Elemental Holdings, Inc. A South Florida Graphic Design Firm

28,000 GoDaddy Hosting Accounts Compromised

Article originally by Chloe Chamberland. This entry was posted in WordPress Security on May 5, 2020.

This is a public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website hosting providers, disclosed that the SSH credentials of approximately 28,000 GoDaddy hosting accounts were compromised by an unauthorized attacker.

SSH, while extremely secure if configured correctly, can allow logins with either a username/password combination, or a username and a public/private key pair. In the case of this breach, it appears likely that an attacker placed their public key on the affected accounts so that they could maintain access even if the account password was changed.

It is unclear which of GoDaddy’s hosting packages were affected by this breach. According to GoDaddy’s public statement:

“On April 23, 2020, we identified SSH usernames and passwords had been compromised by an unauthorized individual in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed an authorized SSH file from our platform, and have no indication the individual used our customers’ credentials or modified any customer hosting accounts. The individual did not have access to customers’ main GoDaddy accounts.”

The breach itself appears to have occurred on October 19, 2019.

What should I do?

Immediate Action

If you have been impacted by this breach and have not already been notified by GoDaddy, you will likely be notified in the near future.

GoDaddy indicates that they have updated the account passwords and removed the attacker’s public key. While this should prevent the attacker from accessing impacted sites via SSH, we strongly recommend changing your site’s database password, as this could have easily been compromised by an attacker without modifying the account.

Compromised database credentials could be used to gain control of a WordPress site if remote database connections are enabled, which GoDaddy allows on many of its hosting accounts. You may also wish to check your site for unauthorized administrative users, as these could have been created without modifying any files on the site.
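The persistence technique described earlier (a public key left on the account) can be checked for by comparing every entry in `authorized_keys` against the fingerprints you expect. The following is an added example, not code from Wordfence or GoDaddy; the key blobs, comments and IP address are constructed stand-ins, and in practice `text` would be the contents of your account's `~/.ssh/authorized_keys`.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519@", "sk-ecdsa-sha2-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, allowed):
    """Return a finding for each key line that is unknown or unparsable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (from=, command=, ...) may precede the key type, so find it.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append({"line": lineno, "reason": "unparsable"})
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:  # binascii.Error is a ValueError
            findings.append({"line": lineno, "reason": "bad key data"})
            continue
        if fp not in allowed:
            findings.append({"line": lineno, "reason": "unknown key",
                             "type": fields[idx], "fingerprint": fp,
                             "options": " ".join(fields[:idx]),
                             "comment": " ".join(fields[idx + 2:])})
    return findings

def constructed_blob(seed):
    """Stand-in for a key blob; these are not real keys."""
    return base64.b64encode(seed).decode()

# Constructed sample file: one expected key, one unknown key, one damaged line.
SAMPLE = "\n".join([
    "# constructed sample, not real keys",
    "ssh-ed25519 %s owner@laptop" % constructed_blob(b"constructed-owner-key"),
    'from="203.0.113.7",no-pty ssh-rsa %s backup'
    % constructed_blob(b"constructed-unknown-key"),
    "ssh-rsa not*base64 broken",
])
ALLOWED = {fingerprint(constructed_blob(b"constructed-owner-key"))}
```

Calling `audit(SAMPLE, ALLOWED)` reports lines 3 and 4. An attacker controls the comment field, so only the fingerprint identifies a key.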

Remain Vigilant

Breaches like this can create a prime target for attackers who use phishing campaigns as a means to infect users.

Phishing, by general definition, is an attack whereby an attacker will create an email that appears to come from a legitimate source, but is intended to obtain sensitive information from an unsuspecting user. Although only 28,000 hosting accounts appear to have been affected, it is estimated that millions of sites are hosted by GoDaddy. This means that there are millions of users out there who might be worried that they will receive a notification that their hosting account has been breached.

Therefore the likelihood of a phishing campaign targeting GoDaddy users is high. We recommend that under these conditions, GoDaddy customers take care when clicking on links or executing any actions in an email to ensure that they don’t end up as the victim of a phishing attack.

There are a few key things you can check to see if you are the target of a phishing attack:

  • Check the email header. If the source of the email does not come from a registered GoDaddy domain, then it most likely did not come from GoDaddy and is an attempt at phishing.
  • Look for a large number of typos or misspellings in the email content itself. This can indicate the presence of an attacker. Professional emails will contain minimal typos or misspellings, if any.
  • Modified verbiage used to scare you into providing personal information. GoDaddy’s security incident disclosure email should not appear to scare you, or ask you to provide any information. It should simply inform you that you may have been impacted by a breach. If you receive an email that appears to be scaring you into providing information, then it may be a phishing attempt.
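The header check from the first item above can be scripted. This is an added example, not code from Wordfence or GoDaddy. The expected domain is supplied by the caller (`godaddy.com` is used here as an assumption, since the page does not list GoDaddy's sending domains), and the three messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def in_domain(domain, expected):
    """True only for the expected domain itself or a real subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == expected or domain.endswith("." + expected)

def sender_problems(raw, expected):
    """Return reasons to distrust the claimed sender (empty list: none found)."""
    msg = message_from_string(raw)
    # The display name is free text; only the address part is checked.
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    problems = []
    if not in_domain(from_domain, expected):
        problems.append("From domain is %r, not %s" % (from_domain, expected))
    # Trust this header only when your own mail provider added it;
    # a sender can insert a forged copy further down the message.
    verdict = re.search(r"\bdmarc=(\w+)",
                        msg.get("Authentication-Results", ""))
    if verdict is None:
        problems.append("no DMARC verdict recorded")
    elif verdict.group(1).lower() != "pass":
        problems.append("DMARC verdict is " + verdict.group(1))
    return problems

def sample(from_header, dmarc):
    """Build a constructed message; addresses and hosts are made up."""
    return ("From: %s\n"
            "Authentication-Results: mx.recipient.example; dmarc=%s\n"
            "Subject: Security notice\n\nbody\n" % (from_header, dmarc))

GENUINE_LOOKING = sample("GoDaddy <notice@godaddy.com>", "pass")
# The brand appears in the display name and as a prefix of another domain.
LOOKALIKE = sample(
    '"GoDaddy Security" <alerts@godaddy.com.account-alerts.example>', "pass")
# Correct From domain, but the receiving server recorded a DMARC failure.
SPOOFED = sample("GoDaddy <notice@godaddy.com>", "fail")

if __name__ == "__main__":
    for name, raw in [("genuine-looking", GENUINE_LOOKING),
                      ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(name, sender_problems(raw, "godaddy.com"))
```

A clean result means only that the sender domain is authentic, not that the message content is safe.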

If you cannot verify the source of an email or its legitimacy, it is best to go directly to the GoDaddy site and contact them via their standard support channels. This will allow you to verify that your account is secure.

This is a public service announcement by the Wordfence Threat Intelligence team. We are providing this as a courtesy to our own customers, and to the larger WordPress community. Please contact GoDaddy directly if you have questions about the breach or about the security of your account. If you have friends or colleagues who use GoDaddy hosting, we suggest that you share this post with them to ensure they are aware of this issue.

Thank you to Wordfence Senior QA Engineer Ram Gall for his joint contributions and research to this post.
