Dec 7, 2021
What the GoDaddy Security Breach Means for Your Digital Privacy
Last month, it was announced that there had been a GoDaddy security breach.
A hack of a large corporation’s servers can leave us feeling vulnerable and at risk of having our online accounts hacked, personal information stolen, financial accounts accessed, and identities stolen.
We wanted to use the GoDaddy security breach to talk about what these types of attacks mean for your online data and how you can go about securing and maintaining your digital privacy.
How did the GoDaddy security breach happen?
The announcement revealed that GoDaddy had been storing the passwords of a specific subset of customers in an insecure format that goes against industry standards.
The security violation meant countless usernames and passwords were jeopardized. The worst part: the hacker had access to GoDaddy’s servers for two months before their intrusion was noticed.
The GoDaddy digital data breach was the result of one compromised password.
Think about it; one hacker acquired one password of one customer and was able to gain access to an entire database of customer information.
Why would the hacker want this information and what, if anything, could they do with it once they had it? We looked into answering this question; here’s what we found.
What kind of data did the hacker gain access to?
Because the GoDaddy security breach involved access to customer email addresses, customer IDs, the original admin passwords on accounts, and database login info for their websites, the potential damage is extensive.
What this means is that the hacker theoretically had access to do whatever they wanted to the affected owner’s websites.
If your account was one of the victims of the breach, your site could have been in the hands of a hacker with lots of time to do whatever they wanted with it.
What could the hacker do with the lifted digital information?
From the GoDaddy security breach, the attacker could have:
- Installed malware on your site,
- Created a new user on your site with administrative privileges they could use to go back and mess with your site later. (How many of us would overlook the addition of a new user? We bet quite a few.)
- Taken it down completely, in which case you’d lose access to it forever,
- Turned it into an online porn site or any other type of website they wanted to,
- Used your email address to try to gain access to other accounts you own.
Who exactly was affected by the GoDaddy security breach? We looked into this too.
What type of customers were affected by the attack?
The good news is that the digital break-in involved only a subset of GoDaddy customers, specifically those with WordPress sites managed by the company.
To get an idea of the scope of the hack, we reviewed GoDaddy’s press release about the breach and their full-year report for 2020; here’s what we learned.
Who was affected by the GoDaddy Security Breach?
GoDaddy reportedly had 20.6 million customers as of December 31, 2020. Out of those, 1.2 million users have WordPress sites managed by the company, the type of account affected by the November 2021 breach—that’s a lot of potentially compromised user information.
If you’ve come to the realization that you’re one of those 1.2 million customers, you may be wondering what you should do. We have some suggestions; keep reading.
What should you do if you have a WordPress site managed by GoDaddy?
If you’re one of the unlucky GoDaddy customers whose information was exposed in the attack, it’s important you be proactive in protecting your digital privacy.
Here are the steps we recommend you take to protect your website and your data.
1. Contact GoDaddy
The company announced that they had proactively reached out to customers to let them know about the steps they were taking to fix the problem and restore security to their users’ accounts. If they haven’t in your case, contact them.
2. Contact Your Customers
If you run an eCommerce store as part of your site, consider your customers’ data compromised as well. Even if you don’t think that’s the case, contact them anyway. Transparency goes a long way to building trust and good customer relations.
As the old adage goes, it’s better to be safe than sorry.
3. Change your website password
Change your WordPress passwords and, if possible, force a password reset for all your other site users and customers.
4. Communicate with and educate your customers
Recommend to your customers that they change their password to something completely different than any of their other account passwords.
Consider this a great opportunity to connect with and educate your customers on digital security best practices.
5. Start using 2-factor authentication
Don’t know what 2-factor authentication is? Keep reading, we cover it later in this article.
6. Check your site user accounts
Now’s the time to check your WordPress site for any unauthorized user accounts, administrator or otherwise. Take it one step further and delete any old user accounts that may still exist, e.g., former employees, etc.
Put yourself on a schedule to check user accounts regularly going forward.
7. Scan your site
Scan your site to ensure the hacker didn’t install malware, or nefarious software. Use a security scanner to do the scan. Not sure how to do this? Give us a ring.
8. Watch your inbox
Keep an eye out for suspicious emails.
No matter what measures GoDaddy and you have taken to secure your data, the attacker could still have your email address. There’s no guarantee they wouldn’t try to use it to collect other types of information from you.
Phishing has become quite sophisticated in recent years. Emails from fraudsters come in pretty, professional-looking packages.
Don’t assume an email from GoDaddy, or another trusted source, is in fact from that company. Double check the ‘from’ email address and never share sensitive information in an email.
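Step 6 above, as an added example (not from the original article or from GoDaddy): a short Python audit of a WordPress user export that flags accounts missing from your own list of expected users, unexpected administrators, and accounts created during an exposure window. The sample export, the login names and the window dates are constructed; the CSV columns assume the output of WP-CLI's `wp user list`.

```python
import csv
import io
from datetime import datetime

# Constructed sample, in the shape printed by:
#   wp user list --fields=ID,user_login,user_email,roles,user_registered --format=csv
SAMPLE_EXPORT = """ID,user_login,user_email,roles,user_registered
1,owner,owner@example.com,administrator,2019-03-14 09:12:44
2,shop_editor,editor@example.com,editor,2020-06-01 16:40:02
7,wp_support,support@example.net,administrator,2021-10-02 03:17:55
9,former_staff,old@example.com,"editor,shop_manager",2018-11-20 11:05:30
12,newsletter,news@example.com,subscriber,2021-09-28 22:01:10
"""

# Assumptions: the accounts you expect to exist, and a constructed exposure
# window. Substitute the dates from your provider's breach notice.
EXPECTED = {"owner", "shop_editor", "newsletter"}
WINDOW = (datetime(2021, 9, 1), datetime(2021, 11, 30))


def audit_users(export_csv, expected_logins, window_start, window_end):
    """Return {login: [reasons]} for every account that needs a manual look."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"]
        # A user can hold several roles; WP-CLI joins them with commas.
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in expected_logins:
            reasons.append("not on the list of expected accounts")
            if "administrator" in roles:
                reasons.append("unexpected administrator")
        if window_start <= registered <= window_end:
            reasons.append("created during the exposure window")
        if reasons:
            findings[login] = reasons
    return findings


if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_EXPORT, EXPECTED, *WINDOW).items():
        print(f"{login}: {'; '.join(reasons)}")
```

An account that is flagged only for its creation date, like `newsletter` here, may be legitimate; the point is that every new or unlisted account gets looked at by a person.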
How to protect yourself against GoDaddy-like security breaches
It may seem hopeless when it comes to protecting your data from cyber attacks.
We’re here to tell you that there are in fact many things you can do to secure your digital privacy—and the best part is they’re easy to do!
By making a few simple tweaks to how you access accounts and use your devices, you can protect your information against unwanted attempts to access it.
Keep reading to learn several ways to prevent your personal information from being misused.
Tools you can use to protect your data online
Make smart use of the tools available to protect your devices from hackers, prevent your personal information from being stolen, and keep your data safe online.
Here are 4 simple ways to prevent your personal information from being stolen.
1. Secure your accounts
Data breaches and password leaks from the accounts of large, reputable companies are unfortunately becoming the norm.
If you’ve ever created an account to, say, shop online, then we’re sorry to say you’re at risk of having your data stolen.
(Want to know if your account has been compromised? Go to Have I Been Pwned? and enter your email address in the search bar.)
Not to fear. We’re here to tell you you don’t have to give up your online Etsy shopping habit. Instead, we highly encourage you to secure your accounts.
How to secure your accounts: Use a password manager
We consider this the single most important thing you can do to protect your privacy and security today. A password manager will create and remember a slew of unique, complex passwords for every one of your accounts.
Our favourite password manager is LastPass. (No, we don’t get any perks for telling you that.)
2. Use Two-Step Authentication and an Authentication App
Without question, use two-step authentication whenever possible for your online accounts.
It may sound fancy and complicated, but we assure you that once you start using two-step authentication, you’ll wonder why you waited so long to do so.
As the name suggests, two-step authentication, also known as 2-step verification or multi-factor authentication, requires two things to access an account: 1) your account password, and 2) a number only the account holder (that’s you) can access.
2-Step Authentication works like this:
- Step 1: Log in to an account with your username and password. The account you’re logging into will then send you a temporary security code via text message or authenticator app.
- Step 2: You enter the code on the login page and—voilà!—you’ve logged in securely.
- Step 3: …only kidding. There isn’t a step 3!
An authentication app is used along with a site’s two-step authentication process, or in the absence of one.
You log in to an account (say Amazon), the authenticator app gives you a code, and then you have a short amount of time to use the code to finish the login process.
Both LastPass and Google offer authentication apps.
3. Protect Yourself While Web Browsing
Every time you use a web browser to search for something, shop, click on a button or ad, or visit your social media accounts, your behaviour and preferences are tracked.
Companies and websites collect your data to figure out how best to advertise to you the next time around.
What’s a web user to do to prevent this type of data gathering? Block it.
How to use web browser blockers
We recommend you install a web blocker or browser extension to stop the tracking of your online behaviour.
Extensions like uBlock Origin block ads, malware, and data collection. You can turn the extension on and off as well, which makes it useful when visiting trustworthy websites.
When a website gives you the option to receive notifications, say no. When a site asks whether they can collect data, opt-out. When you can disable ads on a site like Twitter, Facebook, or Instagram, do it.
It takes a bit of time but it’s well worth the effort to keep your preferences and habits safe.
Added security when you’re out in public
Here are tips to ensure added privacy when working on a public network and using a public Wi-Fi account, like at the airport, a café, or a hotel.
1. Use a VPN: A VPN, or virtual private network, is a must for those who travel for work or work remotely. By remotely, we don’t mean at home, we mean out in public.
A VPN adds an excellent extra layer of security when browsing. It also reduces the ability to track your computer’s IP address (kinda like a mailing address, only it’s virtual and every computer that uses the net has one). The VPN we recommend is NordVPN.
2. Only visit secure websites: All secure websites will have a Secure Sockets Layer (SSL) Certificate attached to them. In fancy terms, that means they’re a trusted site. You can recognize these sites by the ‘https’ at the beginning of the web address (versus ‘http’).
To be sure you’re going to a safe site, add ‘https://’ at the beginning of the web address.
If a website doesn’t have a secure version, and most trustworthy sites will, you’ll get a warning from your browser asking you if you want to proceed to the site. If that happens, back away; don’t continue to the website.
3. Install a secure website extension: For a faster option, install the HTTPS Everywhere extension to your browser. This extension will automatically direct you to the secure version of a website without you having to check for the ‘https’.
Bonus tip: You can even use a website blocker like BlockSite to stay focused while working.
4. Use antivirus software
Unfortunately, computer viruses still exist. The good news here is that it’s very easy to protect your workstation from malware.
Here are several antivirus software options depending on the type of your computer:
If your computer runs Windows 10, use Microsoft’s built-in antivirus software, Windows Defender. If you run an older version of Windows, we recommend updating to Windows 10; this will do the most to improve your computer’s security. If that isn’t an option for you, install Malwarebytes Premium.
Mac users are normally taken care of by the protection that comes built into macOS. If you own a Mac and want an added layer of security, Malwarebytes Premium is also available for Mac.
We recommend avoiding antivirus apps on your phone. The best way to protect your data on mobile is to download apps from trusted stores only.
A final, positive word on data security
We hope this guide to protecting your digital identity has empowered you to take the steps needed to keep yours safe.
If you have any questions about this article and how to implement the steps, or if you’d like the help of a professional to help you secure your company’s data, contact us.
We have been working with and ensuring the protection of our clients’ data for over 10 years; we’d be happy to help you secure yours.
Read the official GoDaddy press release about the security breach here.