Hacker News
4 years ago by 1cvmask

No surprise at all that this happened. They had not turned on multi-factor authentication and hackers got in through a static password. Over 80% of data breaches are through static passwords.

From the official GoDaddy statement:

Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.

-

This could have been an easily avoidable data breach.

4 years ago by bilekas

But they said:

> We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously

So that makes it okay, right?

4 years ago by kreeben

No. You should only work with partners who take that responsibility extremely seriously. "Very" is an order of magnitude too low.

4 years ago by cpach

I’m pretty sure 'bilekas was being sarcastic :)

4 years ago by gizdan

Totally makes it okay! I assume that's after the data is stolen and sold.

4 years ago by Zancarius

See, the trick is to sell customer data before the bad guys get it!

4 years ago by mooreds

> Over 80% of data breaches are through static passwords.

Static passwords are bad, for sure. But do you have a source for this?

4 years ago by 1cvmask

See page 5 of the Verizon report and the number is 81%:

https://www.verizon.com/business/resources/reports/2017_dbir...

4 years ago by mooreds

Awesome, thanks for sharing that link from 2017.

For everyone not going to go to the PDF, the text is "81% of hacking-related breaches leveraged either stolen and/or weak passwords."

So I'm not sure that you can say that all data breaches are related to static passwords, but it sure a big number and a problem.

I looked at the 2020 Verizon report, but unfortunately they changed their methodology or reporting so I didn't see a figure for that year for "hacking-related breaches".

4 years ago by alexis2b

Over 80% of statistics posted in comments are made on the spot.

4 years ago by mellavora

no, the correct figure is 78%

4 years ago by theplumber

An even better solution is WebAuthn... I don't understand why it's not supported more than "2nd factor", which very often happens to be a phone/SMS verification service, easy to steal as well.

4 years ago by paulpauper

A static password is fine if you have good strength and rate limiting or other ways to prevent brute forcing.

4 years ago by vimda

It's really not... Password reuse, other breaches; there are many ways a password can be leaked that aren't brute forcing. Considering how low the barrier to entry to 2FA is, there really is no excuse these days.
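As an added illustration of the exchange above (example code written for this page, not from any commenter or from GoDaddy): a login check that has both of the things mentioned, a sliding-window failure limit per account and a TOTP second factor (RFC 6238, HMAC-SHA1 over a 30-second counter). Rate limiting stops online guessing, but a password that was reused or leaked elsewhere still passes the first check; only the second factor refuses it. The user record, salt, timestamps and the `LoginService` class are constructed for the example; the TOTP secret is the RFC 4226/6238 test-vector secret so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
from collections import defaultdict, deque


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is a sample value for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the time counter floor(t / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample user store: one account with a hashed password and a TOTP secret.
SALT = b"constructed-per-user-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test-vector secret
    },
}
# Compared against for unknown users so a lookup miss costs the same as a wrong password.
DUMMY_HASH = hash_password("dummy", SALT)


class LoginService:
    """Per-account sliding-window lockout plus mandatory TOTP second factor."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # username -> timestamps of recent failures

    def _throttled(self, user: str, now: int) -> bool:
        recent = self.failures[user]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # forget failures that fell out of the window
        return len(recent) >= self.max_failures

    def login(self, user: str, password: str, code: str, now: int) -> str:
        """Return 'throttled', 'denied' or 'ok'; `now` is a unix timestamp."""
        if self._throttled(user, now):
            return "throttled"
        record = USERS.get(user)
        expected = record["pw_hash"] if record else DUMMY_HASH
        pw_ok = hmac.compare_digest(hash_password(password, SALT), expected)
        # Accept the current step and one step either side to absorb clock drift.
        code_ok = record is not None and any(
            hmac.compare_digest(totp(record["totp_secret"], now + drift), code)
            for drift in (-30, 0, 30)
        )
        if pw_ok and code_ok:
            self.failures[user].clear()
            return "ok"
        # Any failure counts, so a leaked password plus guessed codes still locks out.
        self.failures[user].append(now)
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    secret = USERS["alice"]["totp_secret"]
    print(svc.login("alice", "correct horse battery staple", totp(secret, 1000), 1000))
    print(svc.login("alice", "correct horse battery staple", "000000", 1000))
```

A production version would also record which TOTP counter was last accepted and refuse a replay of the same code within the drift window, and would key the throttle on source address as well as account name so that a distributed guessing campaign across many accounts is visible too.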

4 years ago by 1cvmask

And the classic keyloggers which have been known to be around for over 4 decades ever since the typewriter....

https://en.wikipedia.org/wiki/Keystroke_logging#History

https://en.wikipedia.org/wiki/Keystroke_logging

4 years ago by iamricks

We once had a domain stolen because somebody called GoDaddy and was able to get the 2FA code removed with a phone call and they had some leaked email credentials for the account.

We had to call GoDaddy and cancel the domain transfer, they would give us no information on how it happened.

4 years ago by bhartzer

I can tell you that unfortunately that's not an isolated case. We recover stolen domain names, and it happens quite often (that someone gets into a GoDaddy account and is able to remove 2FA).

4 years ago by cpach

IMO: Friends don’t let friends use GoDaddy.

4 years ago by unstatusthequo

Or Network Solutions… which, dare I say, is even worse.

4 years ago by Turing_Machine

Pretty much all of them are bad/evil in some way, but some are worse than others.

4 years ago by _nickwhite

Us greybeards have been around long enough to experience several of these bad/evil domain registrars. One common path I see has been:

Network Solutions -> GoDaddy -> Namecheap -> Google Domains OR CloudFlare Domains

Seriously, if anyone is still using Netsol or GoDaddy, there are much better alternatives, and it's very easy to make the transition; I've helped a good handful of friends.

4 years ago by rvz

• Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.

• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.

• For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.

• For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

Oh dear. No mention of 2FA mechanisms here. So does that mean GoDaddy's security is not good enough or is in fact very poor?

No different to Epik's security breach I guess, but not the worst security breach I've seen in a long time when compared with Twitch [0].

[0] https://news.ycombinator.com/item?id=28771465

4 years ago by rockbruno

GoDaddy has the weirdest tech stack/tech support combination I have ever seen. I once had an issue where I was unable to update my credit card information, so I contacted their support. Their support process is basically having you give them full access to your account and then having the support person navigate your account like a regular user to see what problem you're facing. So, because I had a problem with the payment flow, she literally asked for my credit card information so she could see which error I was seeing. I was cool-headed enough to explain why that was a ridiculous request but hung up after that. No wonder they got hacked.

4 years ago by croutonwagon

Godaddy has some bad practices.

They used to randomly call us, and then ask US to verify our accounts, passcodes in order for them to tell us a domain was close to expiration.

Not an email. An unsolicited phone call where I have to validate my information.

I told them that was phishing 101 tactic and a bad practice to train users on. And if a call is standard, a user may reasonably assume an email may be too.

Ultimately they just removed me from their call list.

It was one of the most asinine things I’ve seen. It reminds me I need to move my company's domains to Hover.

4 years ago by elliekelly

I’m almost afraid to ask but... how long ago did this happen?

4 years ago by rockbruno

About 3 years ago I'd say

4 years ago by dang

There's a summary here, which seems to be reporting on the OP: https://www.wordfence.com/blog/2021/11/godaddy-breach-plaint....

(Via https://news.ycombinator.com/item?id=29311286, but no comments there)

4 years ago by legrande

From my experience with GoDaddy, the amount of dark patterns using the service was astonishing. It made me move to better hosting providers. They always try to up-sell you stuff, and tack on all these additional features that you have to opt out of when buying something. You have to be real careful on there in case you buy something you didn't want. Also their UI is really messy and things are buried in multiple deep links and menus. One out of five, do not recommend. It's no wonder they suffered a breach.

4 years ago by Dave_TRS

The dark patterns are so ridiculous I almost get a little enjoyment out of it like playing a game. When you sign up for a domain name it's a mini mission to get past the 5 separate screens of upselling and clicking the small Skip link and not the big green Continue button. If you're not paying close attention you get to your cart and there's extra crap in there, and you have to restart the level.

4 years ago by unclebucknasty

After using them for simple domain name registration, I can't imagine using them for something more complex, like hosting.

The UI is so bad that just figuring out how the contact info they collect in multiple places is used is near-impossible.

4 years ago by marcc

Why are we reading this on the SEC site and not the GoDaddy site? I did a quick search and can't find a disclosure on their site. If it's there, it's not easy to find.

Security incidents are going to happen. This particular incident looks to be avoidable (static passwords!). What we should judge the company on is their response and transparency. GoDaddy disclosed, but a new customer on the site wouldn't find this. They also used phrases like "affects our Legacy WordPress Platform" probably to attempt to shift a little blame from the current team or minimize the fallout.

When you have a security incident, be transparent, own it, and deal with it. We can tell when you are trying to sweep it under the rug and hide, and that's bad. This is an opportunity for an org to show that they put customers first and shine.

4 years ago by elliekelly

Management doesn’t put customers first. They put themselves (management) first closely followed by investors. The SEC recently indicated they’d be focusing enforcement on cybersecurity incident disclosures. Particularly on timely disclosures (not waiting 6 months from discovery to disclosure, for example).

That might be the only reason we’re even reading about this at all.

4 years ago by skeeter2020

>> Why are we reading this on the SEC site and not the GoDaddy site?

This is typically by design and public relations 101. If you don't link "bad" content to your domain it's easier to make it disappear in the future. It's why a company purchases "our-data-breach.net" to handle a public incident instead of just a subdomain or deeply linked page. No long-lived anti-SEO.

4 years ago by neom

The URL contains "gddyblogpostnov222021" - and at the bottom the FLS mentioned blog post, so I guess the SEC didn't adhere to their press embargo on the blog post? ;)

4 years ago by blablabla123

That's at least the 2nd funny thing happening with GoDaddy. I stopped using them years ago.
