GoDaddy admits to password breach: check your Managed WordPress site!
2021-11-23 19:35

GoDaddy stated that default WordPress admin passwords, created when each account was opened, were accessed, too, though we're hoping that few, if any, active users of the system had left this password unchanged after setting up their WordPress presence.

We're assuming, if the passwords had been salted-hashed-and-stretched, as you might expect, that GoDaddy would have reported the breach by saying so, given that properly-hashed passwords, once stolen, still need to be cracked by the attackers, and with well-chosen passwords and a decent hashing process, that process can take weeks, months or years.

Researchers at WordFence, a company that focuses on WordPress security, say that they were able to read out their own sFTP password via the official MWP user interface, something that shouldn't have been possible if the passwords were stored in a "non-reversible" hashed form.

GoDaddy has now reset all affected passwords, and says it's in the process of replacing all potentially stolen web certificates with freshly generated ones.

In particular, crooks who know your sFTP password could, in theory, not only download the files that make up your site, thus stealing your core content, but also upload unauthorised additions to the site.

In this case, the attackers apparently breached security using a vulnerability, but to get back into users' accounts later using exfiltrated passwords is much harder if the password alone is not enough to complete the authentication process.
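The two defensive points the article makes, that a properly salted-and-stretched password store has to be cracked rather than simply read out, and that a stolen password alone should not be enough to log in, can be shown together in a small piece of code. The following is an added example written for this page; it is not code from the article, from GoDaddy, or from WordPress. It uses scrypt with parameters chosen here for illustration, and an RFC 6238 time-based one-time code (TOTP) as the second factor; the record format `scrypt$N$r$p$salt$hash` is an assumption of this example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# scrypt work factors. Constructed for this example (not vendor settings):
# memory-hard, salted and stretched, so a stolen record must be cracked
# one guess at a time rather than reversed.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    A fresh random salt is drawn per record, so two accounts with the same
    (or the same default) password still get different stored hashes.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters; compare in constant time.

    Nothing here can produce the original password from the record, which is
    why a UI that can display a stored password implies reversible storage.
    """
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, hash_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


def totp_code(secret: bytes, unix_time: int, step: int = 30,
              digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(record: str, totp_secret: bytes, password: str, code: str,
          unix_time: int) -> bool:
    """Both factors must pass: a leaked password on its own is not enough."""
    return verify_password(password, record) and verify_totp(totp_secret, code, unix_time)


if __name__ == "__main__":
    # Constructed sample values; the TOTP secret is the RFC 6238 test-vector key.
    record = hash_password("correct horse battery staple")
    secret = b"12345678901234567890"
    print(record)                                   # no password visible in the record
    print(login(record, secret, "correct horse battery staple",
                totp_code(secret, 59), 59))        # True
    print(login(record, secret, "correct horse battery staple",
                "000000", 59))                      # False: password alone fails
```

The `hash_password` record is what a breach of the database would expose: the attacker still has to run scrypt once per guess per account. The `login` function is the shape of the check the article is pointing at; with it in place, a password exfiltrated from the database does not complete authentication without the second factor.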


News URL

https://nakedsecurity.sophos.com/2021/11/23/godaddy-admits-to-password-breach-check-your-managed-wordpress-site/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 49 36 409 104 29 578