Anatomy of a Breach: GoDaddy — 1.2 Million WordPress Customer Credentials Exposed for Months

> series: anatomy_of_a_breach —— part: 155 —— target: godaddy —— customers: 1,200,000 —— exposed: admin_passwords_ssl_keys_sftp_creds

Hedgehog Security 30 November 2021 13 min read

1.2 million WordPress sites. Admin passwords in plaintext. SSL keys exposed. For over two months.

In November 2021, GoDaddy disclosed that an unauthorised party had gained access to its Managed WordPress hosting environment through a compromised password on 6 September 2021 — and that the access had persisted for over two months before detection on 17 November. The breach affected approximately 1.2 million active and inactive Managed WordPress customers.

The exposed data was devastating in its scope: email addresses and customer numbers for all 1.2 million customers; the original WordPress Admin passwords (which GoDaddy had stored in plaintext, not hashed); sFTP and database usernames and passwords for active customers; and SSL private keys for a subset of customers. The exposure of admin passwords, database credentials, and SSL keys for over a million WordPress sites simultaneously created an enormous attack surface — any of those sites could be accessed, modified, or used to serve malware using the stolen credentials. GoDaddy subsequently linked this breach to a broader, multi-year campaign targeting its infrastructure.


GoDaddy stored WordPress admin passwords in plaintext.

Plaintext Admin Passwords

GoDaddy stored the original WordPress Admin passwords in plaintext — not hashed, not encrypted. In 2021. After thirteen years of this series documenting the consequences of poor password storage from LinkedIn (unsalted SHA-1) to Facebook (plaintext in logs). Our application testing verifies that passwords are never stored in plaintext or reversible encryption.

SSL Private Keys Exposed

SSL private keys enable attackers to impersonate the affected websites, intercept encrypted traffic, and issue fraudulent certificates. The exposure of SSL keys for customer sites required mass certificate reissuance. Our infrastructure testing assesses certificate and key management.

1.2 Million Sites as Attack Vectors

With admin passwords, database credentials, and sFTP access to 1.2 million WordPress sites, attackers could inject malware, redirect visitors, host phishing pages, or deface sites at massive scale. Each compromised site becomes an attack vector against its visitors. SOC in a Box (https://www.socinabox.co.uk) monitors for website compromise indicators.

Two Months Undetected

The breach persisted from 6 September to 17 November — over two months of undetected access to 1.2 million customer environments. SOC in a Box (https://www.socinabox.co.uk) provides the continuous monitoring that detects unauthorised access to hosting environments.
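The password-storage failure described under "Plaintext Admin Passwords" can be checked for directly in a credential store. The following is an added example, not code from the original article or from GoDaddy: it classifies stored values by their format and flags anything that is not a recognised one-way hash. The function names, verdict labels, and the (user, stored value) row layout are assumptions made for illustration, and the sample rows are constructed.

```python
import re

# (scheme, pattern, verdict). Prefixes are the public identifiers of each format.
FORMATS = [
    ("argon2", re.compile(r"\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+"), "ok"),
    ("bcrypt", re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}"), "ok"),
    # WordPress portable phpass: salted, iterated MD5. Not plaintext, but dated.
    ("phpass", re.compile(r"\$[PH]\$[./0-9A-Za-z]{31}"), "review"),
    # Bare hex digests: no salt, no work factor.
    ("unsalted-sha1", re.compile(r"[0-9a-fA-F]{40}"), "weak"),
    ("unsalted-md5", re.compile(r"[0-9a-fA-F]{32}"), "weak"),
]

def classify(stored):
    """Return (scheme, verdict) for one stored credential value."""
    for scheme, pattern, verdict in FORMATS:
        if pattern.fullmatch(stored):
            return scheme, verdict
    # Heuristic (assumption): a value that matches no known one-way hash format
    # is treated as plaintext or reversible encryption and fails the audit.
    return "plaintext-or-reversible", "fail"

def audit(rows):
    """Return a finding for every row that is not 'ok'. Never echoes the value."""
    findings = []
    for user, stored in rows:
        scheme, verdict = classify(stored)
        if verdict != "ok":
            findings.append({"user": user, "scheme": scheme, "verdict": verdict})
    return findings

# Constructed sample rows (user, stored value); none are real credentials.
SAMPLE_ROWS = [
    ("alice", "$2y$10$" + "a" * 53),   # bcrypt-shaped
    ("bob", "$P$B" + "x" * 30),        # phpass-shaped
    ("carol", "a" * 40),               # bare 40-hex digest
    ("dave", "Summer2021!"),           # plaintext
    ("erin", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

The check is format-based, so a plaintext password that happens to be 32 or 40 hex characters would be reported as an unsalted digest rather than as plaintext; either result is a finding.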

Your hosting provider stores your credentials. Are they storing them properly?

The GoDaddy breach demonstrated that hosting providers hold the keys to their customers' kingdoms — admin passwords, database credentials, SSL certificates — and that the provider's own security practices directly determine whether those keys are protected or exposed. For UK organisations using managed WordPress hosting or any hosting provider, the provider's credential storage, access controls, and monitoring capabilities must be evaluated.

Cyber Essentials addresses hosting security requirements. Our web application testing assesses WordPress security and credential management. Infrastructure testing evaluates hosting environment security. SOC in a Box monitors for website compromise. And UK Cyber Defence provides incident response when hosting provider breaches affect your sites.


GoDaddy stored 1.2 million admin passwords in plaintext. How does your hosting provider store yours?

Our application testing assesses WordPress and hosting security. Cyber Essentials mandates credential security. SOC in a Box (https://www.socinabox.co.uk) monitors for site compromise.
