On November 22nd the SEC was informed by GoDaddy that an unauthorized third party was able to gain access to GoDaddy’s managed WordPress hosting. According to an SEC archive, the hack happened on Nov. 17th.
The SEC archive stated the following:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
The investigation is ongoing, and this isn’t the first time GoDaddy has been compromised in recent years. In 2018 an AWS error leaked data from GoDaddy, and in 2020 a user was able to get access to over 20 thousand accounts. GoDaddy was also social-engineered into helping hackers attack cryptocurrency services in 2020. This seems to be the season for data breaches, as in the past month we’ve already reported on the Robinhood data breach and the FBI data breach.
GoDaddy has said they take data very seriously, yet this has been a third major hack at the company in the past 5 years. It makes you think about just how seriously they take their users’ security. We here at NoFaceTech used to use GoDaddy on other projects but have since switched due to all the evilness that has been going around within GoDaddy lately. We hope this will make users want to switch, as we do not condone GoDaddy. In fact, we highly recommend Namecheap. Not sponsored in any way, but we love Namecheap and would recommend them to anyone interested in purchasing domain names and hosting.