This morning, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of those websites that are affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.
According to the report filed by GoDaddy with the SEC, the attacker initially gained access via a compromised password on September 6, 2021, and was discovered on November 17, 2021, at which point their access was revoked. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.
It appears that GoDaddy was storing SFTP credentials as plaintext, rather than storing a salted hash of each password or using public key authentication, both of which are considered industry best practices. This allowed an attacker direct access to password credentials without the need to crack them.
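To make the difference concrete, here is an added example (not code from GoDaddy or from the original post) that stores the same credential once as plaintext and once as a salted hash, then checks what a read of each stored record reveals. The user name, password, function names and the PBKDF2 iteration count are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential; not taken from the incident.
SAMPLE_USER = "site-owner"
SAMPLE_PASSWORD = "correct horse battery staple"

# PBKDF2-HMAC-SHA256 work factor (assumed value; tune to your hardware).
ITERATIONS = 600_000


def store_plaintext(db, user, password):
    """Weak pattern: the stored record is the password itself."""
    db[user] = password


def store_hashed(db, user, password):
    """Hardened pattern: store a per-user random salt and the derived digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = (salt, digest)


def verify_hashed(db, user, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    record = db.get(user)
    if record is None:
        return False
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def record_exposes_password(record, password):
    """True if reading the stored record reveals the password directly."""
    blob = record.encode() if isinstance(record, str) else b"".join(record)
    return password.encode() in blob


if __name__ == "__main__":
    weak, strong = {}, {}
    store_plaintext(weak, SAMPLE_USER, SAMPLE_PASSWORD)
    store_hashed(strong, SAMPLE_USER, SAMPLE_PASSWORD)
    print("plaintext record exposes password:",
          record_exposes_password(weak[SAMPLE_USER], SAMPLE_PASSWORD))
    print("hashed record exposes password:",
          record_exposes_password(strong[SAMPLE_USER], SAMPLE_PASSWORD))
    print("login against hashed store still works:",
          verify_hashed(strong, SAMPLE_USER, SAMPLE_PASSWORD))
```

Because each record gets its own random salt, two accounts with the same password produce different digests, so one recovered password does not identify every other account that shares it.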
We attempted to contact GoDaddy for comment and to confirm our findings, but they did