GoDaddy Devastated by Hack Exposing 1.2 Million Accounts, SSL Private Keys

By Kalina Valqurey | November 24, 2021
184 0
GoDaddy suffered a major hack only a week before Black Friday as 1.2 million accounts were compromised. Some lost their SSL Private Keys.
The GoDaddy banner hangs outside of the New York Stock Exchange as the website hosting service goes public on April 1, 2015 in New York City. On Nov. 22, the company alerted the SEC that it had suffered a serious data breach of 1.2 million accounts, some of which had their SSL certificate private keys exposed. (Image: Spencer Platt/Getty Images)

On Nov. 17, just one week before Cyber Monday, the popular Internet hosting company GoDaddy was breached, according to a SEC filing published five days later on Nov. 22. The company warned the event increases the risk of phishing attacks, as well as posing a more direct threat to a “subset of active customers” whose SSL certificate private keys were compromised.

These certificates are important because they ensure against man-in-the-middle attacks, the theft of financial information from customers ordering on websites, and are what ensure that banking websites are secure and that financial transactions can be safely conducted online. 

According to GoDaddy, email addresses, customer numbers, sFTP and database usernames and passwords, together with an undisclosed number of SSL private keys, comprise the bulk of the list of exposed data points.

RELATED ARTICLES:

The company says it has now proactively reset many account passwords, describing the breach as its “Managed WordPress hosting environment” having been compromised by an “unauthorized third party” with access. 

GoDaddy, represented by Chief Information Security Officer Demetrius Comes, told the SEC that after discovering the breach, the company immediately “began an investigation with the help of an IT forensics firm and contacted law enforcement.” 

Some details in the filing alert should caution the hosting giant’s users as to what may be at stake. GoDaddy reported that an increased risk of phishing attacks is present for “up to 1.2 million active and inactive Managed WordPress customers” because they have had their email addresses and customer numbers exposed to hackers.

However, that is not the extent of the breach.

The company explained that “the original WordPress Admin password that was set at the time of provisioning” was left unguarded. In response, GoDaddy initiated a reset of any of those passwords that were still in use. However, active customers have had sFTP and database usernames and passwords exposed. The company reset these two categories of passwords as well. 

Secure Sockets Layer significance

GoDaddy obfuscated the gravity of a significant portion of the breach—those whose SSL private keys were “exposed”—by referring to them merely as a “subset.” The company said in the SEC filing, “We are in the process of issuing and installing new certificates for those customers.”

Browsers help to defend users, such as holiday online shoppers, against fake websites spoofing reputable ones. They defend them by detecting bogus security certificates. 

However, exposed SSL keys would undermine all of that, allowing an attacker to use a stolen certificate from a compromised site. Actually, while it’s not hard to steal certificates, they usually can’t be used by attackers due to the SSL technology’s encryption method, which requires a private key to unlock.

Hackers then often have to use their own certificate, which sends up red flags in almost all but the most out-of-date browsers. The SSL private key of the site’s certificate is what makes a modern “https” site safe. 

However, when there is a stolen key that can be used to unlock the real SSL, browsers such as Firefox, Chrome, Safari and others will no longer be able to discern between a site with a swiped certificate and the real deal. The ensuing breach, if used to falsely transmit or receive data, is called a man-in-the-middle attack.

Unlike a phishing site, which often has a recognizably different domain, there is no way to tell if an “https” site is undergoing a man-in-the-middle attack if the certificate appears to be functioning as intended.

What protects users from these full-blown attacks is their rarity. 

Of course, the company says it is already in the process of replacing the breached certificates. If holiday shoppers are curious as to whether a website is a GoDaddy site, the domain can be entered in the search box at ICANN to confirm.

If the hosting company listed is indeed GoDaddy, if one chooses to patronize, one can only hope the site is not among those still affected, and users can make their own decisions as time progresses.