Here’s the rub though. We haven’t hosted any Wordpress with them, or anything for that matter. We only registered some
Vanity domains with them. They aren’t even the registrar on our primary domains.
———————————————-
Dear Company,
We are writing to inform you of a security incident impacting our GoDaddy Managed WordPress environment you once purchased and used. According to our records your Managed WordPress account is no longer active.
On November 17, we identified suspicious activity in our WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and have contacted law enforcement. Our investigation is ongoing, but we have determined that, on or about September 6, 2021, an unauthorized third party gained access to your customer number, the email address associated with your previously used Managed WordPress account, and the password you first used when setting up your WordPress Admin login.
If you use that same password for other accounts, we recommend you change your password to those accounts and adopt data security best practices, such as choosing a strong unique password, regularly changing it, and enabling multi-factor authentication where available. We also recommend that you remain vigilant for potentially fraudulent communications sent to your email address purporting to be from GoDaddy or other third parties.
For residents living in California, Colorado, Delaware, Illinois, New York, New Jersey, Oregon, Vermont, Washington, and Wyoming, please visit https://www.godaddy.com/help/a-41004 for additional resources that describe additional steps you can take to help protect your information, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.
"If you live in a state other than California, Colorado, Delaware, Illinois, New York, New Jersey, Oregon, Vermont, Washington, or Wyoming, we're under no legal obligation to do anything to help you, so don't bother checking that help article".
Seriously, why list out those specific states rather than just saying 'check our help guide available at https://www.godaddy.com/help/a-41004 for additional resources that describe additional steps you can take to help protect your information, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file.'?
and they won't. You can't ever get the stink of a data breach off your core website SEO, so instead they will use other outlets or buy some throwaway domain like "godaddyidentityprotection.net". Lord knows they can do that cheaply (though they might have trouble setting up their WordPress site!)
Just a heads up, they'll issue a proper SSL certificate if you ask them. I have had it working on my domain for a couple years.
EDIT: OK, well maybe not proper. They'll add your domain to the Let's Encrypt cert being served there I guess (since mine is listed in the list of valid domains on the invalid cert for your site).
I have an account with CloudWays which is very popular in the WP space. Logged in a moment ago and there's a password field for a server's SSH/SFTP that can be revealed. Isn't that the exact thing that GoDaddy have just been stung by?
"GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext."
Goddamn, anyone else feeling a deep anger rising when reading this in 2021?
"According to the report filed by GoDaddy with the SEC..."
In 2021, everyone has to be pissed off by JavaScript popups about cookie storage, but your password's safety, screw that. Storing SFTP passwords reversible to plaintext, that's still fine, right?
As long as there is a SEC report... We look professional!
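The two storage patterns the comment above contrasts, as an added example that is not part of the thread and is not GoDaddy's or Wordfence's code: a "reversible" credential store (the anti-pattern behind any control panel that can show you your own SFTP password) beside a salted PBKDF2 store that can only verify a login attempt. The XOR-with-a-server-key scheme, the record format and the sample password are all constructed here for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256, kept as a constant so it can be raised
# later and old records re-hashed on the next successful login.
PBKDF2_ITERATIONS = 600_000


def store_reversible(password: str, server_key: bytes) -> str:
    """ANTI-PATTERN (constructed to illustrate the problem): keep the password in a
    form the server can turn back into plaintext so a UI can "reveal" it. Whoever
    obtains the credential table plus the key recovers every customer's password."""
    keystream = hashlib.sha256(server_key).digest()
    raw = password.encode()
    ciphertext = bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(raw))
    return base64.b64encode(ciphertext).decode()


def reveal_reversible(stored: str, server_key: bytes) -> str:
    """The "reveal password" button: the existence of this function is the finding."""
    keystream = hashlib.sha256(server_key).digest()
    ciphertext = base64.b64decode(stored)
    plain = bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(ciphertext))
    return plain.decode()


def store_hashed(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow, one-way: the record lets the server check a login but never
    recover the password. Constructed record format: algo$iterations$salt$hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_hashed(stored: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def is_reversible_record(stored: str) -> bool:
    """Cheap audit check over a credential table: anything without the one-way
    algorithm tag is either plaintext or reversible and needs a closer look."""
    return not stored.startswith("pbkdf2_sha256$")


if __name__ == "__main__":
    # Constructed sample: same password, two storage models.
    key = b"server-side-static-key"
    rev = store_reversible("hunter2", key)
    print("reversible store gives back:", reveal_reversible(rev, key))
    rec = store_hashed("hunter2")
    print("hashed record:", rec)
    print("verify correct:", verify_hashed(rec, "hunter2"), "wrong:", verify_hashed(rec, "hunter3"))
```

The practical tell is the one the CloudWays commenter noticed: if a dashboard can display the existing password rather than only letting you set a new one, the backend must hold it in a reversible form, and a database dump exposes it exactly as the GoDaddy notice describes.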
> anyone else feeling a deep anger rising when reading this in 2021?
Look at most of the stories on the front-page of HN these days. Often some shiny tool to allow front-end JS devs to write and deploy full-stack applications automatically upon commit. I guarantee you they’re making similar newbie mistakes. Instead of SFTP it’ll be a serverless endpoint that returns entire User records, unhashed password and all, without any sort of auth check.
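The endpoint mistake described above, as an added example that is not from the thread or any product it mentions: a handler that serialises the whole user row with no auth check, next to one that authenticates the caller, checks that they own the record, and returns only an allowlist of fields. The in-memory user table, session tokens and field names are constructed for the example; a real service would read them from its own store.

```python
from dataclasses import dataclass


@dataclass
class UserRecord:
    id: int
    email: str
    display_name: str
    password_hash: str  # never belongs in an API response, hashed or not
    api_secret: str


# Constructed sample data standing in for a users table (hash values are placeholders).
USERS = {
    1: UserRecord(1, "alice@example.com", "Alice", "<hash placeholder>", "sk_alice"),
    2: UserRecord(2, "bob@example.com", "Bob", "<hash placeholder>", "sk_bob"),
}

# Constructed session store: bearer token -> user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

# Fields a caller may see about their own account.
PUBLIC_FIELDS = ("id", "email", "display_name")


def vulnerable_get_user(user_id: int) -> dict:
    """The pattern from the comment: no auth check, whole record returned."""
    rec = USERS.get(user_id)
    if rec is None:
        return {"status": 404, "body": {}}
    return {"status": 200, "body": vars(rec)}


def get_user(headers: dict, user_id: int) -> dict:
    """Hardened handler: authenticate, authorise, then serialise an allowlist only."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "body": {"error": "authentication required"}}
    caller = SESSIONS.get(auth[len("Bearer "):])
    if caller is None:
        return {"status": 401, "body": {"error": "invalid token"}}
    # Ownership check happens before the lookup so callers cannot probe which ids exist.
    if caller != user_id:
        return {"status": 403, "body": {"error": "forbidden"}}
    rec = USERS.get(user_id)
    if rec is None:
        return {"status": 404, "body": {}}
    return {"status": 200, "body": {name: getattr(rec, name) for name in PUBLIC_FIELDS}}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_get_user(1)["body"].keys())
    print("hardened:", get_user({"Authorization": "Bearer tok-alice"}, 1))
    print("other user:", get_user({"Authorization": "Bearer tok-bob"}, 1)["status"])
```

The allowlist is the part that survives refactoring: a `vars(rec)` or ORM `to_dict()` silently grows a new secret column the day someone adds one, whereas an explicit field list has to be edited on purpose.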
This has nothing to do with newbie mistakes. GoDaddy has been a household name for decades. This was not a newbie mistake, this was negligence and refusal to invest in modern technologies.
I'd rather risk it with the newbies, modern stacks usually have good tutorials and standard solutions to most security sensitive problems.
Last time I dodged a product because its website looked like it was designed in the early 2000s it was SolarWinds, just over a year ago.
And they’ve been this bad continuously since the 90s, too, so clearly the market does not have a positive feedback loop for security.
I’m feeling nostalgic remembering helping clients migrate away from their breached shared hosting around the turn of the century, especially how this ended up being cheaper because GoDaddy was way over market rates.
Yep, just left a company where the contractors building out a core solution had just such an endpoint where you could get anyone's data, and worse, personal photos.
And of course, every API key and secret was just hanging out in the repo as well.
As long as companies view security as a worthless expense, and the only penalty is some monitoring (that no one uses) and a brief story everyone will forget, nothing will change. I doubt the stock will even be affected.
Maybe the CEO should be required to be put in stocks in the town square or something. With no real penalty, there is no change.
Stock is down 9% since announcement. It’s an interesting case study because you get clear arithmetic on how much this breach cost shareholders. Almost exactly one billion dollars. May be short lived but useful data nonetheless. Will inform infosec budgets going forward.
No, the point is that even newcomers can learn to do better than the team at GoDaddy did. They aren’t trying to brag, they’re pointing out that the team behind this compromise was negligent in their practices.
OP here - at least for the link. My colleague Ram Gall wrote the post. Haven't seen an official announcement that mentions all the affected resellers like this. We reached out via a friend who works at GoDaddy who put us in contact with the spokesperson who gave us the quote included in the post. That lists the specifically affected hosts.
Uh oh :( I’ve been using GoDaddy since like 2005 and never used anywhere else. Of course that’s just for domain names; I haven’t hosted with them since VPSs (and the cloud in general) became cheap.
I could Google it, but what else is bad with godaddy and should I switch?
I’ve used quite a few different registrars over the years, and the only one that really stood out as bad was in fact GoDaddy (tacky UX* and dark patterns in registration flow). Most other big name services you choose will be fine; personally I’ve been using Google Domains… but I’m not exactly a Google fan either. As for historical reasons people dislike GoDaddy, here’s a starter: https://en.wikipedia.org/wiki/GoDaddy#Controversies
Huh, I guess I should look to switch. I never really cared for their interface either, but since I only use it to change the DNS over to point towards my own servers I didn’t really consider it could be worse than anywhere else.
Yeah, that’ll do (and the owner's lack of respect for animal life). I didn’t even know; I only use them to hold a few domains and I’ve never even looked at or thought about using anyone else. Weird how out of the loop I am on this for being a web developer, but that’s why I asked here.
I used to think the same thing, but considering their name registration isn't even price competitive at $13 annually without coupons and their shared hosting is over $10 a month, they are worth considering moving on from. I did, because their hosting was just too expensive, with them refusing to offer coupons to existing customers to renew hosting or domains. They used to be a lot better.
Yeah, honestly I’ve never looked at the competition because I only own about 5 domains personally, but I bought the domains for like $12 and I definitely pay >$100 a year now, so more than double what I paid for some of them.
GoDaddy raising prices made me switch. Namecheap offered $30 for hosting for a year, so I transferred over a year ago. It was very annoying to transfer the domains, but I don't like feeling gouged. Anyway, GoDaddy's hosting was bad and hacked at least twice in three months years ago, back in 2010 or something. Namecheap has Softaculous or whatever it is called. GoDaddy can't compare.
They recently bought Uniregistry and transferred all of the customer domains. If you had a Uniregistry account, you can't transfer away from GoDaddy for 3 months from the date, coming up in a few weeks.
As much as I am looking forward to getting away from them, I'm not looking forward to jumping through the hoops they'll inevitably put in my way.
I was shocked at how terrible their service and prices were. Whenever I renew a domain I'm met with an absurd stunt billing attempt. Support is horrible, they can't even do email with tickets. Instead they have a chat system which automatically closes and the support staff game it by stalling.
> well we bought five years so let's wait to renew it somewhere else
You do realize you can transfer at any time after the 60-day ICANN change of registrant lock period, and it’ll just add to your five years at the new registrar, right?
0: https://newsroom.godaddy.net/newsroom/overview/default.aspx