New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
GoDaddy Wordpress Hosting Breached - Plaintext Passwords - 1.2M Customers Affected
This morning (22nd), GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers.
By WordFence: https://www.wordfence.com/blog/2021/11/godaddy-breach-plaintext-passwords/
Anyone having GoDaddy MWP (Managed WordPress Hosting) - better change your passwords.
Comments
Or changing providers could also be an option to consider.
Indeed, they're selling a WordPress security product called Sucuri. They protect your website from hackers. LOL.
https://www.lowendtalk.com/discussion/175311/godaddy-discloses-recent-security-breach-that-exposed-1-2-million-accounts
1.2 million accounts breached = 1.2 million posts on LES :-)
Sucuri is still pretty solid. Good team there still.
Can we have a megathread of all companies that follow bad practices for security? I know Ezoic stores passwords as plaintext/in a way that can be decrypted for their managed WP platform, similar to this GoDaddy incident. Comment about companies from which you can retrieve the same password, EPP keys always shown in plain that they never change, and any other security issues.
Security Hall of Shame
1. Godaddy
2. Ezoic
sue them for storing unsalted unhashed plaintext passwords
+1 for this. It will be useful to avoid this kind of problem in the future, I mean from a customer perspective.
Indeed! The list could grow soon! The more privacy matters, the more leaks/bugs there are in security!
1. Godaddy
2. Ezoic
Yes in https://www.lowendtalk.com/wiki/security-hall-of-shame (if @raindog308 @jbiloh make it happen, ofc).
This is the kind of news you sort of expect from GoDaddy. There are other managed hosts that do the same thing and allow you to click to get the password in the clear.
Well I know what you mean
Passwords shouldn't be stored in plain at all just so customers can retrieve them. The same customer who wanted to get their password back this way will blame you if something goes wrong. They want lockdown, but if they are to be questioned at the gate they don't like that.
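Added example, not part of the thread or of any provider's code: a sketch of the alternative to "click to see your password", where only a salted scrypt hash is stored and a forgotten password is handled with a single-use reset token instead of retrieval. `AccountStore`, the scrypt cost parameters and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters
RESET_TTL = 900  # seconds a reset token stays valid (assumed policy)

def hash_password(password: str) -> str:
    """Return 'scrypt$salt$digest'; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # unique per record
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

class AccountStore:
    """Hypothetical in-memory credential store with no 'show my password' path."""
    def __init__(self):
        self.passwords = {}  # user -> scrypt record
        self.resets = {}     # user -> (sha256 of token, expiry timestamp)

    def set_password(self, user, password):
        self.passwords[user] = hash_password(password)

    def login(self, user, password):
        record = self.passwords.get(user)
        return record is not None and verify_password(password, record)

    def start_reset(self, user, now=None):
        """Issue a one-time token to deliver out of band; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TTL
        self.resets[user] = (hashlib.sha256(token.encode()).hexdigest(), expiry)
        return token

    def finish_reset(self, user, token, new_password, now=None):
        stored = self.resets.pop(user, None)  # single use: consumed on any attempt
        if stored is None:
            return False
        token_hash, expiry = stored
        current = now if now is not None else time.time()
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if current > expiry or not hmac.compare_digest(supplied, token_hash):
            return False
        self.set_password(user, new_password)
        return True
```

Anyone who reads `passwords` or `resets` out of this store gets salts, digests and token hashes, none of which can be typed into a login form.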
Suck Uri, huh!?
As there were questions ...
https://www.wordfence.com/blog/2021/11/godaddy-tsohost-mediatemple-123reg-domain-factory-heart-internet-host-europe/
Ohh! Thanks for posting. Those are all sub-brands of GoDaddy!
Indeed, they had this breach as their parent.