Secure File Transfer Protocol over SSH. There are several kinds of sFTP, and this confirms that they’re using sFTP via SSH, which is encrypted, and designed to be one of the most secure ways to transfer files.

We attempted to contact GoDaddy for comment and to confirm our findings, but they did not immediately respond to our requests for comment.
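The contrast the post draws, between a credential store that can hand the plaintext back and a salted one-way hash that cannot, is easy to see in code. The following is an added example written for this page, not GoDaddy's code or anything from the SEC filing: the reversible scheme is a constructed stand-in for "plaintext, or a format that could be reversed into plaintext", and the hashed scheme uses Python's standard-library PBKDF2-HMAC-SHA256 with an assumed work factor. Everything a provider keeps in the hashed model is a salt and a digest, which is why no admin UI can show a customer their own password and why a stolen store still has to be cracked rather than simply read.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration of the two storage models the post contrasts.
# Neither function is GoDaddy's implementation.


def store_reversible(password: str) -> str:
    """Weak model: any encoding, or encryption under a key the same system holds,
    can be undone by whoever can read the store. This is the property that let
    an attacker in the provisioning system read credentials without cracking."""
    return base64.b64encode(password.encode()).decode()


def recover_reversible(stored: str) -> str:
    """Shows the problem: the stored form yields the plaintext directly."""
    return base64.b64decode(stored).decode()


# Best-practice model: a per-record random salt plus a slow, one-way hash.
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Keep only salt and digest; the password itself is never written down.
    The record format 'algo$iterations$salt$digest' is a constructed convention."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    Unknown algorithm tags are rejected rather than guessed at."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    weak = store_reversible(pw)
    print("reversible store:", weak)
    print("recovered plaintext:", recover_reversible(weak))
    strong = store_hashed(pw)
    print("hashed store:", strong)
    print("verifies:", verify_hashed(pw, strong), "| wrong password:", verify_hashed("guess", strong))
```

Run as a script it prints both records side by side; the reversible one decodes straight back to the password, while the hashed one can only be checked against a supplied guess. The same reasoning applies to public-key authentication, where the server stores only the public half and has nothing password-like to display at all.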