
No surprise at all that this happened. They had not turned on multi-factor authentication and hackers got in through a static password. Over 80% of data breaches are through static passwords.

From the official GoDaddy statement:

Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.

-

This could have been an easily avoidable data breach.




But they said :

> We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously

So that makes it okay, right?


No. You should only work with partners who take that responsibility extremely seriously. "Very" is an order of magnitude too low.


I’m pretty sure 'bilekas was being sarcastic :)


kreeben was continuing the joke


Ouch. Sorry!


Totally makes it okay! I assume that's after the data is stolen and sold.


See, the trick is to sell customer data before the bad guys get it!


> Over 80% of data breaches are through static passwords.

Static passwords are bad, for sure. But do you have a source for this?


See page 5 of the Verizon report and the number is 81%:

https://www.verizon.com/business/resources/reports/2017_dbir...


Awesome, thanks for sharing that link from 2017.

For everyone not going to go to the PDF, the text is "81% of hacking-related breaches leveraged either stolen and/or weak passwords."

So I'm not sure that you can say that all data breaches are related to static passwords, but it sure is a big number and a problem.

I looked at the 2020 Verizon report, but unfortunately they changed their methodology or reporting so I didn't see a figure for that year for "hacking-related breaches".


> not sure that you can say that all data breaches are related to static passwords

Nobody said that.


Sorry, you are absolutely correct. I mistyped. The original post ( https://news.ycombinator.com/item?id=29306921 ) said "Over 80% of data breaches are through static passwords."

What I should have said was "So I'm not sure that you can say that ~80% of data breaches are related to static passwords, but it sure is a big number and a problem" because:

  * hacking-related breaches != data breaches and
  * stolen and/or weak passwords != static passwords

But the bigger point stands: passwords are a problem.


Weak passwords can be mitigated against, and password reuse limits (of one - no password reuse, ever) the attack surface from there, along with using HIBP's breach database. NIST updated their recommendations about passwords, and forcing a change of password every 30 days was removed because it caused other, more leaky behavior in practice.
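As an added example, not from the thread and not HIBP's own code, of the breach-database check mentioned above: the Pwned Passwords range API is sent only the first five hex characters of the password's SHA-1, so the password itself never leaves the client, and the full suffix is matched locally. The live fetcher is assumed from the public API's shape; the breach counts and the offline stand-in response are constructed here so the block runs without network access.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix: str) -> str:
    """Fetch one 5-hex-char range from the real API (the offline demo does not call this)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """How often `password` appears in the corpus. Only the first 5 hex chars of
    its SHA-1 leave the client (k-anonymity); the suffix is compared locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0  # no matching suffix (padding entries have random suffixes and count 0)


def check_new_password(password: str, fetch_range=fetch_range_live, min_len: int = 12) -> list:
    """NIST-style screening: length plus a breach-corpus lookup, no composition
    rules and no forced rotation. Returns the reasons to reject, empty if fine."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    seen = pwned_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems


# Constructed offline stand-in for the API; these breach counts are made up.
_SAMPLE_LEAKED = {"password": 3861493, "password123": 123456, "qwerty": 3912816}
_SAMPLE_RANGES = {}
for _pw, _n in _SAMPLE_LEAKED.items():
    _h = sha1_hex(_pw)
    _SAMPLE_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_n}")


def fake_fetch_range(prefix: str) -> str:
    """Returns the API's 'SUFFIX:COUNT' lines for the constructed sample."""
    return "\r\n".join(_SAMPLE_RANGES.get(prefix, []))
```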


Over 80% of statistics posted in comments are made on the spot.


No, the correct figure is 78%.


The figure that I used was one from the Verizon Data Breach report in 2017 of 81%.

Page 5 in the executive summary:

https://www.verizon.com/business/resources/reports/2017_dbir...


> No, the correct figure is 78%.

Not credible. There should be some odd number of tenths: 78.3% is clearly more credible than 78%.


An even better solution is WebAuthn... I don't understand why it's not supported more than as a "2nd factor", which very often happens to be a phone/SMS verification service, easy to steal as well.


A static password is fine if it has good strength and you have rate limiting or other ways to prevent brute forcing.


It's really not... Password reuse, other breaches: there are many ways a password can be leaked that aren't brute-forcing. Considering how low the barrier to entry for 2FA is, there really is no excuse these days.


And the classic keyloggers, which have been known to be around for over four decades, ever since the typewriter...

https://en.wikipedia.org/wiki/Keystroke_logging#History

https://en.wikipedia.org/wiki/Keystroke_logging


What is a static password?


> This could have been an easily avoidable data breach.

Like Twitter has done it? https://en.wikipedia.org/wiki/2020_Twitter_account_hijacking

It is super easy to give lessons after the fact.

