GoDaddy security flaw impacts 1.2m customers

Events that unfolded this week at GoDaddy mean that over a million users could be impacted by a breach that exposed customer numbers and email addresses, and much more.


WordPress admin credentials, FTP credentials (which are used to access web servers), database credentials (for databases storing client personal data) and SSL private keys were also exposed. If abused, these could allow an attacker to impersonate an owner's website. Adding to the sensitivity of this is the fact that the security breach went unnoticed for two months.

Security researchers indicate that the breach was caused by inadequate security that did not meet industry best practices.

Wordfence explains the vulnerability they discovered:

“GoDaddy stored sFTP passwords in such a way that the plaintext versions of the passwords could be retrieved, rather than storing salted hashes of these passwords, or providing public key authentication, which are both industry best practices.

“…Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.”

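The contrast Wordfence draws, as an added example that is not code from this article, Wordfence or GoDaddy: a reversible store beside a salted scrypt hash. Base64 stands in for any reversible format (GoDaddy's actual scheme is not described here), and the function names, record format and cost parameters are assumptions.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune for your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def store_reversible(password: str) -> str:
    """Anti-pattern: an encoding (or encryption with a key held by the same
    server) lets anyone who reads the store recover the original password."""
    return base64.b64encode(password.encode()).decode()


def recover_reversible(stored: str) -> str:
    """What a reader of the reversible store can do: get the plaintext back."""
    return base64.b64decode(stored).decode()


def store_hashed(password: str) -> str:
    """Store a per-password random salt and a scrypt hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode(), salt=salt, n=int(n),
                                r=int(r), p=int(p), dklen=len(expected))
    except ValueError:  # malformed or tampered record
        return False
    return hmac.compare_digest(actual, expected)
```
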
This sounds like the kind of nightmare that could give any website owner or even web design agency a long-lasting headache. Thankfully, none of Douglass Digital's data or websites utilise the GoDaddy platform, so they are safe from this.

If you have security concerns about your current website please contact us to see how we can help.


