The Wordfence Security blog announced today that GoDaddy was compromised.
This was no simple compromise but a two-month-long security breach in which the plaintext sFTP and database passwords of active accounts were visible to the attacker. “sFTP” is the Secure File Transfer Protocol, and it gives you (and the attacker) access to the files for your website that are hosted on your GoDaddy account. “Database” means information that is stored in a large file, usually in what is called a MySQL database file. This file contains the information your WordPress or other CMS (Content Management System) uses to populate your website when someone visits your site.
If you have WordPress or any other CMS, all of the files in your website were subject to editing, insertion of malware, and deletion. If you have not changed these important passwords since the breach, they still may be subject to tampering by malicious entities. But you can do something about that now!
Wordfence stated: “During the period from September 6, 2021, to November 17, 2021, the sFTP and database usernames and passwords of active customers were accessible to the attacker.”
This attack provided access to passwords which GoDaddy incorrectly stored and displayed in accounts in plaintext format.
Plaintext format means the passwords were readable to anyone looking at the control panel for the site, which is contrary to industry standards for encrypting sensitive data.
What can you do now? You can change these passwords. Change them in your GoDaddy account control panel, in phpMyAdmin, and in your WordPress wp-config.php file. Call me at 808 283 7651 for a consult if you have a GoDaddy hosted website.
That’s right, you’ll want to change your WordPress or CMS database passwords, your WordPress or CMS user account passwords, and your sFTP passwords. Additionally, if you use these same passwords anywhere else, you should change the passwords on those accounts too. Use smart password management and never use the same password on more than one site.
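As an added example (not from Wordfence, GoDaddy, or the original post), the Python script below generates a new random database password and writes it into the DB_PASSWORD line of wp-config.php. The sample config contents and the function names are constructed for illustration, and the same password must also be set for the database user in the hosting control panel or phpMyAdmin so the site keeps its database connection.

```python
import os
import re
import secrets
import string
import tempfile

# Constructed sample wp-config.php fragment (not from a real site).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_wp' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'old-leaked-password' );
define( 'DB_HOST', 'localhost' );
"""

# No quotes or backslashes, so the value needs no escaping inside a PHP string.
ALPHABET = string.ascii_letters + string.digits + "!#%*+-_=@^"

# Matches define('DB_PASSWORD', '<value>') with either quote style.
DEFINE_RE = re.compile(
    r"""(define\(\s*(['"])DB_PASSWORD\2\s*,\s*)(['"])(?:\\.|(?!\3).)*\3(\s*\))"""
)

def new_password(length=32):
    """Generate a random password from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_db_password(config_text, password):
    """Return config_text with the DB_PASSWORD value replaced by password."""
    if not password or any(c not in ALPHABET for c in password):
        raise ValueError("password contains characters outside ALPHABET")
    updated, count = DEFINE_RE.subn(
        lambda m: f"{m.group(1)}'{password}'{m.group(4)}", config_text)
    if count != 1:  # refuse to guess when the line is missing or duplicated
        raise ValueError(f"expected one DB_PASSWORD define, found {count}")
    return updated

def rotate_file(path):
    """Rewrite wp-config.php at path atomically; return the new password."""
    password = new_password()
    with open(path, encoding="utf-8", newline="") as fh:
        updated = rotate_db_password(fh.read(), password)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
        fh.write(updated)
    os.chmod(tmp, os.stat(path).st_mode & 0o777)  # keep the original file mode
    os.replace(tmp, path)  # atomic swap: the site never sees a half-written file
    return password
```

Store the returned password in your password manager rather than in a note or e-mail.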
I manage around 800 username/password combinations as well as other secure data for myself and clients. There are so many smart password managers available online. I rely on LastPass password manager and I can access my account from any device or web browser. I can access all my passwords from my phone, tablet, laptop, desktop, or anyone else’s devices by remembering just one master password. And so can you. You can get LastPass, free and Premium, via . Get LastPass now for the freedom you deserve.
The data is encrypted and will only be decrypted on the device when I am logged in. It is never sent, up or down, except when encrypted. This is the safest way to store my passwords as a web developer, host manager, and in the many other roles that I perform.