No surprise at all that this happened. They had not turned on multi-factor authentication and hackers got in through a static password. Over 80% of data breaches are through static passwords.
From the official GoDaddy statement:
Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.
-
This could have been an easily avoidable data breach.
For everyone not going to go to the PDF, the text is "81% of hacking-related breaches leveraged either stolen and/or weak passwords."
So I'm not sure that you can say that all data breaches are related to static passwords, but it sure is a big number and a problem.
I looked at the 2020 Verizon report, but unfortunately they changed their methodology or reporting so I didn't see a figure for that year for "hacking-related breaches".
What I should have said was "So I'm not sure that you can say that ~80% of data breaches are related to static passwords, but it sure is a big number and a problem" because:
* hacking-related breaches != data breaches and
* stolen and/or weak passwords != static passwords
But the bigger point stands: passwords are a problem.
Weak passwords can be mitigated against, and a password reuse limit (of one, meaning no password reuse, ever) limits the attack surface from there, along with using HIBP's breach database. NIST updated their recommendations about passwords, and forcing a change of password every 30 days was removed because it caused other, more leaky behavior in practice.
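The HIBP breach-database check the comment above refers to, as an added example that is not code from the thread or from HIBP: it uses the real Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the client) and ships with a constructed offline response so it runs without network access. The function and sample names (`breach_count`, `offline_fetch`, `SAMPLE_BODY`) are mine.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Real endpoint of the Have I Been Pwned "Pwned Passwords" range (k-anonymity) API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the hash HIBP indexes by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live fetch for one 5-char prefix; Add-Padding makes response sizes uniform."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means never seen.

    Only the hash prefix is sent; the suffix is matched locally, so the server
    never learns which password (or even which full hash) was being checked.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password"); the count
# and the zero-count padding line are made up for this example, not real API data.
SAMPLE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "0123456789ABCDEF0123456789ABCDEF012:0\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the check can be exercised offline."""
    return SAMPLE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # A registration or reset flow would reject any candidate with a count > 0.
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, offline_fetch))
```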
An even better solution is WebAuthn... I don't understand why it's not supported more than as a "2nd factor", which very often happens to be a phone/SMS verification service, easy to steal as well.
It's really not... Password reuse, other breaches, there are many ways a password can be leaked that aren't bruteforcing. Considering how low the barrier to entry to 2FA is, there really is no excuse these days.
We once had a domain stolen because somebody called GoDaddy and was able to get the 2FA code removed with a phone call and they had some leaked email credentials for the account.
We had to call GoDaddy and cancel the domain transfer; they would give us no information on how it happened.
I can tell you that unfortunately that's not an isolated case. We recover stolen domain names, and it happens quite often (that someone gets into a GoDaddy account and is able to remove 2FA).
Us greybeards have been around long enough to experience several of these bad/evil domain registrars. One common path I see has been:
Network Solutions -> GoDaddy -> Namecheap -> Google Domains OR CloudFlare Domains
Seriously, if anyone is still using Netsol or GoDaddy, there are much better alternatives, and it's very easy to make the transition; I've helped a good handful of friends.
I use NameCheap. I would never use a company like Google where I can't at least call and talk to someone. Also, there are stories like this where someone gets their Google account locked for some random reason and all of a sudden your domain is now locked as well: https://news.ycombinator.com/item?id=4825445
Never use Google Domains either; I had a client whose entire domain got hijacked/redirected to Google's phishing warning page for a few days because of some automated anti-phishing bot false positive.
No, this isn't the normal case where you've clicked on a link to example.com on a google.com search page/Gmail/whatever and Google instead redirects to the safe browsing page.
I'm talking about google domains itself, at the DNS level, will hijack your ENTIRE example.com domain and redirect to a safe browsing page.
That's exactly my transition (although I also used DirectNic for a while after Netsol in the 2000s). I'm happy with NameCheap but CloudFlare has a better interface, more features, and it's a bit cheaper.
Thoughts on Hover vs Namecheap? I've been using Hover for a while now and they haven't given me any issues but I wonder if there's something better out there that I just haven't looked into.
I have historic feels for Hover (they're Tucows, aka OpenSRS, a very early domain registrar with reselling as the primary business), but having recently moved some domains elsewhere, I find it kind of distressing that Hover didn't remove the domains I moved from the account page, and they still send reminders about renewal even though it's not expiring.
At some point GoDaddy presented me an offer to renew a domain for a 4-figure price and offered a fantastic discount, so that the final price was $10. I paid those 10 bucks to Cloudflare to transfer the domain.
• Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
• For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
• For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Oh dear. No mention of 2FA mechanisms here. So does that mean GoDaddy's security is not good enough or is in fact very poor?
No different to Epik's security breach I guess, but not the worst security breach I've seen in a long time when compared with Twitch [0].
GoDaddy has the weirdest tech stack/tech support combination I have ever seen. I once had an issue where I was unable to update my credit card information, so I contacted their support. Their support process is basically having you give them full access to your account and then having the support person navigate your account like a regular user to see what problem you're facing. So, because I had a problem with the payment flow, she literally asked for my credit card information so she could see which error I was seeing. I was cool-headed enough to explain why that was a ridiculous request but hung up after that. No wonder they got hacked.
They used to randomly call us, and then ask US to verify our accounts, passcodes in order for them to tell us a domain was close to expiration.
Not an email. An unsolicited phone call where I have to validate my information.
I told them that was phishing 101 tactic and a bad practice to train users on. And if a call is standard, a user may reasonably assume an email may be too.
Ultimately they just removed me from their call list.
It was one of the most asinine things I've seen. It reminds me I need to move my company's domains to Hover.
From my experience with GoDaddy, the amount of dark patterns using the service was astonishing. It made me move to better hosting providers. They always try to up-sell you stuff, and tack on all these additional features that you have to opt out of when buying something. You have to be real careful on there in case you buy something you didn't want. Also their UI is really messy and things are buried in multiple deep links and menus. One out of five, do not recommend. It's no wonder they suffered a breach.
The dark patterns are so ridiculous I almost get a little enjoyment out of it like playing a game. When you sign up for a domain name it's a mini mission to get past the 5 separate screens of upselling and clicking the small Skip link and not the big green Continue button. If you're not paying close attention you get to your cart and there's extra crap in there, and you have to restart the level.
Why are we reading this on the SEC site and not the GoDaddy site? I did a quick search and can't find a disclosure on their site. If it's there, it's not easy to find.
Security incidents are going to happen. This particular incident looks to be avoidable (static passwords!). What we should judge the company on is their response and transparency. GoDaddy disclosed, but a new customer on the site wouldn't find this. They also used phrases like "affects our Legacy WordPress Platform" probably to attempt to shift a little blame from the current team or minimize the fall out.
When you have a security incident, be transparent, own it, and deal with it. We can tell when you are trying to sweep it under the rug and hide, and that's bad. This is an opportunity for an org to show that they put customers first and shine.
Management doesn’t put customers first. They put themselves (management) first closely followed by investors. The SEC recently indicated they’d be focusing enforcement on cybersecurity incident disclosures. Particularly on timely disclosures (not waiting 6 months from discovery to disclosure, for example).
That might be the only reason we’re even reading about this at all.
>> Why are we reading this on the SEC site and not the GoDaddy site?
This is typically by design and public relations 101. If you don't link "bad" content to your domain it's easier to make it disappear in the future. It's why a company purchases "our-data-breach.net" to handle a public incident instead of just a sub domain or deeply linked page. No long-lived anti-SEO
The URL contains "gddyblogpostnov222021" - and at the bottom the FLS mentioned blog post, so I guess the SEC didn't adhere to their press embargo on the blog post? ;)
I realise that you are talking about behavior as a registrar, but it's somewhat ironic that you mention google and no unethical behavior in the same sentence.
This is the title: GoDaddy Announces Security Incident Affecting Managed WordPress Service
Saying this is a breach sounds more generalized and makes exponentially more people click the bait to see if their domain accounts were hit (they weren't).
I saw a couple of comments saying to not use godaddy - why is that? I am a godaddy customer and have not been dissatisfied so far (excluding this data breach).
I also see namecheap being recommended a lot. Are they the go-to for domain name registration?
I wouldn't say most, but some do not look bad for them. Some do look very bad for them IMO though, and some of those are why I've not used them for many years (some of them happened after I moved my things elsewhere).
The point of that list is to enumerate significant controversies involving GoDaddy, not just those where they look particularly bad.
I bought domains through them many years ago and transferring them out was an absolute and utter (intentional on GoDaddy's part) nightmare.
Even today, I have one domain that I inherited that has been nearly impossible to transfer out, even after talking to support personnel. They keep blaming the receiving registrar even though all the evidence points to GoDaddy's system. I don't know if it's malice or incompetence, but it's kind of hard to tell the difference at this point, and given the very real malice in their past, I'm disinclined to give them too much benefit of the doubt.
Lastly I can't prove it, but about 10 years ago or so I'm pretty sure they bought a domain name that I had been searching using their search tool but was on the fence about buying. When I finally did decide to buy it, it had been registered but was "available" to buy through GoDaddy at a nice markup. I saw online (at the time) several other anecdotes of the same thing.
For those wondering what I use now: hover.com has been great to me for many years. I do have an increasing number on Cloudflare as well.
At one point GoDaddy used a lot of dark patterns in their checkout and cancellation flows. Amazon's worst is relatively tame. I don't know if they cleaned up their act, but that's likely the source.
Cloudflare offers domain registration now (not just transfers), and it's at cost, so I don't see a reason to not use it unless you need to set your own nameservers. That's a paid add-on with Cloudflare's registrar service.
I used to work with a lot of former GoDaddy employees; based on what I was told, they treat their employees horribly internally and are very much focused on nickel-and-diming their customers as much as possible without any desire to provide more than the bare minimum of service to prevent them from being sued for breach of contract.
They are not a company I would ever do business with on the basis of that alone.
GoDaddy has been in the news over the past twenty years for questionable business practices.
I prefer Dynadot (US company). I’ve also heard good things about Gandi (French company). You can also transfer (but not register) domains to Cloudflare.
There’s no excuse to ask for an ID scan to “verify identity” when you can buy a really really good quality automatically generated fake id scan for $5.
Would maybe be defensible if they asked for actually verifiable information, like a dump of the cryptographically signed contents of your chipped passport (haha).
GoDaddy has done a lot of shady shit in the past at least. I have a couple of my own incidents with them. One where I paid the fee for domain brokerage/negotiation with the owner, where they took the money and never responded again.
> For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
> For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Wow.. That's quite severe.. From September 6th to November 17th.. I wonder whether they will do a full impact summary after they figure it out internally.
I've met Demetrius and he's a smart, capable security professional who has already done a lot to bring GoDaddy up to shape. This is an unfortunate miss for them after years of hard work to rectify these kinds of issues.
Unfortunately, 20 years of treating customers like dirt can't be washed away by hiring one capable security professional. For dirt customers like me, the best way of judging a service provider is past form.
I don't buy from companies with a bad history. It's not some kind of behaviour-modification strategy; it's just self-preservation.
I had a domain with them for years, a couple months ago they ditched their entire IMAP/POP3/SMTP email platform and moved all customers to a trial of Microsoft Office365.
I guess that was another part of their ‘legacy platform’?
I transferred the domain to Gandi which offers a couple of email addresses with each domain, something I kept putting off expecting GoDaddy to make it difficult, but it was fine.
But I do wonder how competent a registrar/web/email tech company is if they can’t run email services, and now apparently can’t run websites securely either? I spent a while mulling Fastmail and Rollernet and Mxroute vs paying for Office365 and thinking about how impossible it is to know if a company has the tech skills to back their product offering - and then if they actually do use them - or are just marketing.
> they ditched their entire IMAP/POP3/SMTP email platform and moved all customers to a trial of Microsoft Office365
For browser access to your mailbox, yes they did move to Office365 (free, not a trial), but POP3 and SMTP still work just fine, no change required.
I have been using GoDaddy for many years for a handful of domains, including my own business, and have had no problems using their interface and avoiding paying for add-on products.
Perhaps if you pay them for email already in some way? They sent me emails saying "We're retiring Workspace and moving your email to a new platform. For each of the following accounts you'll get a two-month free trial to test Microsoft 365 from GoDaddy. Asterisk Asterisk your free trial will expire at the end of two months, if you'd like to continue using the product after that you'll be billed at the current rate".
After the move, I had to update my email client to connect to Microsoft servers for POP3/SMTP, it didn't keep working pointing at GoDaddy's securemail address.
Then after two months, they sent me emails saying "Your free trial is expiring soon" and "Urgent: you'll lose access to your email; you'll need to move to a paid plan from your free trial, or you'll lose access to your emails." and when I logged in to the domain management page, a banner saying I'd lose access to my email unless I paid $28/year for a Microsoft Office 365 emails basics plan.
So, if it did actually keep working no change, I'll chalk this up to another GoDaddy dark pattern, and the push to finally move me away from them.
I stand corrected; yes apparently I am paying something extra for email support. Even though I renewed my business domain as usual in March 2021, I now see I paid another invoice for "Microsoft 365 Email Essentials Basic - Renewal" in late June, in the amount of $28.68 (annual). It's now coming back to me that I even conversed with an online operator at GoDaddy to confirm this charge was necessary for me.
Now that I recognize that, I suppose I see it as acceptable. My SMTP and POP3 mail service has continued uninterrupted, and when I log in to GoDaddy webmail every 3 weeks or so to check for spam that I care about, I just click on the "Outlook" web icon to see my mailbox via the web browser.
This was my excuse to move to Fastmail - I was "forwarding" (actually POP3ing) my email into Gmail from GoDaddy. Now it's all in Fastmail. It was also losing the catch-all address that was unacceptable at the time.
They broke my catchall too; Gandi don't have catchall, but they do have unlimited aliases with wildcard support after two characters, so there's all possible AA%, AB%, AC% etc ~1300 aliases listed on this blog which will act like a catchall https://robsblog.robertwatts.com/2020/02/25/gandi-catchall-e...
RollerNet.us has a really nice setup, I've used them at work for years and they don't get much discussion on HN. They say "Roller Network accounts are very different from our competitors: we don’t charge you for domains, mailboxes, users, aliases, etc. All of those settings and configurable items are intangible items in our database. We only track tangible resources: data transfer, data processing, and data storage."
They do primary and secondary DNS (they will slave to your DNS servers), and SMTP relaying (they will be secondary MX and store and forward email to your higher priority MX if they go offline, or store and ETRN if you have some intermittent connection), SMTP frontend (forwarding and relaying and filtering), outbound SMTP relay, and mailbox server. They have a web interface to maillog and a simple REST API. It's just that they're not a domain registrar and their personal account is $50/year, and I have no personal use for most of the features; Gandi was $15 for a year of domain hosting and email, so it won.
Story Time
A few years ago I woke up before going to work and noticed I have a few emails for automatic renewal for some domains I didn't remember buying on GoDaddy - which I wasn't using anymore for anything important.
Upon investigating I found out a Turkish person was using my account for some scams with crypto alongside a few real-world websites he built for business in Ankara. I went to the police, gave them all the evidence (just so I'm safe legally from the scams he was running in my name, with stolen credit cards that were using my address, but in Ankara, not my location), and GoDaddy failed to answer to the local authorities; after 1 year the investigation was shut down because of lack of cooperation from GoDaddy's side.
There was a fair amount of fallout from this with other services as well -- customers who were hosted on GoDaddy but had their accounts compromised had other services spun up with their domain and their credentials.
I know that the company I work for was hit at least once by this, until we implemented stronger KYC checks.
Seriously, any flavor of WordPress is just a breach waiting to happen. It's not a question of "if", it's a question of "when".
I understand that it's easy to use from a writer's point of view (after you get it installed, or if someone else is installing it for you), and that there are all kinds of third-party plugins and support available, but man, that codebase is a gigantic steaming pile of technical debt.
It is much better than it used to be. They seem to have finally gotten automatic updates of the core and plugins working reasonably. But, yes, there's some pretty ugly stuff in there. Like things that appear to be proper parameterized SQL queries, but are not if you look behind the curtain: https://github.com/WordPress/WordPress/blob/807cba060e30a670...
I've been using iwantmyname.com for years. It's simple to search, simple to add integrations, and it's always been reliable on domain renewals for me. It's New Zealand based, I believe.
Simply calling a thing you don't like "a scam" is lazy and unproductive. If you have an argument to make against Godaddy (there are plenty to be made), please do so.