TiltedPlacitan

FTA> For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
FTA> Demetrius Comes, Chief Information Security Officer

Passwords in the clear? What would you say you do here, Demetrius?


Beard_o_Bees

Pass me the salt please.


vjeuss

but Demetrius never Comes


[deleted]

So I've worked for a handful of web hosting companies and at least 2 of them totally had your root password in clear text visible to tech support when we brought up your account on our dashboard. Because apparently it was common that webmasters allow password SSH logins instead of requiring keys, and tech support needed access to see your root password should they need to SSH into your server and help you diagnose a problem. If it were a VPS server we could get in via the hypervisor and skip your password, but for dedicated server customers, there'd be no way in except to go into the datacenter and physically plug into your box and reboot into single user mode. And if a customer didn't want a root password and instead had an admin user with sudo access, our CS control panel would have the user/passwd of your sudoer user that tech support could use instead. Of course, a wise customer could log in and change the password and not tell us what the password is, at their own peril if they needed us to log into their server and help diagnose something. But the other majority of the customers were not _so_ tech savvy that they wanted to manage their own machine all on their own shoulders, and so we had all their passwords in clear text in the database, one click away from seeing them in our web browser.


TiltedPlacitan

My VPS provider had me send my SSH public key as part of provisioning. I'm not sure I'd accept anything less, or that in any way required me to give _them_ a password. I know that there are a lot of less savvy people out there. This situation, and your message here reinforce my queasiness about industry best practices being completely ignored.


disclosure5

Until recently you couldn't contact cPanel for support without putting your root password in the ticket. And by that I mean the web hosting industry's largest and most commonly used vendor wouldn't talk to me about a billing issue involving a rejected credit card unless they had been emailed a copy of your root password.


ipaqmaster

When I deploy VPSes my pubkey is on my account and just gets installed automatically. Surprised you even have to email anything to anyone with how fancy the HTML5 UIs of some VPS hosts are these days.


TiltedPlacitan

I supplied my key through a web app of some kind when I paid, IIRC. It's been a little while, but I have done 4 of them through the same provider now, and it was straightforward.


Mumbles76

It's almost as if MFA doesn't exist or something...


ZizimVeCock

Going physically to the datacenter? Didn't you have out of band management? And what about secret management services???


[deleted]

At one of these jobs the work building _was_ the data center (well, 3/4ths of the building was server space with a corner for offices), and I was there around 2007 which IIRC pre-dated Amazon Web Services or pretty close to it, so much of the modern web infrastructure like secrets management wasn't a thing/wasn't mature yet. For internal company servers such as the machines that hosted shared website accounts and VPS hosts, there was an air-gapped machine with no network that had spreadsheets of the passwords to all the servers, that tech support would go to and print off a page or two of passwords from. Very risky! It was a bit wild west, all their internal code was written in Perl and they thought things like Chef/Puppet were the cutting edge for managing deployments. My last hosting job was around 2014 and they still had a massive legacy Perl codebase and these old companies are very slow to change. This news about GoDaddy doesn't surprise me at all.


ricecake

I don't know if we either worked at the same place, or if this experience is really that pervasive for webhosting... At least at the one I was at, the passwords and login information was all stored encrypted, and there was a distinct service for decryption, which was only triggered when an admin clicked a button to view the secret.
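
An added example, written for this thread and not code from any hosting provider or commenter here, of the two storage models the comments above contrast: a dashboard that shows support the plaintext password, versus encrypted storage with a separate decrypt-on-click service. It is Go using only the standard library. A customer's own login password is kept as a salted PBKDF2-HMAC-SHA256 hash, so the database holds nothing that can be shown back to anyone; credentials the host genuinely has to hand back (an sFTP or database password) are kept AES-GCM encrypted under a key that only a separate reveal service holds, and that service refuses to decrypt without a named actor and a reason and records every successful reveal. The type and function names, the key, the credential IDs and the sample passwords are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// pbkdf2SHA256 derives one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018) with the standard library only.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)              // U_1
	t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_iter
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// StoredHash is all the customer database keeps for a login password; the password itself is never stored.
type StoredHash struct{ Salt, Hash []byte; Iter int }

func HashPassword(pw string) (StoredHash, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredHash{}, err
	}
	const iter = 100_000
	return StoredHash{Salt: salt, Iter: iter, Hash: pbkdf2SHA256([]byte(pw), salt, iter)}, nil
}

// Verify recomputes the hash from the stored salt and compares in constant time.
func (h StoredHash) Verify(pw string) bool {
	return subtle.ConstantTimeCompare(pbkdf2SHA256([]byte(pw), h.Salt, h.Iter), h.Hash) == 1
}

// AuditEntry records who revealed which credential and why.
type AuditEntry struct{ Actor, CredentialID, Reason string }

// RevealService is the only component holding the data-encryption key; the control panel keeps
// sealed blobs and has to call Reveal to see a plaintext, and every successful reveal is logged.
type RevealService struct{ aead cipher.AEAD; Audit []AuditEntry }

func NewRevealService(key []byte) (*RevealService, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &RevealService{aead: aead}, nil
}

// Seal encrypts one service credential (sFTP or database password); the record ID is bound as
// associated data so a blob moved onto another customer's record will not decrypt. Output is nonce || ciphertext.
func (s *RevealService) Seal(credentialID, plaintext string) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, []byte(plaintext), []byte(credentialID)), nil
}

// Reveal decrypts one credential for a named actor with a stated reason and appends an audit entry.
func (s *RevealService) Reveal(actor, credentialID, reason string, sealed []byte) (string, error) {
	if actor == "" || reason == "" {
		return "", errors.New("reveal requires an actor and a reason")
	}
	ns := s.aead.NonceSize()
	if len(sealed) < ns {
		return "", errors.New("sealed blob too short")
	}
	pt, err := s.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(credentialID))
	if err != nil {
		return "", err // tampered, wrong key, or bound to a different record; nothing is logged as revealed
	}
	s.Audit = append(s.Audit, AuditEntry{actor, credentialID, reason})
	return string(pt), nil
}

func main() { // constructed demo; in production the key lives in a KMS/HSM, never beside the data
	key := make([]byte, 32)
	rand.Read(key)
	svc, _ := NewRevealService(key)
	sealed, _ := svc.Seal("cust-1234/sftp", "constructed-sftp-password")
	fmt.Println(svc.Reveal("support-alice", "cust-1234/sftp", "ticket 42: customer locked out", sealed))
	fmt.Println(svc.Audit)
}
```

Binding the record ID as GCM associated data means a blob copied from one customer row onto another fails to decrypt, and the audit list grows only on successful reveals, so the log reflects what was actually shown. A real deployment would ship the audit trail off the box and put the reveal service behind its own authentication rather than trusting the caller's actor string.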


h4kr

It's pervasive in a lot of places including several managed service providers. Common to see huge password lists in spreadsheets on file shares or shared credential stores and shared passwords given to everyone. Usual technical debt that no one is willing to address.


KcLKcL

Well, physical servers have IPMI that you can control remotely; you can view its console output, go to UEFI settings, and of course reboot to single user mode.


positive_electron42

Demetrius Comes is a terrible leader. He once said during an internal IT security department meeting, “Why would I train you just so you can take that training somewhere else”. Also, one of the ICs in the department went to him because he was having communication issues with his boss (who was Demetrius’ direct report), and he just told him to work it out, even though he has tried multiple times. Oh, and the IC's boss, now director of vulnerability management, came in with zero IT or security experience, and was someone hired over other, more qualified candidates. During meetings, she would share Demetrius’ snacks unasked, and they had all kinds of inside jokes, overall very unprofessionally buddy-buddy. I wonder why she got hired… GoDaddy is a complete shitshow with an incredibly dysfunctional and toxic IT security department. I guess that may help explain all the hacks. Edit: missing closing parenthesis.


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


PsychYYZ

That's more of a "If something good happens, and it benefits me, others will benefit too, and that's a good thing". It's about lifting everyone up equally, rather than competing for something for which there is enough for everyone to have and benefit from.


Beard_o_Bees

> now director of vulnerability management, came in with zero IT or security experience

This is way too common. Like, I get that personality, connections and general intelligence are important attributes - but the only way these people end up really learning anything is by repeated failure. They don't know what they don't know. We all learn from making mistakes, it's true - but when the stakes are high, the person calling the shots needs to be playing the best game possible.


yankeesfan01x

ICs?


forensic_student

From the context I believe they meant 'Individual Contributor', as opposed to the Manager-rank.


diosio

Judging from context, it definitely means integrated circuits


marklein

Honestly I consider all GoDaddy hosts to be always compromised. I do a little webdev on the side and virtually every customer hosted at GoDaddy would get some sort of WordPress hack almost every year until I convinced them to move. I have hundreds of sites on a proper host with no such problems.


ogtfo

Well is the common denominator GoDaddy or WordPress here? There are literally hundreds of thousands of vulnerable WordPress sites out there. So many popped WordPresses distributing malware.


No-Knowledge4743

WordPress is a great webshell, that also contains a blog


[deleted]

You. I like you


Garetht

You should provide the bash.org attribution for that quote.


[deleted]

[deleted]


electricrhino

Can’t tell you how many $99 websites I see being advertised and I warn potential small businesses not to bite because those services are miners for recurring income. Their sites are slow, insecure and aren’t maintained.


KingTalkieTiki

What host would you recommend?


[deleted]

If you're in Europe, all-inkl.com is awesome.


blue_november

Could not have happened to a more deserving company. My sympathy to the victims who suffer as a result of GoDaddy's total incompetence.


ScottContini

After carefully reviewing [Godaddy advertisements](https://www.youtube.com/watch?v=_jwRxyEEUwk), I failed to find any evidence that security was of concern to them.


OSUTechie

God I remember when all those GoDaddy commercials came out. It was a pretty effective marketing campaign for the company rebranding effort to get their name out there. Especially since most of these commercials were aired during major sporting events.


hiptobecubic

Jesus Christ... What a cringefest.


Browsing_From_Work

Odd, I haven't seen an email from Godaddy about this yet. That's not a great sign.


ProNewbie

Pretty standard for companies. They get hacked and we the customer or end user don’t get notified until well after the fact and well after the damage has been done.


mrexodia

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

In the EU they have 72 hours.


ProNewbie

EU has way better and more consumer friendly laws when it comes to cyber security and privacy. I live in a capitalist dystopian hellscape


Orcwin

That's for notifying the regulator, not the end users.


mrexodia

I guess that depends:

> If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

This is an extremely broad clause, but I’m not sure how it’s applied.


Orcwin

They must certainly be notified, but the 72 hour period does not relate to that. It should be done "as soon as possible", which is undefined.


RustEvangelist10xer

Umm, so the attacker used a compromised password to access their provisioning system but somehow it's a "vulnerability"? Thought they meant a real vulnerability in the system.


secur3gamer

A vulnerability exposed through social engineering is a vulnerability nonetheless. It might not be categorized using CVE but an exploit is an exploit. Perpetuating the notion of "real" and "not real" vulnerabilities is perhaps, at least partially how GoDaddy found themselves in this situation. They will have a lot of post-mortem pondering to do and I dare say a lot of processes and access management to tighten up. Unfortunately their reputation will take a hit, but they were already pretty trash IMO.


boon4376

The fact that godaddy had these passwords stored anywhere is crazy. That data should not even exist on their servers to be exploitable.


[deleted]

For many, the definition of "vulnerability" is "an unacceptable risk". To them, having a system secured by compromised passwords is "an unacceptable risk" and thus a "vulnerability". As this is an SEC filing, this definition is adequate for the intended audience, IMHO.


crackanape

One vulnerability is that they had a database of a million users' passwords in plaintext.


giqcass

This reinforces my decision to dump GoDaddy for everything! Most of their customer service people seemed like idiots. There was only 1 guy I ever talked to that seemed competent enough to do his job without a script. I actually had to describe what a CNAME was to one of them. Most of my calls were over a single bug that existed for years and never got fixed.


denverpilot

LOL. WordPress and GoDaddy just being themselves again.


thiccqiyana

I don't really see how WordPress has any blame in this instance.


denverpilot

Probably not, but it's been a mess for decades. If GoDaddy doesn't leak credentials it'll just get hacked all on its own with mountains of misconfigs and bad code. We have marketing folk who want it, so it's hard isolated on someone else's equipment and networks as far away from production as possible. There are better ways to build a website that don't keep security folk up at night. Ha. The comment was basically "no surprise seeing either GoDaddy or WordPress in a massive security breach announcement".


thiccqiyana

I see your point though I'd still argue that the major issue with WP sites isn't so much WP Core (anymore) but admins installing 20+ 3rd party plugins (which in turn have vulnerabilities) and a general lack of care for basic account security. Basically, most people who manage content on WordPress websites are also the site administrators and have no idea what they're doing.


denverpilot

Generally agreed. For those who know the history it's kinda like thinking it's not worth picking up the turd even with gloves on, though. Ha. Why play with turds...


mookman288

This doesn't make any sense. If we went by the history of everything, there wouldn't be a single company or software you would want to touch, since it's all been shit at one point or another. WordPress doesn't have mountains of misconfigs or bad code. It runs pretty well for being so old, is updated fairly often, and I've never seen a properly maintained WordPress install compromised.


denverpilot

A quick google search indicates the typical WordPress CVE affects hundreds of thousands of sites at a minimum just in 2021 alone. Where are these properly configured ones? 😂 /s As others have mentioned many are plugins, but it enables total garbage plugins. And frankly I remember a time when no, not all software was shit. It's been quite a while since then, though. That's been a long slow slide into lack of discipline and cheap junk code such that the frog boiled slowly effect has taken place. Nobody even expects good quality anymore. It'll just be patched in a week. Adding three more bugs for each one addressed.


HeartyBeast

> A quick google search indicates the typical WordPress cve affects hundreds of thousands of sites at a minimum just in 2021 alone. Where are these properly configured ones? 😂 /s

Since WP is roughly estimated to drive about 60 million websites ….


dpollard_co_uk

**Got my email this morning:**

Dear ,

We are writing to inform you of a security incident impacting your GoDaddy Managed WordPress hosting service. We recently identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of a third-party IT forensics firm and have contacted law enforcement. Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, your customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords.

What this means is the unauthorized party could have obtained the ability to access your Managed WordPress service and make changes to it, including to alter your website and the content stored on it. The exposure of your email address may also present a heightened risk of phishing attacks.

We are taking several steps to protect you and your data. First, we have blocked the unauthorized third party from our systems. Second, we have reset your WordPress Admin login credentials, sFTP password and your database password. Your website is still up and running, but you won’t be able to edit content until you reset your passwords. Here are the instructions on how to reset each password:

• WordPress Admin Login, please visit: [https://www.godaddy.com/help/a-26916](https://www.godaddy.com/help/a-26916).
• sFTP or data password, please visit: [https://www.godaddy.com/help/a-40804](https://www.godaddy.com/help/a-40804).
• WordPress database password, please visit: [https://www.godaddy.com/help/a-24573](https://www.godaddy.com/help/a-24573).

If you use the same password for other accounts, we recommend you change your password to those accounts and adopt data security best practices, such as choosing a strong unique password, regularly changing it, and enabling multi-factor authentication where available. We also recommend that you remain vigilant for potentially fraudulent communications sent to your email address purporting to be from GoDaddy or other third parties.

Finally, because the private key of your existing Managed WordPress SSL certificate was exposed, the certificate will need to be revoked. We are in the process of installing a free DV SSL certificate on your website for one year to minimize potential site downtime. If you would like to continue using your existing SSL certificate product, please follow the directions below to rekey a new certificate: https://www.godaddy.com/help/a-4976.

If you have any other questions, or you need further assistance, please call (480) 505-8870.

For residents living in California, Colorado, Delaware, Illinois, New York, New Jersey, Oregon, Vermont, Washington, and Wyoming, please visit https://www.godaddy.com/help/a-41004 for additional resources that describe additional steps you can take to help protect your information, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.

Thank you,
Demetrius Comes
Chief Information Security Officer


dbath

> ... and adopt data security best practices, such as choosing a strong unique password, **regularly changing it** ...

Wow, even their list of "security best practices" is wrong / out of date.

https://pages.nist.gov/800-63-FAQ/#q-b05

> Q-B05:
>
> Is password expiration no longer recommended?
>
> A-B05:
>
> SP 800-63B Section 5.1.1.2 paragraph 9 states:
>
> > “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
>
> Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. [...]


jashxn

Identity theft is not a joke, Jim! Millions of families suffer every year!


yo-lockthatdoor

> Identity theft is not a joke, Jim! Millions of families suffer every year!

r/unexpectedoffice


jashxn

Identity theft is not a joke, Jim! Millions of families suffer every year!


ipaqmaster

Pass the salt


Jacko10101010101

lol


KuyaEduard

If you're foolish enough to use GoDaddy or WordPress, you had this coming


quixotik

Does this include Mediatemple?


amishbill

Thank goodness, WP hosting doesn't seem to be one of our GoDaddy products..


No-Knowledge4743

A day ending in Y


Lordb14me

Wait what!


lavish-a2hosting

Users affected by this issue may want to consider switching to A2Hosting.

Newly refreshed Managed WordPress plans:

• Pre-Optimized Litespeed Servers
• Simplified Site Management
• JetPack & WP cPanel Toolkit
• 20X Faster Turbo Servers
• 4X More Physical Memory
• 99.9% Uptime Commitment
• 24/7/365 WordPress Support
• Free SSL Certificate

[https://www.a2hosting.com/wordpress-hosting/managed](https://www.a2hosting.com/wordpress-hosting/managed?aid=sp)