A data breach at GoDaddy exposed SSL keys issued to an undisclosed — but likely large — number of active customers using its Managed WordPress website hosting service. The incident has sparked concerns about attackers hijacking domains for ransomware or spoofing them for credential theft and other malicious purposes.
GoDaddy, a major domain registrar and website hosting company, on Monday announced it had discovered a data breach on Nov. 17 that exposed data belonging to a total of 1.2 million active and inactive customers of Managed WordPress. Exposed data included the email address and customer number associated with the WordPress accounts; the default WordPress admin password that was set when the account was first provisioned; and SFTP and database username and passwords. SSL keys belonging to a subset of the 1.2 million affected customers also were exposed, GoDaddy said in a regulatory statement filed with the Securities and Exchange Commission.
The publicly listed company said it had reset all affected passwords and was in the process of issuing and implementing new certificates for customers whose SSL keys were exposed.
GoDaddy officials say the attackers used a compromised password to access the certificate provisioning system in GoDaddy's legacy code base for Managed WordPress. An investigation showed the attackers gained initial access to its environment on Sept. 6 and remained undetected for more than 70 days, until Nov. 17.
"We are sincerely sorry for this incident and the concern it causes for our customers," GoDaddy's chief information security officer, Demetrius Comes, said in the statement filed with the SEC. "We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection."
It's unclear how that reassurance will resonate with customers given GoDaddy's struggles with security over the past couple of years. In May 2020, the company said it discovered a breach affecting SSH credentials belonging to some 28,000 customers. The breach occurred in November 2019 but wasn't discovered until April of the following year. On at least two other occasions last year, employees at the company provided scammers with control of domains belonging to a handful of customers as the result of social engineering.
Potential for Future Problems
The big concern with its latest breach is the potential for attackers to use the SSL credentials to impersonate domains belonging to legitimate companies for the purpose of credential theft or malware distribution. Attackers also could potentially use the keys to hijack a domain name and attempt to extort a ransom for its return, security experts say.
“Affected companies need to replace those certificates with new ones," says Nick France, CTO of SSL at Sectigo. They should ensure the original certificate is revoked and a completely new private key is generated, he adds.
Certificate revocation itself is a quick process with compromised keys typically needing to be replaced between 24 hours and five days. GoDaddy is a certificate-issuing authority, and if all the exposed SSL keys were issued by the company, then it would be the one doing the revoking and reissuing.
"What has not been made clear is if all of these compromised certificates and keys were all from the GoDaddy CA, or if there are other certificates that have been compromised," France says. Many hosting companies offer their own certificates to customers but also allow customers to bring their own certificate if they choose. "Until we know what the makeup of the compromised certificates looks like — who they were for and who issued them — it's difficult to say exactly who needs to take action," he says.
Murali Palanisamy, chief solutions officer for AppViewX, says breaches like the one at GoDaddy highlight the need for organizations to have a platform that automates the certificate revocation and reissuing process. Such incidents also show why it might be a good idea for organizations to consider using short-lived digital certificates, so even if keys are compromised, the ability for attackers to misuse them is time constrained.
"Typical certificates are valid for a year," Palaniswamy says. If there was an exploit halfway through the certificate's life, the hackers would have more than six months of valid certificates.
"A short-lived certificate like LetsEncrypt is valid for 90 days and gets automatically renewed," he says. The validity period for such certificates can be reduced to just 30 days if needed, he says. "With a short-lived certificate of 30 days," he adds, "there's a shorter window of time that could be used to craft a sophisticated attack on an exploited certificate."