In an SEC filing, GoDaddy announced that its WordPress hosting environment was compromised by hackers at least as far back as September.
The email addresses of 1.2 million customers were exposed, but that is not really the big issue.
Also compromised are the original admin passwords (which I am sure lots of people don’t change) for those users.
Even more important, for active customers, the sFTP credentials, including unencrypted userids and passwords, were compromised. The userid and password for access to customer databases were also exposed. This is true even if the initial passwords were changed.
This seems to mean that GoDaddy was either storing passwords unencrypted or encrypting them with a key that was also compromised.
For a subset of customers, their SSL private keys were also stolen.
The hackers had free roam of the environment for over two months.
While they are still investigating the extent of the damage, take 1.2 million customers, at least some of whom operated multiple websites, and you have a mess of gigantic proportions.
If GoDaddy is hosting your WordPress site, you have some damage control to do, and you may be legally required to notify your customers of a breach.
Credit: SEC