Why the GoDaddy breach doesn't surprise me
Head of Hacking
It happened again. It's not that surprising either.
This time the web hosting giant, GoDaddy, was breached. According to a filing they released to the US Securities and Exchange Commission (SEC), they “discovered unauthorised third-party access to our managed WordPress hosting environment.”
The company detected suspicious activity and soon found that an intruder had accessed their legacy codebase using a compromised password. As a result, up to 1.2 million Managed WordPress customers had their personal information exposed.
This isn’t a new thing for GoDaddy. In 2018, a misconfigured S3 bucket exposed data on GoDaddy servers. In 2019, GoDaddy was breached again when a hacker used an altered SSH file to compromise 28,000 hosting accounts.
A “compromised password” is too simple a mistake for a company like GoDaddy to make. The most likely scenario is credential stuffing: the attacker took a large dump of usernames and passwords from an earlier, unrelated breach and replayed them against high-privilege GoDaddy accounts, betting that someone had reused a password. Clearly, it worked. Large enterprises can and should test proactively for exactly this attack.
There’s a simple fix for this: a password manager. It generates a long, random password that is unique to each account, so a credential leaked from one service cannot be replayed against another, and it takes the problem of weak or reused passwords out of the user's hands. Alternatively, a reliable red team can discover compromised credentials before an attacker does. Hadrian’s offensive tools, for example, can autonomously simulate a credential stuffing attack across hundreds of machines and accounts to see which credentials have already been exposed.
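To make the proactive check concrete, here is an added example (not Hadrian’s tooling and not code from the original post) that does two things an organisation can run against its own accounts: it replays a breach dump against a salted-hash user store to find which accounts still accept a leaked credential, and it indexes the dump’s passwords by the first five hex characters of their SHA-1 so a new password can be checked against it HIBP-style without the full hash ever leaving the client. The breach dump, the user list, the domain example.com and the PBKDF2 parameters are all constructed for the example.

```python
"""Simulated credential stuffing and leaked-password lookup.

Added example, not Hadrian's product code. Every input below is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Constructed breach dump in the common "email:password" form, with a
# malformed line to make sure the parser tolerates noise.
BREACH_DUMP = """\
alice@example.com:Summer2021!
bob@example.com:Password123
carol@other.org:hunter2
dave@example.com:correct horse battery staple
this line has no separator
eve@example.com:Winter2021!
"""

ORG_DOMAIN = "example.com"  # assumed target domain

# Constructed plaintexts, used only to build the salted-hash store below.
# alice and dave reuse their dumped password; bob does not; frank is not in the dump.
ORG_USERS_PLAINTEXT = {
    "alice@example.com": "Summer2021!",
    "bob@example.com": "Q7v!m2#xLp9zR",
    "dave@example.com": "correct horse battery staple",
    "frank@example.com": "9u$Tq1%wEaZ4",
}


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (email, password) pairs; skip anything that is not email:password."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email or not password:
            continue
        pairs.append((email.lower(), password))
    return pairs


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for whatever the real directory uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(plaintexts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a per-user (salt, hash) store; plaintexts are discarded afterwards."""
    return {email: (salt, hash_password(pw, salt))
            for email, pw in plaintexts.items()
            for salt in (os.urandom(16),)}


def try_login(store: Dict[str, Tuple[bytes, bytes]], email: str, password: str) -> bool:
    """Constant-time verification against the stored salted hash."""
    rec = store.get(email)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, hash_password(password, salt))


def stuffing_hits(dump_text: str, store: Dict[str, Tuple[bytes, bytes]], domain: str) -> List[str]:
    """Replay every dumped credential for the target domain; return accounts that log in."""
    hits = []
    for email, pw in parse_dump(dump_text):
        if email.endswith("@" + domain) and try_login(store, email, pw):
            hits.append(email)
    return sorted(hits)


def pwned_index(dump_text: str) -> Dict[str, Set[str]]:
    """Index dumped passwords by SHA-1 prefix (5 hex chars) -> set of 35-char suffixes."""
    index: Dict[str, Set[str]] = {}
    for _, pw in parse_dump(dump_text):
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_pwned(password: str, index: Dict[str, Set[str]]) -> bool:
    """k-anonymity lookup: only the 5-char prefix would be sent to a range API;
    the suffix comparison happens locally, so the password never leaves the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    store = make_user_store(ORG_USERS_PLAINTEXT)
    print("accounts accepting a leaked credential:", stuffing_hits(BREACH_DUMP, store, ORG_DOMAIN))
    idx = pwned_index(BREACH_DUMP)
    print("hunter2 seen in dump:", is_pwned("hunter2", idx))
```

In a real engagement the user store is the production login endpoint and the dump is whatever the red team has collected; the important property of the second half is that a password-policy check can refuse any password that appears in a dump without the plaintext or its full hash being sent anywhere.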
There’s something here which represents a reliable truth about digital security. It’s commonly the simple things which get you.
Small problems like this regularly provide easy wins for hackers. Cybercriminals will use a username/password from a previous data dump, they’ll see that a cloud instance hasn’t been properly secured, they’ll spot an unpatched server or they’ll just go phishing.
According to Verizon’s 2021 Data Breach Investigations Report (DBIR), stolen credentials are used in around 25 percent of data breaches. Credentials are also one of the most sought-after types of data for attackers, and they are compromised in just under 60 percent of breaches.
I’ve been doing bug bounties since I was 13 years old. I would find vulnerabilities and report them to the affected companies, who would then hopefully fix the problem. It didn’t take long for me to find a vulnerability that an adversary could exploit. This approach, however, is unscalable and requires an element of luck. What these companies need is a holistic view of their environment, so they can spot the small oversights that would let an attacker in.
This is why the hacker's perspective is so important. Organisations need to know where their weak spots are and how they can be attacked. Red teaming and penetration testing are the only way to do that.
GoDaddy’s attitude towards bug bounty hunters hasn’t always been receptive. As you might have seen above, I’ve had my own disappointing interactions with them. Other security researchers have noted their lack of responsiveness when approached with new vulnerabilities to address.
American bug hunter Sam Curry tweeted about the incident.
If GoDaddy had taken more care to deal with simple oversights like a “compromised password”, then this would not have happened. Digital security is no easy task but any sensible security strategy should start with denying attackers easy wins like this.
If organisations don’t want to succumb to basic, fixable problems like “compromised passwords”, then they have to understand where their weak spots lie. Hadrian offers a proactive, automated way of testing digital infrastructure from the outside in, spotting problems like these before they turn into breaches.