Nov 22—A major domain registrar recently disclosed a data breach that exposed the email addresses of more than a million customers of its managed WordPress hosting service. According to the company's filing with the Securities and Exchange Commission (SEC), the attacker had access from September 6, 2021, and the data of up to 1.2 million active and inactive managed WordPress users was exposed.
The attacker used a compromised password to gain access to the company's provisioning system, the environment that sets up new customer websites. The company discovered the intrusion on November 17 and immediately locked the threat actor out.
The attacker could see more than email addresses: they also had access to the sFTP and database credentials of active customers and to the WordPress admin passwords set when sites were provisioned. SSL private keys for some customers were exposed as well.
The registrar is resetting the exposed passwords and reissuing the affected certificates, and it says it has contacted all customers affected by the leak.
Wordfence, a WordPress security company, offered an explanation of why the credentials were usable at all: “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”
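The difference Wordfence is pointing at is easy to demonstrate. The following added example (not code from the article or from GoDaddy) contrasts a reversible credential store with a salted, iterated hash: with a dump of the first, an attacker recovers every password in one call; with the second, the stored value only lets the server verify a login attempt and the attacker is left to crack each record individually. The usernames and passwords are constructed sample data, and the PBKDF2 parameters are this example's own choice.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample sFTP accounts; not real credentials.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# Iteration count chosen for this example (OWASP's current PBKDF2-HMAC-SHA256 guidance).
PBKDF2_ITERATIONS = 600_000


def store_reversible(password: str) -> str:
    """The bad pattern: an encoding that merely looks opaque but can be undone."""
    return base64.b64encode(password.encode()).decode()


def recover_reversible(stored: str) -> str:
    """What an attacker with a dump of reversibly stored credentials does: no cracking needed."""
    return base64.b64decode(stored).decode()


def store_hashed(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash. A fresh random salt per record defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    return "$".join([
        "pbkdf2-sha256",
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_hashed(password: str, stored: str) -> bool:
    """Server-side login check: recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def attacker_view(dump: dict) -> dict:
    """Given a leaked credential table, return the passwords recoverable without cracking.

    Reversible entries (plain base64 here) are recovered outright; hashed entries
    cannot be inverted, so nothing is returned for them.
    """
    recovered = {}
    for user, stored in dump.items():
        if stored.startswith("pbkdf2-sha256$"):
            continue  # hashed: the attacker has to brute-force this record separately
        recovered[user] = recover_reversible(stored)
    return recovered


def build_dumps():
    """Build the same sample accounts stored both ways, as a leaked attacker would see them."""
    reversible = {u: store_reversible(p) for u, p in SAMPLE_USERS.items()}
    hashed = {u: store_hashed(p) for u, p in SAMPLE_USERS.items()}
    return reversible, hashed


if __name__ == "__main__":
    reversible_dump, hashed_dump = build_dumps()
    print("recovered from reversible store:", attacker_view(reversible_dump))
    print("recovered from hashed store:    ", attacker_view(hashed_dump))
    print("login check on hashed store:    ", verify_hashed("hunter2", hashed_dump["bob"]))
```

Note that hashing protects only password-style credentials. The SSL private keys and any SSH keys an sFTP service needs to use cannot be hashed, so they have to be protected by access control and rotated once exposed, which is what the registrar's certificate reissuance amounts to.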
So what can we learn from this? If history is any indicator, nearly every company is likely to be breached eventually. Note what the customer could and could not control here: no password habit would have stopped a provider from storing secrets reversibly. What you can control is the blast radius, so at the very least use a unique password for every site (a password manager makes this painless), enable multi-factor authentication where it is offered, and change a password promptly when a service you use reports a breach, rather than on an arbitrary schedule.