No surprise at all that this happened. They had not turned on multi-factor authentication and hackers got in through a static password. Over 80% of data breaches are through static passwords.
From the official GoDaddy statement:
Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.
This could have been an easily avoidable data breach.
For everyone not going to go to the PDF, the text is "81% of hacking-related breaches leveraged either stolen and/or weak passwords."
So I'm not sure that you can say that all data breaches are related to static passwords, but it sure is a big number and a problem.
I looked at the 2020 Verizon report, but unfortunately they changed their methodology or reporting so I didn't see a figure for that year for "hacking-related breaches".
What I should have said was "So I'm not sure that you can say that ~80% of data breaches are related to static passwords, but it sure is a big number and a problem" because:
* hacking-related breaches != data breaches and
* stolen and/or weak passwords != static passwords
But the bigger point stands: passwords are a problem.
Weak passwords can be mitigated against, and password reuse limits (of one - no password reuse, ever) the attack surface from there, along with using HIBP's breach database. NIST updated their recommendations about passwords, and forcing a change of password every 30 days was removed because it caused other, more leaky behavior in practice.
An even better solution is WebAuthn... I don't understand why it's not supported more than "2nd factor", which very often happens to be a phone/SMS verification service, easy to steal as well.
It's really not... Password reuse, other breaches, there's many ways a password can be leaked that isn't brute-forcing. Considering how low the barrier to entry to 2FA is, there really is no excuse these days.