GoDaddy Data Breach ― 28,000 GoDaddy Hosting Accounts Compromised. Is your website hacked?

SSH Access to GoDaddy hosted websites "compromised"

GoDaddy Hosting Accounts Compromised

GoDaddy is yet again in the news for a security breach. GoDaddy is sending email notifications to its customers to alert them about a security incident impacting GoDaddy Web Hosting accounts.

According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

Fact Check ― Date of Breach: October 19, 2019.

According to the California Department of Justice, the security breach occurred on October 19, 2019 and was reported about six months later on May 3, 2020. It means the attacker had control of GoDaddy customer hosting accounts for about 6-7 months before they were discovered. This is a serious security concern for the website owners using GoDaddy hosting.

SSH Access Breach: How does it affect your website data?

SSH stands for Secure Shell. It is a secure protocol used for executing commands on a server as well as for uploading and modifying files.

If an attacker has SSH access to a website, it is “compromised”. The attacker can access the site, create user accounts, upload malicious files, deface the site, inject malicious redirect scripts, and the list goes on.

My WordPress website is hosted on GoDaddy and I am noticing some unusual activity on my site. What should I do?

If you have been impacted by this breach and have not already been notified by GoDaddy, you will likely receive an email notification from GoDaddy soon. If you still suspect that your site is hacked, proactively follow these steps:

  1. Lock down your site: Change all the critical passwords: MySQL, phpMyAdmin, hosting cPanel, SSH and the WordPress admin backend.
  2. Delete unauthorized user accounts: Check your user accounts and make sure only the authorized users have required access to the site. Delete all the suspicious user accounts.
  3. Review Site Content: Go through all your posts and pages and verify that all the content is intact. Unauthorized users tend to publish irrelevant or malicious content on the site.
  4. Run a Security Scan: After completing the preliminary hardening steps, run a security scan to detect any malicious content on the site. We highly recommend using Wordfence and Malcure’s WordPress Malware Scanner. These plugins help in scanning your WordPress files and database for malware, infections, security threats, viruses, trojans, backdoors, malicious redirects, dolohen, code injections and 50,000+ security threats & vulnerabilities.
  5. Ask for professional help: Please contact GoDaddy directly if you have questions about the breach or about the security of your account. You can contact the Malcure helpdesk at support[at]malcure.com and our security specialists will be happy to assist you with security scanning, malware detection and fixing your hacked WordPress website.
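
Before or alongside the plugin scan in step 4, a quick triage over SSH narrows down what to review. The following is an added example, not code from GoDaddy, Malcure or the original post: it lists script files modified since the breach date given above, script files sitting in the uploads folder, and SSH keys you did not install. The function names, the default WordPress layout (wp-content/uploads) and the allowlist of your own key blobs are assumptions.

```python
import os
import shlex
from datetime import datetime, timezone

# Breach date stated in the article; files changed since then deserve review.
BREACH_START = datetime(2019, 10, 19, tzinfo=timezone.utc)
SCRIPT_EXT = (".php", ".phtml", ".phar")
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def audit_files(root, since=BREACH_START):
    """Return (changed, in_uploads): script files modified on/after `since`,
    and script files under wp-content/uploads, which should hold media only."""
    cutoff = since.timestamp()
    changed, in_uploads = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCRIPT_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # mtime can be forged by an intruder: a hit is a lead, a miss is not proof.
            if os.lstat(path).st_mtime >= cutoff:
                changed.append(rel)
            if rel.startswith("wp-content/uploads/"):
                in_uploads.append(rel)
    return sorted(changed), sorted(in_uploads)

def unexpected_keys(authorized_keys_text, approved_blobs):
    """Return (key type, comment) for each authorized_keys entry whose
    base64 key blob is not in `approved_blobs` (keys you installed yourself)."""
    found = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)   # keeps quoted options such as command="..." whole
        except ValueError:
            tokens = line.split()        # unbalanced quote, e.g. in a comment
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_PREFIXES):
                if tokens[i + 1] not in approved_blobs:
                    found.append((tok, " ".join(tokens[i + 2:])))
                break
    return found
```

Compare every hit against a clean copy of WordPress core and your theme and plugin versions before deleting anything, since legitimate updates also change file times.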

Beware of Phishing Campaigns

Since GoDaddy is one of the world’s largest website hosting providers, there will be millions of users out there who might be expecting to receive a notification that their hosting account has been breached.

Therefore, the chances of a phishing campaign targeting GoDaddy users are pretty high.

Phishing is an attack whereby an attacker creates an email that appears to come from a legitimate source and asks the unsuspecting users to provide sensitive information.

We recommend that under these conditions, GoDaddy customers should be very careful when clicking on links or executing any actions in an email to ensure that they don’t end up as the victim of a phishing attack.

Please share this post with your friends and colleagues who use GoDaddy hosting so that they are aware of this issue and act wisely.
