Customers of the web hosting service GoDaddy had their account data exposed for more than two months before learning about the breach. The attackers were also able to obtain the private keys behind some customers' SSL certificates.
Hackers who breached GoDaddy accessed the email addresses of up to 1.2 million of the domain registrar's Managed WordPress hosting customers, according to a US Securities and Exchange Commission (SEC) disclosure filed on Monday.
According to the filing, the intruder gained access to the "provisioning system" for GoDaddy's Managed WordPress hosting on September 6 "using a compromised password", and the intrusion went unnoticed for more than two months.
Upon discovering the breach on November 17, GoDaddy “immediately locked the attacker out,” the web hosting company claimed in the filing, explaining that it subsequently embarked on its own investigation and contacted law enforcement and an unspecified “IT forensics firm.”
“We are sincerely sorry for this incident and the concern it causes for our customers,” chief information security officer Demetrius Comes wrote. “We, GoDaddy leadership and employees, take our responsibility to protect customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
Anyone holding that compromised password could read not only the original WordPress admin passwords set when customers' sites were provisioned, but also, for some customers, the private SSL keys behind their sites' certificates. The certificate is what produces the padlock icon a browser shows on a secure connection, for example when a customer is shopping online; the private key is the secret that proves a server is the legitimate holder of that certificate. An attacker who has the key can impersonate the site to its visitors, and the only remedy is to generate a new key pair and have the old certificate revoked and replaced.
Comes said the company had reset the exposed passwords and was in the process of issuing and installing new SSL certificates for the affected customers. That is a thorny process: site owners are routinely warned not to hand over credentials or personal information in response to unsolicited messages from their hosting provider, since such a message may itself be a phishing attempt, and a host that now needs customers to act on reissuance notices is asking them to do exactly that. Customers should also confirm that a replacement certificate was issued on a newly generated key rather than reissued over the leaked one.
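One check a site owner can run once a replacement certificate is installed, as an added example that is not part of the article or of GoDaddy's own process: compare the SHA-256 fingerprint of the SubjectPublicKeyInfo in the old and new certificates. If the fingerprints match, the "new" certificate still rests on the leaked key. The script uses only the openssl command line; the hostname example.test and the certificates it generates are constructed fixtures.

```shell
#!/bin/sh
# Added example (not from the article or GoDaddy): after a host reissues a
# certificate following a private-key leak, confirm the replacement uses a
# NEW key pair. A certificate reissued over the same leaked key changes nothing.
# Requires the openssl CLI. example.test and the work directory are illustrative.
set -e

WORK=$(mktemp -d)

# SHA-256 fingerprint of a certificate's SubjectPublicKeyInfo. This identifies
# the key pair regardless of serial number, validity dates or issuer.
spki_fp() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds (exit 0) when the second certificate's key differs from the first.
key_rotated() {
    [ "$(spki_fp "$1")" != "$(spki_fp "$2")" ]
}

# Constructed fixture: a self-signed certificate whose key we treat as leaked.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example.test" -keyout "$WORK/leaked.key" \
    -out "$WORK/old.crt" >/dev/null 2>&1

# Proper rotation: fresh key pair, fresh certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example.test" -keyout "$WORK/fresh.key" \
    -out "$WORK/rotated.crt" >/dev/null 2>&1

# Cosmetic "reissue": a brand-new certificate signed over the leaked key.
openssl req -x509 -new -key "$WORK/leaked.key" -sha256 -days 1 \
    -subj "/CN=example.test" \
    -out "$WORK/reissued_same_key.crt" >/dev/null 2>&1

if key_rotated "$WORK/old.crt" "$WORK/rotated.crt"; then
    echo "rotated.crt: key changed (good)"
fi
if ! key_rotated "$WORK/old.crt" "$WORK/reissued_same_key.crt"; then
    echo "reissued_same_key.crt: same key as the leaked one (still compromised)"
fi
echo "fixtures left in $WORK"
```

In practice the "old" certificate is whatever the site served before the incident (a saved copy, or one fetched from certificate transparency logs) and the "new" one is what the server presents now; the fingerprint comparison is the same.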
GoDaddy acknowledged that risk in another SEC filing, noting an "increased level" of "social engineering efforts" targeting the company, some of which were apparently successful.