On May 4, 2020, GoDaddy disclosed that the credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an attacker.

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

What Should You Do?

If you have been impacted by this breach and have not already been notified by GoDaddy, you will likely be notified in the near future.

GoDaddy indicates that they have updated the account passwords and removed the attacker’s public key. While this should prevent the attacker from accessing impacted sites via SSH, we strongly recommend changing your site’s database password, as this could have easily been compromised by an attacker without modifying the account.

Compromised database credentials could be used to gain control of a WordPress site if remote database connections are enabled, which GoDaddy allows on many of its hosting accounts. You may also wish to check your site for unauthorized administrative users, as these could have been created without modifying any files on the site.

Remain Vigilant

Breaches like this can create a prime target for attackers who use phishing campaigns as a means to infect users.

Although only 28,000 hosting accounts appear to have been affected, it is estimated that millions of sites are hosted by GoDaddy. This means that there are millions of users out there who might be worried that they will receive a notification that their hosting account has been breached.

The likelihood of a phishing campaign targeting GoDaddy users is high.

We recommend that, under these conditions, GoDaddy customers take care when clicking on links or taking any action requested in an email, so that they don’t end up victims of a phishing attack.

Here are a few key things you can check to see if you are the target of a phishing attack:

  • Check the email header. If the source of the email does not come from a registered GoDaddy domain, then it most likely did not come from GoDaddy and is an attempt at phishing.
  • Look for a large number of typos or misspellings in the email content itself. This can indicate the presence of an attacker. Professional emails will contain minimal typos or misspellings, if any.
  • Watch for modified verbiage used to scare you into providing personal information. GoDaddy’s security incident disclosure email should not appear to scare you or ask you to provide any information. It should simply inform you that you may have been impacted by a breach. If you receive an email that appears to be scaring you into providing information, then it may be a phishing attempt.
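
The header check from the first item above can be scripted against a saved raw message. The following is an added Python example, not code from Wordfence or GoDaddy; the `TRUSTED_DOMAINS` list, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains you expect GoDaddy notices to come from. Confirm this
# list against mail you have already verified; it is not taken from the post.
TRUSTED_DOMAINS = {"godaddy.com"}

def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a real subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def addr_domain(header_value):
    """Domain of the address in a From or Return-Path header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_headers(raw):
    """Return the reasons a raw message's headers look suspicious."""
    msg = message_from_string(raw)
    findings = []
    for name in ("From", "Return-Path"):
        dom = addr_domain(msg.get(name))
        if not is_trusted(dom):
            findings.append(f"{name} domain not trusted: {dom or '(none)'}")
    # Only trust Authentication-Results stamped by your own mail provider;
    # a sender can put a forged copy in the message.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech} result: {results.get(mech, 'missing')}")
    return findings

# Constructed sample messages (not real GoDaddy mail).
LEGIT = ("From: GoDaddy <notice@godaddy.com>\n"
         "Return-Path: <bounce@godaddy.com>\n"
         "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
         "Subject: Security notice\n\nBody\n")
PHISH = ("From: GoDaddy Support <security@godaddy.com.account-alerts.example>\n"
         "Return-Path: <bounce@account-alerts.example>\n"
         "Authentication-Results: mx.example.net; spf=pass; dkim=none; dmarc=fail\n"
         "Subject: URGENT: verify your account\n\nBody\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, check_headers(raw))
```

The second sample shows why a substring match on "godaddy.com" is not enough: the sender's registered domain is the rightmost part of the address, and an SPF pass for the attacker's own domain says nothing about GoDaddy.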

If you cannot verify the source of an email or its legitimacy, it is best to go directly to the GoDaddy site and contact them via their standard support channels. This will allow you to verify that your account is secure.

This was a public service announcement by the Wordfence Threat Intelligence team. They are providing this as a courtesy to their customers, and to the larger WordPress community.

Please contact GoDaddy directly if you have questions about the breach or about the security of your account. If you have friends or colleagues who use GoDaddy hosting, we suggest that you share this post with them to ensure they are aware of this issue.

This entry was posted in WordPress Security on May 5, 2020 by Chloe Chamberland