SSL keys, sFTP passwords and more exposed after someone broke into GoDaddy Managed WordPress using 'compromised password'

GoDaddy has admitted to America's financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys. In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an "unauthorized third-party" had …

  1. heyrick Silver badge

    Why are they even holding "passwords"?

    In this day and age, shouldn't these things go through a gibberishificator, so your password is known to you and only you, and the server sees a long complicated looking number instead?

    For miscreants to potentially see passwords implies passwords in clear text, what the fuck?

    1. Skiron

      Re: Why are they even holding "passwords"?

      ...and what the hell are they all doing being stored in wordpress?

    2. Androgynous Cupboard Silver badge

      Re: Why are they even holding "passwords"?

      It’s the SSL private keys I’m wondering about.

      1. FILE_ID.DIZ

        Re: Why are they even holding "passwords"?

        It's a WordPress server, not an HSM.

    3. doublelayer Silver badge

      Re: Why are they even holding "passwords"?

      They could be doing it wrong, but they might just mean that the properly hashed passwords were exposed. However, if I remember correctly, WordPress uses MD5 without salting for the passwords. That's a lot better than plain text, but not good enough.

      1. Skiron

        Re: Why are they even holding "passwords"?

        "They could be...".

        No could about it.

        1. doublelayer Silver badge

          Re: Why are they even holding "passwords"?

          Specifically how the passwords were stored. The article and their statement do not make it clear whether they hashed the passwords or not. Hence, they could be doing it wrong, but there is a chance that they did that part correctly.

          Their broader security though, that they're definitely doing wrong.

          1. Snake Silver badge

            Re: Ah, they could be "doing it wrong"

            "We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection," the exec added.

            'We will close the barn door now that the horse has bolted', states GoDaddy's InfoSec robot-of-the-month. "This time we will use actual wood, the Japanese-style paper walls looked very stylish during our office parties but they seemed to have some structural issues"

    4. Anonymous Coward
      Facepalm

      Re: Why are they even holding "passwords"? - Because

      Like so many companies involved in so many data breaches they were too lazy to do it right.

      1. Kabukiwookie

        Re: Why are they even holding "passwords"? - Because

        Having had some experience with GoDaddy, this lack of care in regards to security is right in line with their other assholery.

        Not sure how this company is still in business other than having a captive customer base.

    5. FILE_ID.DIZ
      Holmes

      Re: Why are they even holding "passwords"?

      The quote in the SEC disclosure is "Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress..."

      This likely was a password stored on a post-it note. Or worse, brute force because they weren't watching if people were kicking in their front door.

    6. Anonymous Coward Silver badge
      Thumb Down

      Re: Why are they even holding "passwords"?

      Reading between the lines, and this is purely my interpretation of the details released...

      The exposed passwords were the original ones from when the site was created, not necessarily live ones.

      It's quite possible that there's an archive of sent email which includes the "your site is now live. Access it <here> Your username is <something> and password (which you should change immediately) is <something>"

      Those emails shouldn't have been stored in full; potentially not at all. But it's very different to all live passwords being stored in plain text.

      I still wouldn't touch GoDaddy with someone else's bargepole.

    7. CrazyOldCatMan Silver badge

      Re: Why are they even holding "passwords"?

      Because they are GoDaddy and doing stuff properly involves having IT staff that know what they are doing and paying them properly rather than having nu-meeja lovvie types running it.

    8. bombastic bob Silver badge
      Devil

      Re: Why are they even holding "passwords"?

      "shouldn't these things go through a gibberishificator"

      well the way Linux and BSD do/have done it with a one-way hash+salt usually does the job. Just store the hash+salt, send credentials via SSL only. The hash can be publicly readable, too, won't matter if it's using a decent hash algorithm. I would expect MOST systems to do it this way, or very similar. No reversible password decryption ability, EVAR.

      (anything LESS than that is completely insecure and unacceptable)

  2. J. Cook Silver badge

    Glad I dumped GoDaddy long ago for hosting my own web site. Between the unexplained outages (i.e., the site was down, but by the time I got a ticket opened it was back up, with no explanation for the outage) and the funky home-brewed backend for managing it (or putting files up and down on it), I finally said 'screw it' and moved to Dreamhost and have been more or less happy since.

    At least for web hosting. Email, that's another kettle of fish.

    1. chivo243 Silver badge
      Unhappy

      GoShady

      My better half dropped GoDaddy, some things in the Danish Datacenter started to smell...

    2. bombastic bob Silver badge
      Devil

      I host my company web+mail using a simple ssh-shell shared hosting service. E-mail setup is very easy. It has PostgreSQL available too. But at this point I'm only using simple php and mail.

      Point is there are MANY hosting options. GoDaddy bought the service I was using, and this one was set up using former operators of the old service. You can probably guess who they are now. GoDaddy basically moved the hosting and stopped supporting PostgreSQL and LetsEncrypt, so I went elsewhere. Something like that. (But I would probably have stayed with them if they had kept the features I wanted.)

  3. John Robson Silver badge

    Revoking certs?

    They really ought to be revoking the old certs as well as issuing new ones...

  4. JavaJester

    Always be in doubt when asked your details

    "Now would be a good time for GoDaddy users to be on alert for suspicious emails asking them to log in to, say, confirm their details: if in doubt, go straight to the GoDaddy website."

    Any email asking to confirm your details is always suspicious. There is no "if" about that.

    1. bombastic bob Silver badge
      Black Helicopters

      Re: Always be in doubt when asked your details

      and don't read those "confirm your identity" phishing e-mails in HTML format - they'll have deceptive links in them, most likely

  5. Potemkine! Silver badge

    Let me guess

    GoDaddy highly values the security and confidentiality of its clients’ works and is taking steps to further enhance its existing security measures. It will continue to assess additional measures that may further ensure the security and confidentiality of its clients’ works

    I think I master BS enough to postulate to PR, don't I?
