28,000 GoDaddy Hosting Accounts Compromised

This is a public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.

SSH, which is very secure when configured correctly, allows logins either with a username and password or with a username and a public/private key pair. In this breach, it appears likely that the attacker placed their own public key on the affected accounts so that they could keep access even if the account password was later changed.

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

The breach itself appears to have occurred on October 19, 2019.

What should I do?

Immediate Action

If you have been impacted by this breach and have not already been notified by GoDaddy, you will likely be notified in the near future.

GoDaddy indicates that they have updated the account passwords and removed the attacker’s public key. While this should prevent the attacker from accessing impacted sites via SSH, we strongly recommend changing your site’s database password as well, since an attacker with SSH access could easily have read it without modifying anything on the account.

Compromised database credentials could be used to gain control of a WordPress site if remote database connections are enabled, which GoDaddy allows on many of its hosting accounts. You may also wish to check your site for unauthorized administrative users, as these could have been created without modifying any files on the site.
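As an added illustration of the persistence mechanism described above and the post-breach checks recommended here (this is example code, not Wordfence's or GoDaddy's), the following Python audits an `authorized_keys` file: it fingerprints every key the way `ssh-keygen -lf` does and reports any key that is not on an allow-list you maintain. The sample file and both keys are constructed for the example.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")  # extend as needed

def ssh_blob(key_type, *fields):
    """Base64 of an SSH wire-format public key blob (length-prefixed strings, RFC 4253)."""
    out = b""
    for field in (key_type.encode(),) + fields:
        out += len(field).to_bytes(4, "big") + field
    return base64.b64encode(out).decode()

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (options, key_type, blob_b64, comment) for every key line in the file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        # Any options (e.g. command="...",no-pty) precede the key type token.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd ignores these as well
        yield ",".join(tokens[:idx]), tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])

def audit(text, allowed_fingerprints):
    """Return every key whose fingerprint is not on the operator's allow-list."""
    unknown = []
    for options, key_type, blob_b64, comment in parse_authorized_keys(text):
        fp = fingerprint(blob_b64)
        if fp not in allowed_fingerprints:
            unknown.append({"type": key_type, "fingerprint": fp,
                            "comment": comment, "options": options})
    return unknown

# Constructed sample: one key the operator recognises and one nobody added on purpose.
KNOWN_KEY = ssh_blob("ssh-ed25519", b"\x01" * 32)
ROGUE_KEY = ssh_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE_AUTHORIZED_KEYS = f"""# operator laptop
ssh-ed25519 {KNOWN_KEY} admin@laptop
command="/usr/bin/true",no-pty ssh-ed25519 {ROGUE_KEY} backup
"""
ALLOWED = {fingerprint(KNOWN_KEY)}
```

Run `audit(open("~/.ssh/authorized_keys").read(), ALLOWED)` with the expanded path and your own fingerprint set; any hit is a key to remove and a reason to rotate credentials.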

Remain Vigilant

Breaches like this make the affected provider’s customers a prime target for attackers who use phishing campaigns to infect users.

Phishing, by general definition, is an attack whereby an attacker will create an email that appears to come from a legitimate source, but is intended to obtain sensitive information from an unsuspecting user. Although only 28,000 hosting accounts appear to have been affected, it is estimated that millions of sites are hosted by GoDaddy. This means that there are millions of users out there who might be worried that they will receive a notification that their hosting account has been breached.

Therefore the likelihood of a phishing campaign targeting GoDaddy users is high. We recommend that under these conditions, GoDaddy customers take care when clicking on links or executing any actions in an email to ensure that they don’t end up as the victim of a phishing attack.

There are a few key things you can check to see if you are the target of a phishing attack:

  • Check the email header. If the source of the email does not come from a registered GoDaddy domain, then it most likely did not come from GoDaddy and is an attempt at phishing.
  • Look for a large number of typos or misspellings in the email content itself. This can indicate the presence of an attacker. Professional emails will contain minimal typos or misspellings, if any.
  • Language designed to scare you into providing personal information. GoDaddy’s security incident disclosure email should not try to scare you or ask you to provide any information. It should simply inform you that you may have been impacted by a breach. If you receive an email that appears to be scaring you into providing information, then it may be a phishing attempt.

If you cannot verify the source of an email or its legitimacy, it is best to go directly to the GoDaddy site and contact them via their standard support channels. This will allow you to verify that your account is secure.
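The first and third checks above can be automated for a mailbox triage script. The Python below is an added example, not Wordfence's code: it parses one raw message, flags a From: address outside a trusted-domain set, and flags any HTML link whose visible text names a different host than its href. The trusted-domain set and the sample message are assumptions constructed for the example.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the domains you accept as genuine senders; GoDaddy publishes no such list here.
TRUSTED_DOMAINS = {"godaddy.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_trusted(domain):
    """True if the domain is a trusted domain or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def host_of(text):
    """Host named by a URL or bare domain in link text; '' when the text is not URL-like."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host if "." in host else ""

def check_message(raw):
    """Return the red flags found in one raw RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_trusted(sender):
        flags.append(f"From: address is @{sender}, not a trusted domain")
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    # Visible link text that names one host while the href goes to another.
    for href, text in ANCHOR_RE.findall(html):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        target = (urlparse(href).hostname or "").lower()
        if shown and shown != target:
            flags.append(f"link text shows {shown} but points to {target}")
    return flags

# Constructed sample message (not a real GoDaddy or phishing email).
SAMPLE = """\
From: GoDaddy Support <security@godaddy-alerts.example>
Subject: Action required: verify your hosting account
Content-Type: text/html; charset="utf-8"

<p>Verify your account within 24 hours to avoid suspension:</p>
<a href="http://account-verify.example/login">https://www.godaddy.com/login</a>
"""
```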

This is a public service announcement by the Wordfence Threat Intelligence team. We are providing this as a courtesy to our own customers, and to the larger WordPress community. Please contact GoDaddy directly if you have questions about the breach or about the security of your account. If you have friends or colleagues who use GoDaddy hosting, we suggest that you share this post with them to ensure they are aware of this issue.

Thank you to Wordfence Senior QA Engineer Ram Gall for his joint contributions and research to this post.

29 Comments
  • We've seen an uptick in GoDaddy phishing spam for a couple months, likely as a result of data from this breach being sold on the internet. They are usually of the form "Your service has been canceled", "please verify your account" or fake renewal warnings with malicious links. Great advice from the Wordfence team. Be careful people.

  • Yep, one of my clients was one of them...sad. GoDaddy has been around long enough to know how to prevent that...28K accounts? How does this happen?

    • Hi Donna,

      There's currently not enough information available to determine the cause of the incident so we'll refrain from conjecture with regards to this particular case, but we'll keep this article updated in case we're able to find out more. We do know that in many cases breaches are the result of credential stuffing - that is, usernames and passwords from other breaches being usable on multiple sites. As such we strongly recommend using a password manager and a unique password for each site you use.

  • Wow, six months before it was discovered!

    • These are exactly my sentiments also.
      28,000 accounts affected back in October 2019, and it was only identified 6 months later!
      Shocking!

  • Just wanted to give you guys a heads up that you're doing great.

  • It was right that I moved my website to another host a few days ago, otherwise my hosting could also have been hacked. 🙂

  • Hello, Wordfence team.

    Thanks for the PSA.

    Is it possible this might also affect people using ManageWP which is owned by GoDaddy?

    Thanks for the good work.

    • Hi Karl,

      This should not affect any users of ManageWP. From GoDaddy's given statements, this only affected hosting accounts.

  • I've experienced so many attacks from GoDaddy servers over the past few months that I've had no option but to block all IP addresses from GoDaddy servers. I've attempted to send GoDaddy all of the attack information and to date I've never received a response from GoDaddy. So no other option but to block ALL IP addresses from the company.

  • The most important sign of a phishing email is that whatever link you're supposed to click in order to "log in" doesn't belong to the real domain you might expect. Note that if you're viewing your email as html then the text layer may show one URL, but the underlying link may point to a different address.

  • Wow, six months before it was discovered!

  • I support 5 websites for one client and 1 each for 3 other clients all running on GoDaddy shared servers. Apparently GoDaddy only allows you to turn off TLS 1.1 if you are on a VPS -- whereas, I believe Dreamhost and Hostgator (probably among others) do not even allow you to turn TLS 1.1 on (unless you are on a VPS). My understanding is that TLS 1.1 is not secure anymore. Are the TLS 1.1 vulnerabilities possible vectors for this type of hosting account compromise?

    • Hi Glenn,

      Unfortunately, at this point there is very little information available to help us determine what caused this compromise. However, based on the information we do have, I do not believe that any vulnerabilities in TLS 1.1 were a possible vector for this compromise.

  • Please can you confirm if Cloudways is affected. I use their hosting service and I have been under attack recently....

    Though they have been helpful in resolving some of the issues... I guess not all is being revealed to me...

    Thanks for your plugin Wordfence... it has really helped...

    • Hi Opeyemi,

      Sites hosted by Cloudways are not affected by this compromise, only GoDaddy hosting accounts were affected.

  • Hi
    Thanks for the information. My 2 sites are hosted at GoDaddy business plan. After reading this post I did update the database passwords for the sites and noticed that the SSH was open. I wasn't able to disable it and contacted support to do this for me but apparently, they weren't able to do it either but told me not to worry that they have it under control. Would you say that this is normal?

    • Hi Fatima! While we can't be sure of the technical parameters of your precise hosting account with GoDaddy, it should be feasible to have SSH turned off on your account. We might suggest having that issue escalated if you don't use SSH, and at the very least ensure you have a very strong password on that account.

  • I am using ManageWP and I guess mine's not affected. Still it's a good reminder to stay vigilant. Your months and years of hard work to vanish just like that... well, that's just sad.

  • Chloe,

    You are, of course, right about the presence of typos in scam emails that should warn us.

    However, I read somewhere that the typos are actually intentional to draw in the more gullible and keep the more aware people away. I.e., if a skeptical person started the process by clicking and engaging the scammer they would soon enough pick up on the scam. But the more gullible would continue on. So the typos are a way of narrowing the market so the scammers don't waste their time on the skeptical.

    Reverse scam or scam baiting campaigns are fighting back as evidenced in this article - https://www.theverge.com/2017/11/10/16632724/scam-chatbot-ai-email-rescam-netsafe. Their aim is to keep the scammers and telemarketers tied up so they can't dupe victims.

    • Hi Jan,

      Thank you for providing us with your insight! It's true that typos in phishing campaigns can be intentional, while others are simply due to attackers crafting phishing emails in a non-native language. Regardless, the presence of these typos is always a clear red flag.

  • GoDaddy doesn't have an email address for customer support. You can only contact them by telephone. I have seen my account details changed to an African address.

  • People should also check and compare files. Compare the files backed-up before October 2019 with current files. They should check the newly created files and changed files created after Oct-19 for malicious code.

    • Hi Nikunj, good point! Checking file integrity is a great way to determine if there has been any malicious file changes on a system.

  • Security matters could be better

  • Hi, if one were to start a new WP website today (blog/forum-type), what are the most recommended security settings to have, to avoid being hacked? (Particularly with GoDaddy domains, but I'm sure other people will be interested to know for other hosts too.) I.e. what are the essential fields to fill correctly, and how, etc. I realize it's more complicated than a simple reply, so if needed please direct me to the most informative links describing the perfect security settings. (I'd like to start a new site, but am a little afraid after reading this plus the other post about "Nearly a Million WP Sites Targeted...".) Thanks!

    • Hi there,

      We have a plethora of information available to help you secure your site available in our learning center: https://www.wordfence.com/learn/

      If you have Wordfence premium, you can reach out to our customer support team at support.wordfence.com where they would be happy to provide you with additional security insight to help you optimally secure your WordPress environment.

  • I saw this the other day, this gives some better details. This isn't a great look for GoDaddy right now. I've invested more in my cyber security lately too.

  • I had some domains hosted there, but thankfully I removed it.

    The last one I took was this project from a client, https://pokerbrasil.net/