You may or may not have heard about the events that unfolded this week at GoDaddy. Over a million users could be impacted by this breach, which exposes customer numbers and email addresses. In addition, WordPress admin credentials, FTP credentials (used to access web servers), database credentials (databases store client personal data) and SSL private keys were also exposed. If abused, these could allow an attacker to impersonate an owner's website. Adding to the sensitivity of this is the fact that the security breach went unnoticed for two months. Security researchers indicate that the breach was caused by inadequate security that did not meet industry best practices.
Wordfence explains the vulnerability they discovered:
“GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.
…Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.”
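To illustrate the difference Wordfence describes, here is an added example (not code from GoDaddy or Wordfence) that stores the same password in a reversible format and as a salted hash. The base64 encoding is only a stand-in for any reversible format, and the sample password, function names and PBKDF2 iteration count are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credential, for illustration only.
SAMPLE_PASSWORD = "correct horse battery staple"
ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def store_reversible(password: str) -> bytes:
    """Weak: a reversible format (base64 here as a stand-in)."""
    return base64.b64encode(password.encode())


def recover_reversible(record: bytes) -> str:
    """Anyone who can read the stored record gets the plaintext back."""
    return base64.b64decode(record).decode()


def store_hashed(password: str) -> dict:
    """Better: keep only a random salt, the work factor and the digest."""
    salt = os.urandom(16)  # unique per password, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_hashed(password: str, record: dict) -> bool:
    """Re-derive the digest from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    leaked = store_reversible(SAMPLE_PASSWORD)
    print("reversible record reveals:", recover_reversible(leaked))

    record = store_hashed(SAMPLE_PASSWORD)
    print("hashed record digest:", record["digest"].hex())
    print("correct password verifies:", verify_hashed(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify_hashed("guess123", record))
```

With the hashed record, a leak of the stored data does not hand over the password itself; an attacker has to guess candidates and pay the hashing cost for each one.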
This sounds like the kind of nightmare that could give any website owner, or even a web design agency, a long-lasting headache. Thankfully, none of Douglass Digital's data or websites utilise the GoDaddy platform, so we are safe from this.
If you have security concerns about your current website, please contact us to see how we can help.