Data breach spreads to six web hosts


The GoDaddy data breach that affected up to 1.2 million web hosts has spread to six other web hosts serving customers around the world. The other six compromised hosts are resellers of GoDaddy’s hosting services. The extent of the intrusion appears to be the same as with GoDaddy, with corresponding dates of the onset of the security intrusion.

The six compromised web hosting providers are:

  • 123Reg
  • Domain Factory
  • Heart Internet
  • Host Europe
  • Media Temple
  • tsoHost

Precise intrusion dates

The State of California released a security breach notification submitted by GoDaddy on November 23, 2021.

In the California notification, GoDaddy provided specific dates for the security intrusions.

The intrusion dates are:

  • 06/09/2021
  • 07/09/2021
  • 08/09/2021
  • 09/09/2021
  • 09/10/2021
  • 09/11/2021
  • 07/11/2021

These dates are important because customers of at least two of the other hosts have received notices referring to the same intrusion date, September 6, 2021, according to information published by Wordfence. This suggests that the additional data breaches share a common root cause, matching at least by date if not more.

The notifications sent to GoDaddy clients and at least two of the additional web hosts are also similar.

Here is the text of part of the email sent to GoDaddy customers:

“We are writing to inform you of a security incident affecting your WordPress hosting service operated by GoDaddy.

On November 17th, we identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of a third party computer forensics company and contacted law enforcement.

Our investigation is ongoing, but we have determined that on or around September 6, 2021, an unauthorized third party gained access to certain credentials for back office services, in particular, your customer number and email address associated with your account; your WordPress Admin ID defined at the start; and your sFTP and database usernames and passwords.

This means that the unauthorized party might have been given the ability to access and make changes to your managed WordPress service, including modifying your website and the content stored there.”

The notification sent to GoDaddy customers is similar to the email notification sent to MediaTemple customers.

This is part of the email sent to MediaTemple customers:

“… we have determined that on or around September 6, 2021, an unauthorized third party gained access to certain authentication information for administrative services, in particular the customer number and email address associated with your account; your WordPress Admin ID defined at the start; and your sFTP and database usernames and passwords.”

The administrators of the respective web hosts have reset the passwords and recommend that customers reset their passwords. Those whose SSL certificate data has been exposed may need to reinstall their certificates.

Are customers facing potentially compromised websites?

Customers of the six other web hosting providers affected by the data breach may face additional security concerns: their sensitive data was exposed undetected for two months, giving attackers time to install backdoors, add malicious administrative accounts, and download malicious scripts.
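As an added example (not from the article, GoDaddy or any of the hosts), here is a Python triage script a site owner could run after such a credential exposure: it flags administrator accounts registered on or after the September 6, 2021 intrusion date, and PHP files that were modified after that date or that sit under wp-content/uploads, where no PHP belongs. The user and file records are constructed sample data; scan_tree walks a real docroot if you have one.

```python
"""Post-breach triage for a WordPress site whose sFTP/DB credentials were exposed."""
import os
from datetime import datetime, timezone

# Intrusion onset date given in the GoDaddy notification.
INTRUSION_DATE = datetime(2021, 9, 6, tzinfo=timezone.utc)

def suspicious_admins(users, since=INTRUSION_DATE):
    """Admin logins registered on/after the intrusion date (dict per wp_users row)."""
    return sorted(
        u["user_login"] for u in users
        if "administrator" in u["roles"] and u["user_registered"] >= since
    )

def suspicious_files(files, since=INTRUSION_DATE):
    """PHP files modified after `since`, or any PHP file under wp-content/uploads.
    Note: legitimate core/plugin updates also touch PHP files after the date, so
    confirm hits by diffing against a pristine copy rather than deleting blindly."""
    flagged = []
    for path, mtime in files:
        is_php = path.lower().endswith((".php", ".phtml"))
        in_uploads = "/wp-content/uploads/" in path
        if is_php and (mtime >= since or in_uploads):
            flagged.append(path)
    return sorted(flagged)

def scan_tree(root, since=INTRUSION_DATE):
    """Walk a real WordPress docroot and return flagged paths (mtime from the filesystem)."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)
            records.append((p.replace(os.sep, "/"), mtime))
    return suspicious_files(records, since)

# Constructed sample data (hypothetical users and paths, not taken from the article).
SAMPLE_USERS = [
    {"user_login": "owner", "roles": ["administrator"], "user_registered": datetime(2019, 3, 1, tzinfo=timezone.utc)},
    {"user_login": "wp_sys_update", "roles": ["administrator"], "user_registered": datetime(2021, 9, 14, tzinfo=timezone.utc)},
    {"user_login": "editor1", "roles": ["editor"], "user_registered": datetime(2021, 10, 2, tzinfo=timezone.utc)},
]
SAMPLE_FILES = [
    ("/var/www/html/wp-config.php", datetime(2021, 5, 20, tzinfo=timezone.utc)),
    ("/var/www/html/wp-content/uploads/2021/09/image.jpg", datetime(2021, 9, 20, tzinfo=timezone.utc)),
    ("/var/www/html/wp-content/uploads/2021/09/cache.php", datetime(2021, 9, 8, tzinfo=timezone.utc)),
    ("/var/www/html/wp-includes/class-wp.php", datetime(2021, 9, 30, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print("admins to verify:", suspicious_admins(SAMPLE_USERS))
    print("files to verify:", suspicious_files(SAMPLE_FILES))
```

Run against a real site with scan_tree("/path/to/docroot") and export wp_users with its capabilities into the same dict shape; treat every hit as something to verify, since rotated passwords do not remove a backdoor that was already planted.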

Sources

Read the Wordfence security advisory

GoDaddy Breach expands to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet and Host Europe

California Data Security Breach Notification

Sample email sent by GoDaddy (PDF)
