GoDaddy was founded by Bob Parsons in 1997 and is an internet domain registrar as well as a web hosting company. GoDaddy has over 20 million customers and employs more than 7,000 people around the globe, with many working remotely. On November 17, 2021, GoDaddy discovered unauthorized third-party access to its Managed WordPress hosting environment, affecting about 1.2 million customers. The incursion was the result of an employee’s compromised password.
How Did GoDaddy Get Hacked?
On November 17, 2021, the company discovered unauthorized third-party access to its Managed WordPress hosting environment. GoDaddy says it immediately took action, launching a forensic investigation and blocking the intruder from its systems.
Demetrius Comes is GoDaddy’s Chief Information Security Officer. He explained how the incursion occurred in a filing with the US Securities and Exchange Commission. “Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.”
Although GoDaddy discovered the incident on November 17, Comes added that the attackers had maintained access to its network for months before being detected. GoDaddy’s investigation had already determined that the attack began on September 6, 2021, with the unauthorized party having access to customer information all the way up until November 17.
In the aftermath of the incident, GoDaddy also revealed that up to 1.2 million Managed WordPress customers had their email addresses and customer numbers exposed in the attack, leaving them open to future phishing activity.
The company’s CISO also explained how GoDaddy was looking to protect exposed customers in light of the discovery of the wide-ranging breach. “The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords. For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords. For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.”
The latest attack came almost exactly a year after fraudsters managed to redirect web and email traffic for several of GoDaddy’s cryptocurrency trading clients after tricking the company’s employees into revealing login credentials following a voice phishing (vishing) scam.
On several occasions last year, GoDaddy also disclosed further similar incidents that had occurred during 2020. A number of trading platforms were affected by the November 2020 attack. Support staff at GoDaddy received phone calls asking them to log in using their employee credentials on a fraudulent GoDaddy webpage.
The company said its investigations had confirmed social engineering activity directed at staff. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.”
The Widespread Password Problem
Credentials will always leave organizations open to phishing attacks. Where there’s a password, there’s a way in for hackers, and that’s partly because employees are lazy. Amazingly, people tend to use the simplest memorable options — here are the ten worst.
Little wonder then that Verizon’s 2021 Data Breach Investigations Report revealed that 89% of hacking connected with web applications and desktop sharing involves some form of user credential abuse. A study by IBM also found that 80% of data breaches involve stolen credentials.
What’s more, fraudsters don’t only target big companies like GoDaddy. Every business is vulnerable to password fraud. SCORE is the largest network of business mentors in the US, established in 1964. It says that 43% of online attacks are aimed at smaller players — and business insurer Hiscox estimates that the average breach costs around $200,000. Perhaps even more worryingly, Inc.com reveals that 60% of small businesses fold within six months of a cyber attack.
The risks haven’t gone unnoticed. As recently as July this year, a rising tide of attacks prompted the United States Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, the Australian Cyber Security Centre, and the UK’s National Cyber Security Centre, to issue a joint warning.
CISA recommends that organizations bolster their security with a range of additional layers. However, the trouble with most available options is that typically, somewhere, there still lurks a password — and that password continues to present a vulnerability for criminals to exploit.
Even sophisticated, costly biometric options typically fall back to a password when there’s a hardware problem. Single Sign-On (SSO) doesn’t provide what you could call true passwordless authentication either, being more about convenience and speed and still offering a password for hackers to exploit. One-time Password (OTP) solutions rely on SMS or email to deliver the codes — and both email and SMS are incredibly open to attack.
Is There a True Passwordless Alternative?
Public-private key (asymmetric) technology is the only real alternative to passwords and a completely secure way to protect your business. At the current time, this type of technology is unhackable.
Meveto is an innovative cybersecurity company based in California. Meveto offers a quick, easy-to-integrate passwordless solution that utilizes asymmetric encryption to keep internet fraudsters at bay. Once you register, your mobile device generates a pair of keys. One is public and kept on the company’s server. The other is private and stays on your phone where only you can access it.
Even in the unlikely event that Meveto’s server gets compromised, your public key is entirely worthless to hackers. The private key needed to authenticate is stored only on the client device.
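The enrollment and login flow described above, as an added example in Go that is not Meveto’s own code: the device generates the pair and registers only the public key, the server proves possession of the private key by issuing a random challenge that the device signs, and each challenge is consumed on use so a captured response cannot be replayed. Ed25519 and the one-time 32-byte nonce are assumptions about the concrete scheme; the page does not say which algorithm or challenge format Meveto uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)
// Server stores only the public half of each key pair plus one outstanding challenge per user.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}
func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}
// Enroll runs on the user's device: the pair is generated there, only the public
// key is registered, and the private key is returned to stay on the device.
func Enroll(s *Server, user string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = pub
	return priv, nil
}
// Challenge issues a fresh 32-byte random nonce (assumed format), valid for one attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}
// Respond runs on the device: it signs the nonce; the signature, never the key, is sent back.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}
// Verify consumes the outstanding nonce first (no replay), then checks the signature
// against the stored public key. A stolen public key cannot produce a valid response.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	issued, pending := s.challenges[user]
	if !ok || !pending || !bytes.Equal(issued, nonce) {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, nonce, sig)
}
```

A breach of the server yields only `pubKeys`, which is enough to verify responses but not to create them, which is the property the paragraph above relies on.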
Meveto isn’t just supremely secure; it’s also convenient. It enables ‘one-click logins’ from any device, and you can even log out remotely when you’re not around. You can share accounts with trusted people too. In fact, Meveto’s passwordless option offers all the convenience benefits of the various password-vulnerable alternatives out there — but without the risks.
Ready to Go Passwordless?
High-profile attacks like GoDaddy happen often, and smaller businesses get hacked frequently. With increasing awareness of cyberfraud amongst the public, many customers out there are now demanding better security.
Even companies who don’t have much data to lose in the event of a breach can benefit from offering something more secure. Many still put off doing anything about passwords fearing the costs — but the fact is, passwordless is neither expensive nor time-consuming to set up.
About Meveto
Emir Ceric founded Meveto in 2017 with a mission to provide a user-friendly alternative to outdated passwords and vulnerable 2FA solutions. The goal wasn’t just to eliminate password fraud. The company wanted to produce something quick, secure, and easy for customers while being cheap and convenient for companies, too.
If anything, Meveto reduces work for IT departments. It eliminates costs associated with setting up and endlessly resetting passwords, and negates the need for users and employees to remember login credentials, too.
Let’s face it, hackers aren’t going away any time soon, and your customers are becoming more and more aware of the risks they present every day. You can learn more about registration, quick integration and how Meveto works right here.