GoDaddy Breach Widens to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe
Yesterday GoDaddy disclosed a massive data breach impacting over 1.2 Million customers. Today, we received confirmation from GoDaddy that multiple brands that resell GoDaddy Managed WordPress were impacted. The brands impacted include:
According to Dan Rice, VP of Corporate Communications at GoDaddy,
“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.”
tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe were acquired by GoDaddy as part of Host Europe Group in 2017[1], while Media Temple was bought by GoDaddy in 2013[2].
We have been provided with a copy of the Notice of Security Incident email sent by Media Temple:
As well as a copy of the Notice of Security Incident email sent by tsoHost:
All of the impacted hosting providers are using URLs starting with
https://myh.secureserver.net/#/hosting/mwp/v1/
for provisioning, account management, and configuration of their Managed WordPress offerings, and store sFTP passwords that can be retrieved in plaintext:
As this is a developing story, we will continue to provide more information as it becomes available. To receive updates, you can join our WordPress security mailing list on this page.
References:
- https://aboutus.godaddy.net/newsroom/press-releases/press-release-details/2017/GoDaddy-Completes-Acquisition-Of-Host-Europe-Group/default.aspx
- https://mediatemple.net/blog/press/godaddy-acquires-mt-media-temple-to-accelerate-web-pro-expertise/
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments
3:18 pm
Ram, Chloe, Mark an all the staff. Top sleuthing as usual. Keep up the "Excellent" work. One Premium subscription coming up.
3:22 pm
I have an old website that I let go. I thought I shut everything down, but I still got an email from GD today about this.
I shut everything down two years ago. They were my original host, etc., but I left them for CloudFlare after a year or two (transferred the lot- CNAME, A/AAAA, DNS, the whole 9 yards). After that second year, they really were just where I'd registered the domain. I wonder what that means for me?
4:42 pm
GoDaddy and so many high-profile websites do not use best practices. The other issue that may plague us all, even with upgraded antivirus, with Malware prevention, VPN's, Ad-blocking, and Identity protection our websites are still vulnerable. They are only as good as the hosting companies we choose.
3:21 am
For the longest time, they wouldn't make the latest PHP versions available.
9:04 pm
I am not able to log in to the admin page for my website on wordpress. It does not accept my password and is not sending an email to me to reset the password. Is it related to the security breach?
6:15 am
** This also affected www.domainspricedright.com just FYI :)
6:56 am
** I mean domains that are housed with Domains Priced Right
7:15 am
Hi,
Yes, it does look like domainspricedright.com (which is one of the oldest GoDaddy whitelabels) offers the same Managed WordPress plans - it's likely that customers of any whitelabel resellers that offered these plans would also be impacted.
10:38 am
Just want to share this information with others.
I purchase my domain name from GoDaddy, but my website is hosted elsewhere. Today I received in snail mail a solicitation from another domain name vendor which included not only my domain name, but the names of the servers associated with my domain. This information could only have been gotten if someone had access to my website information at GoDaddy.com.
I tried to contact GoDaddy to let them know about this, but there seems to be no way to reach them. No one is responding to their chat, and the phone number that used to be available is no longer listed on their website.