Popular web hosting and domain registration company GoDaddy has just come clean about a data breach it suffered back in September which could affect up to 1.2 million accounts.
GoDaddy itself announced the breach yesterday as part of a regulatory filing to the Securities and Exchange Commission, the US equivalent of the Information Commissioner’s Office, to which UK businesses would have to report any similar breach. In the filing GoDaddy revealed that its systems were first breached as far back as 6th September 2021, but the breach wasn’t discovered until 17th November.
How did the breach happen?
GoDaddy has revealed that an unauthorised person used a stolen password to gain access to their systems, an action which was not immediately noticed. GoDaddy says it has reset the relevant credentials and is still investigating the incident.
What data has been exposed?
The breach is centred on GoDaddy customers using WordPress to build or manage their websites via GoDaddy web hosting. This is thought to account for up to 1.2 million people and includes customer email addresses, account numbers and passwords.
How serious is this for businesses using GoDaddy?
Potentially very serious, especially if your business website is run on WordPress via GoDaddy web hosting. For cybercriminals in receipt of the email address, account number and password for a GoDaddy hosting account, it is then a relatively simple task to gain access to both the website and the email accounts and use them either to defraud your business or to launch convincing phishing attacks on your customers.
Although data being “exposed” doesn’t necessarily mean the data has been stolen, the long gap between breach and detection would allow the hackers ample time to fill their boots.
Am I affected?
Unless you have an account with GoDaddy you are likely not affected.
However, with such a large breach of critical account information, a likely effect for everyone is an increase in phishing attacks coming from compromised accounts. These could take the form of very convincing brand and domain impersonation attacks which, because they come directly from accounts you would ordinarily trust, can evade basic cybersecurity tools, and be very convincing to the end users.
If you don’t have phishing and ransomware specific protection, now might be a good time to upgrade.
I think I might be affected. What should I do next?
Regardless of whether you use their web hosting platform or not, if you have a GoDaddy account you should:
- Immediately change your account password.
- Apply Multi-Factor Authentication to your GoDaddy account.
If you do use GoDaddy for either web or email hosting you should:
- Check outgoing email for emails not sent by you.
- Check you can still gain access to your WordPress back office.
- If you can, change the password for your top-level Admin accounts and apply MFA.
- Check activity on your website for changes since 6th September that you did not make, especially to WordPress plugins.
- Consider applying a cloud firewall for your website, which can help minimise the effects of any breach.
If you are at all concerned that you have been breached and are not yourself an experienced web developer, consider engaging a reputable WordPress specialist to help you to investigate.
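One way to carry out the “changes since 6th September” check on a GoDaddy-hosted WordPress site, as an added example that is not GoDaddy’s or WordPress’s own tooling: it lists plugin files modified since the breach start date and diffs a saved SHA-256 manifest against the current plugin tree. It assumes GNU find and coreutils and a hypothetical WordPress root path; the sample install it builds is constructed data.

```shell
#!/bin/sh
# Added example, not GoDaddy's or WordPress's own tooling. Post-breach
# integrity check for a WordPress plugins directory: list files modified since
# the breach start date and compare a saved SHA-256 manifest with the current
# tree. Assumes GNU find/coreutils (find -newermt, sha256sum, touch -d).
BREACH_START="2021-09-06"   # date GoDaddy's filing gives for the first intrusion

# Files under wp-content/plugins modified on or after $since. mtime is only a
# hint (an intruder can reset timestamps), so pair it with the manifest diff.
changed_since() {
    root="$1"; since="${2:-$BREACH_START}"
    find "$root/wp-content/plugins" -type f -newermt "$since" | sort
}

# SHA-256 manifest of every plugin file (relative paths, sorted for diffing).
manifest() {
    ( cd "$1/wp-content/plugins" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Print lines that differ between a saved manifest and the current tree
# ('<' = baseline only, '>' = current only). Returns 1 if anything differs.
manifest_diff() {
    old="$1"; root="$2"; cur=$(mktemp)
    manifest "$root" > "$cur"
    if diff "$old" "$cur" | grep '^[<>]'; then rm -f "$cur"; return 1; fi
    rm -f "$cur"; return 0
}

# Constructed sample install (not real data): one plugin file dated before the
# breach window and one dated after it. Prints the install's root path.
build_sample_tree() {
    root=$(mktemp -d)
    dir="$root/wp-content/plugins/example-plugin"
    mkdir -p "$dir"
    echo '<?php // present before the breach' > "$dir/plugin.php"
    touch -d "2021-08-01" "$dir/plugin.php"
    echo '<?php // appeared after the breach started' > "$dir/extra.php"
    touch -d "2021-10-01" "$dir/extra.php"
    printf '%s\n' "$root"
}

# Stand-alone demo (run with the argument "demo"): build the sample tree, then
# report which plugin files changed since 6th September.
if [ "${1:-}" = "demo" ]; then
    ROOT=$(build_sample_tree)
    echo "Files modified since $BREACH_START:"; changed_since "$ROOT"
fi
```

Save a manifest straight after you have cleaned up and reset passwords (`manifest /path/to/wordpress > baseline.txt`) and re-run `manifest_diff baseline.txt /path/to/wordpress` periodically; any plugin file you did not add or update yourself is reason to involve a WordPress specialist.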
What can we learn from this incident?
At this point we don’t know if this data was actually stolen, just that it was exposed. GoDaddy has engaged a private IT forensics team and will presumably report back in due course.
For such a large amount of data to be potentially exposed, the stolen credentials must have been at administrator level or carried some admin privileges. Gaining admin credentials is the holy grail for hackers, so all businesses should be extra cautious and extra vigilant about how they grant and monitor user access.
Businesses should be asking themselves:
- Do I know who has admin privileges for every one of our systems, right now?
- How many people in my organisation can grant admin rights, and how are they monitored?
- Do our admin privileges automatically expire, or have a regular review date?
- Do we grant privileges based on the Principle of Least Privilege? (https://www.beyondtrust.com/blog/entry/what-is-least-privilege)
- Are our current cybersecurity tools sufficient to protect us from increasingly sophisticated phishing?
- Do we train our teams sufficiently to spot and report potential phishing attacks?
- Do we check whether our accounts are being traded on the Dark Web, using a Dark Web scanning service?
If you or your management team can’t provide the answers to these questions, you may need help in bringing your business cybersecurity up to scratch.
Our consultants can help. Get in touch to schedule your cybersecurity review.
For UK businesses, gaining Cyber Essentials accreditation is a good way to systematically address the issues highlighted above.