Hacker News Re-Imagined

GoDaddy Security Breach

285 points · 12 hours ago · posted by @sumstock · 92 comments


@game_the0ry 11 hours

Replying to @sumstock 🎙

I saw a couple of comments saying to not use godaddy - why is that? I am a godaddy customer and have not been dissatisfied so far (excluding this data breach).

I also see namecheap being recommended a lot. Are they the go-to for domain name registration?



@1cvmask 11 hours

Replying to @sumstock 🎙

No surprise at all that this happened. They had not turned on multi-factor authentication and hackers got in through a static password. Over 80% of data breaches are through static passwords.

From the official GoDaddy statement:

> Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.

This could have been an easily avoidable data breach.


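The point about a static password being the only gate is easiest to see in code. The following is an added example, not code from the original post or from GoDaddy: a login routine that requires both a password and a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP), so that a leaked password on its own is rejected. The account record, the password and the SHA-256 password storage are constructed placeholders for the demo; the shared secret and the expected code for time 59 (287082) are the RFC 6238 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// DemoSecret is the shared secret from the RFC 6238 test vectors (ASCII
// "12345678901234567890"). A real enrolment generates a random secret.
var DemoSecret = []byte("12345678901234567890")

const (
	totpStep   = 30 * time.Second
	totpDigits = 6
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction to the requested digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP derives the RFC 6238 code for the 30-second window containing t.
func TOTP(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix())/uint64(totpStep/time.Second), totpDigits)
}

// Account is a constructed user record. The password is kept as a plain
// SHA-256 digest only to keep the example dependency-free; production code
// should use a slow, salted hash such as bcrypt or Argon2.
type Account struct {
	PasswordHash [32]byte
	TOTPSecret   []byte
}

func NewAccount(password string, totpSecret []byte) Account {
	return Account{PasswordHash: sha256.Sum256([]byte(password)), TOTPSecret: totpSecret}
}

// Authenticate accepts a login only when the password matches AND the code is
// valid for the current window or the one on either side (clock skew). A
// correct password with a missing or stale code fails, which is what a stolen
// static password runs into. Replay protection (rejecting a code already
// accepted in the same window) is left out for brevity.
func (a Account) Authenticate(password, code string, now time.Time) bool {
	got := sha256.Sum256([]byte(password))
	passwordOK := subtle.ConstantTimeCompare(got[:], a.PasswordHash[:]) == 1

	codeOK := false
	for _, skew := range []time.Duration{-totpStep, 0, totpStep} {
		expected := TOTP(a.TOTPSecret, now.Add(skew))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			codeOK = true
		}
	}
	// Both factors are evaluated before deciding, so a wrong password does
	// not short-circuit and reveal which factor failed through timing.
	return passwordOK && codeOK
}

func main() {
	acct := NewAccount("correct horse battery staple", DemoSecret)
	now := time.Unix(59, 0) // RFC 6238 test time; the 6-digit code is 287082
	fmt.Println("password only:          ", acct.Authenticate("correct horse battery staple", "", now))
	fmt.Println("password + current TOTP:", acct.Authenticate("correct horse battery staple", TOTP(DemoSecret, now), now))
	fmt.Println("password + stale TOTP:  ", acct.Authenticate("correct horse battery staple", "287082", time.Unix(119, 0)))
}
```

The stale-code case reuses the RFC 4226 vectors: at time 119 the accepted windows are counters 2, 3 and 4 (359152, 969429, 338314), so the code from counter 1 is refused even though the password is right.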

@sebow 11 hours

Replying to @sumstock 🎙

>This looks interesting, godaddy breach reported by sec, let me click:

>Wordpress

>Oh... nevermind



@bilekas 11 hours

Replying to @sumstock 🎙

> For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.

> For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

Wow... That's quite severe. From September 6th to November 17th. I wonder whether they will do a full impact summary after they figure it out internally.



@joecool1029 8 hours

Replying to @sumstock 🎙

Can we not editorialize the titles?

This is the title: GoDaddy Announces Security Incident Affecting Managed WordPress Service

Saying this is a breach sounds more generalized and makes exponentially more people click the bait to see if their domain accounts were hit (they weren't).



@nathanaldensr 8 hours

Replying to @sumstock 🎙

> Chief Information Security Officer

> Our WordPress password was leaked or exposed--likely due to utter incompetence--and no 2FA was in use.

Man, when can I become a Chief Information Security Officer? I could do a better job in my sleep.



@imroot 8 hours

Replying to @sumstock 🎙

There was a fair amount of fallout from this with other services as well -- customers who were hosted on GoDaddy but had their accounts compromised had other services spun up with their domain and their credentials.

I know that the company I work for was hit at least once by this, until we implemented stronger KYC checks.



@ed25519FUUU 11 hours

Replying to @sumstock 🎙

At least they didn’t try and blame their incompetence on “sophisticated foreign hackers, possibly Russian”



@jodrellblank 9 hours

Replying to @sumstock 🎙

I had a domain with them for years, a couple months ago they ditched their entire IMAP/POP3/SMTP email platform and moved all customers to a trial of Microsoft Office365.

I guess that was another part of their ‘legacy platform’?

I transferred the domain to Gandi which offers a couple of email addresses with each domain, something I kept putting off expecting GoDaddy to make it difficult, but it was fine.

But I do wonder how competent a registrar/web/email tech company is if they can’t run email services, and now apparently can’t run websites securely either? I spent a while mulling Fastmail and Rollernet and Mxroute vs paying for Office365 and thinking about how impossible it is to know if a company has the tech skills to back their product offering - and then if they actually do use them - or are just marketing.



@rvz 11 hours

Replying to @sumstock 🎙

   • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.

   • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.

   • For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.

   • For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

Oh dear. No mention of 2FA mechanisms here. So does that mean GoDaddy's security is not good enough or is in fact very poor?

No different to Epik's security breach I guess, but not the worst security breach I've seen in a long time when compared with Twitch [0].

[0] https://news.ycombinator.com/item?id=28771465



@cpach 11 hours

Replying to @sumstock 🎙

IMO: Friends don’t let friends use GoDaddy.



@rockbruno 9 hours

Replying to @sumstock 🎙

GoDaddy has the weirdest tech stack/tech support combination I have ever seen. I once had an issue where I was unable to update my credit card information, so I contacted their support. Their support process is basically having you give them full access to your account and then having the support person navigate your account like a regular user to see what problem you're facing. So, because I had a problem with the payment flow, she literally asked for my credit card information so she could see which error I was seeing. I was cool-headed enough to explain why that was a ridiculous request but hung up after that. No wonder they got hacked.



@dang 5 hours

Replying to @sumstock 🎙

There's a summary here, which seems to be reporting on the OP: https://www.wordfence.com/blog/2021/11/godaddy-breach-plaint....

(Via https://news.ycombinator.com/item?id=29311286, but no comments there)



@CodinM 9 hours

Replying to @sumstock 🎙

Story time: a few years ago I woke up before going to work and noticed I had a few emails about automatic renewals for some domains I didn't remember buying on GoDaddy, which I wasn't using anymore for anything important.

Upon investigating I found out a Turkish person was using my account for some crypto scams alongside a few real-world websites he had built for businesses in Ankara. I went to the police and gave them all the evidence (just so I'm safe legally from the scams he was running in my name, with stolen credit cards that were using my address, but in Ankara, not my location), and GoDaddy failed to answer the local authorities; after one year the investigation was shut down because of lack of cooperation from GoDaddy's side.



@IYasha 6 hours

Replying to @sumstock 🎙

Good place to ask for alternatives, I suppose. Are there any?

Is NameSilo any better? I can't just go for OpenNIC domain because I have to have email accessible to other servers. :(



@Turing_Machine 8 hours

Replying to @sumstock 🎙

Seriously, any flavor of WordPress is just a breach waiting to happen. It's not a question of "if", it's a question of "when".

I understand that it's easy to use from a writer's point of view (after you get it installed, or if someone else is installing it for you), and that there are all kinds of third-party plugins and support available, but man, that codebase is a gigantic steaming pile of technical debt.



@iamricks 9 hours

Replying to @sumstock 🎙

We once had a domain stolen because somebody called GoDaddy and was able to get the 2FA code removed with a phone call and they had some leaked email credentials for the account.

We had to call GoDaddy and cancel the domain transfer, they would give us no information on how it happened.



@marcc 11 hours

Replying to @sumstock 🎙

Why are we reading this on the SEC site and not the GoDaddy site? I did a quick search and can't find a disclosure on their site. If it's there, it's not easy to find.

Security incidents are going to happen. This particular incident looks to be avoidable (static passwords!). What we should judge the company on is their response and transparency. GoDaddy disclosed, but a new customer on the site wouldn't find this. They also used phrases like "affects our Legacy WordPress Platform" probably to attempt to shift a little blame from the current team or minimize the fall out.

When you have a security incident, be transparent, own it, and deal with it. We can tell when you are trying to sweep it under the rug and hide, and that's bad. This is an opportunity for an org to show that they put customers first and shine.



@legrande 9 hours

Replying to @sumstock 🎙

From my experience with GoDaddy, the number of dark patterns in the service was astonishing. It made me move to better hosting providers. They always try to up-sell you stuff, and tack on all these additional features that you have to opt out of when buying something. You have to be really careful on there in case you buy something you didn't want. Also, their UI is really messy and things are buried in multiple deep links and menus. One out of five, do not recommend. It's no wonder they suffered a breach.


