WordPress is used by nearly 42% of all websites, so any security flaw affecting WordPress is a major issue. Now GoDaddy, the world’s largest web hosting company, hosting millions more sites than its competitors, has reported a data breach affecting 1.2 million of its WordPress customers.
Demetrius Comes, GoDaddy’s chief information security officer (CISO), disclosed in a Securities and Exchange Commission (SEC) filing that the company had found unauthorized access to its managed WordPress servers. The intrusion, which began on September 6, 2021, exposed 1.2 million active and inactive managed WordPress accounts.
Customers’ email addresses and phone numbers were both exposed. As a result, GoDaddy cautions customers that this exposure may increase their risk of phishing attacks. The initial WordPress admin password, set when WordPress was first installed, was also exposed. If that password was never changed, whoever held it could have had access to the site for months.
Moreover, active clients’ sFTP and database usernames and passwords were also exposed. GoDaddy has reset both of these passwords. Finally, the private key for certain active clients’ Secure Sockets Layer (SSL) certificates was revealed. For those customers, GoDaddy is now reissuing and installing new certificates.
According to a report from WordFence, GoDaddy may have been keeping sFTP passwords in plaintext, or in a format that can be reversed into plaintext, instead of using a salted hash or a public key, both of which are regarded as industry best practice for sFTP. An attacker who obtains such a store has immediate access to working credentials without having to crack anything.
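To make the WordFence point concrete, here is an added example (not GoDaddy’s, WordFence’s or WordPress’s code) of the difference between a plaintext credential store and a salted-hash store. It models a constructed sFTP credential table, migrates it to per-user salted PBKDF2-HMAC-SHA256 records, and shows how verification works against those records. The record format, the iteration count and the helper names are this example’s own choices, not anything from the article.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumptions for this illustration (not values from the article):
# - PBKDF2-HMAC-SHA256 with a high iteration count is used as the slow hash.
# - Each record is self-describing so the parameters can be rotated later.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'.

    A fresh random salt per password means two users with the same
    password get different records, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        RECORD_ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != RECORD_ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def is_hashed_record(value: str) -> bool:
    """Audit helper: does a stored value look like one of our hashed records?

    Anything else (a bare password, a reversible encoding) is treated as
    plaintext-equivalent, which is exactly what a leak would hand an attacker.
    """
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == RECORD_ALGO and parts[1].isdigit()


def migrate_store(legacy: Dict[str, str]) -> Dict[str, str]:
    """Replace plaintext values with salted-hash records; leave hashed ones alone."""
    return {user: (pw if is_hashed_record(pw) else hash_password(pw))
            for user, pw in legacy.items()}


def count_plaintext(store: Dict[str, str]) -> int:
    """Number of accounts whose stored value is directly usable by an attacker."""
    return sum(1 for v in store.values() if not is_hashed_record(v))


if __name__ == "__main__":
    # Constructed sample: what a leaked plaintext sFTP table looks like.
    legacy_store = {"site-alpha": "Tr0ub4dor&3", "site-beta": "Tr0ub4dor&3"}
    print("plaintext accounts before migration:", count_plaintext(legacy_store))
    hashed_store = migrate_store(legacy_store)
    print("plaintext accounts after migration:", count_plaintext(hashed_store))
    # Same password, different salts, different records.
    print(hashed_store["site-alpha"] != hashed_store["site-beta"])
    print(verify_password("Tr0ub4dor&3", hashed_store["site-alpha"]))
```

The `migrate_store` function is the shape of the fix a hosting provider would apply to a store like the one WordFence describes: after migration a leaked table yields only salts and slow hashes, so an attacker must guess each password offline instead of logging in with it directly.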
GoDaddy says its investigation is still underway. The company is contacting all affected customers individually with specific details, and customers can also reach it through GoDaddy’s help center. This is the only information GoDaddy has made public about the incident so far.