Data Breach Spreads To Six Web Hosts

Data breach intrusion discovered at six more web hosts in addition to GoDaddy. Incident exposed sFTP and database credentials for two months undetected

Roger Montti / November 24, 2021 / 3 min read
The GoDaddy data breach that affected up to 1.2 million web hosts has expanded to six more web hosts serving customers worldwide. The six additional compromised web hosts are resellers of GoDaddy’s hosting services. The extent of the intrusion appears to be the same as with GoDaddy, with matching dates of when the security intrusion began.

The six compromised web hosting providers are:

123Reg
Domain Factory
Heart Internet
Host Europe
Media Temple
tsoHost
Precise Dates of Intrusion
The state of California published notification of a security breach submitted by GoDaddy on November 23, 2021.

In the California notification GoDaddy provided specific dates for the security intrusions.

The dates of intrusion are:

09/06/2021
09/07/2021
09/08/2021
09/09/2021
09/10/2021
09/11/2021
11/07/2021
Those dates are important because customers of at least two of the hosting providers were sent notices that referenced the same date of intrusion, September 6, 2021, according to information published by Wordfence. That implies that the root causes of the additional data breaches are connected, at least by date if not more.

The notifications sent to GoDaddy customers and to at least two of the additional web hosts are also similar.

This is the text of part of the email sent to GoDaddy customers:

“We are writing to inform you of a security incident impacting your GoDaddy Managed WordPress hosting service.

On November 17, we identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of a third-party IT forensics firm and have contacted law enforcement.

Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, your customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords.

What this means is the unauthorized party could have obtained the ability to access your Managed WordPress service and make changes to it, including to alter your website and the content stored on it.”

The notice sent to GoDaddy customers is similar to the email notice sent to MediaTemple customers.

This is a part of the email sent to MediaTemple customers:

“…we have determined that, on or about September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, specifically, the customer number and email address associated with your account; your WordPress Admin login set at inception; and your sFTP and database usernames and passwords.”

The administrators of the respective web hosts have reset passwords and recommend that customers reset their passwords. Those whose SSL certificate data was exposed may have to have their certificates reinstalled.

Customers Face Possibly Compromised Websites?
Customers of the additional six web hosting providers that were subject to a data breach may face the possibility of further security issues given that their sensitive data was exposed for two months undetected, giving hackers time to install backdoors, add rogue administrative accounts and upload malicious scripts.
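
For site owners who want a first-pass check for the rogue administrative accounts and uploaded scripts mentioned above, the following triage sketch is an added example and not part of the original article or any host's tooling. It assumes the exposure window runs from September 6, 2021 to the November 17, 2021 detection date quoted in the customer notice, that user records have been exported into the hypothetical dictionary shape shown, and that the media directory is named `uploads`.

```python
import sys
from datetime import datetime, timezone
from pathlib import Path

# Window from the article: access began "on or about" September 6, 2021 and
# suspicious activity was identified on November 17, 2021 (end is exclusive).
WINDOW_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 11, 18, tzinfo=timezone.utc)
SERVER_SUFFIXES = {".php", ".phtml"}

def in_window(ts):
    return WINDOW_START <= ts < WINDOW_END

def suspect_admins(users):
    """Logins of administrator accounts registered inside the window."""
    return sorted(u["login"] for u in users
                  if u["role"] == "administrator" and in_window(u["registered"]))

def suspect_files(root):
    """Map relative path -> reason for server-side scripts needing manual review."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SERVER_SUFFIXES:
            continue
        rel = path.relative_to(root)
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if "uploads" in rel.parts[:-1]:
            # mtime can be reset by whoever wrote the file, so scripts in the
            # media directory are flagged regardless of their timestamp.
            findings[rel.as_posix()] = "script in uploads directory"
        elif in_window(mtime):
            findings[rel.as_posix()] = "modified during exposure window"
    return findings

# Constructed sample rows (hypothetical export of login, registration time, role).
SAMPLE_USERS = [
    {"login": "site-owner", "role": "administrator",
     "registered": datetime(2019, 3, 2, tzinfo=timezone.utc)},
    {"login": "wp-support7", "role": "administrator",
     "registered": datetime(2021, 10, 14, tzinfo=timezone.utc)},
    {"login": "guest-author", "role": "author",
     "registered": datetime(2021, 9, 20, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print("admins to review:", suspect_admins(SAMPLE_USERS))
    if len(sys.argv) > 1:
        for rel, reason in sorted(suspect_files(sys.argv[1]).items()):
            print(f"{reason}: {rel}")
```

A clean result is not proof of a clean site, since modification times can be altered; anything flagged should be compared against a known-good backup or a fresh copy of the plugin or theme.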