Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion

Here's a statement of the obvious: The opinions expressed here are those of the participants, not those of the Mutual Fund Observer. We cannot vouch for the accuracy or appropriateness of any of it, though we do encourage civility and good humor.

    Support MFO

  • Donate through PayPal

WordPress Security Breach & MFO

At the bottom of MFO Home, it says "Proudly Powered by WordPress",

Then there is news on security breach at GoDaddy's WordPress that says that emails, passwords, etc were compromised. What is MFO advising its members to do?

"GoDaddy recently learned that the impacts of a compromised password can be far-reaching. The domain registrar and web hosting platform revealed on Monday that it had experienced a security breach that disclosed up to 1.2 million email addresses for active and inactive Managed WordPress customers, as well as those customers’ WordPress administrator passwords."


  • edited November 2021
    First, don’t panic.

    GoDaddy is only one of a multitude of web hosting companies that offers WordPress to its customers. GoDaddy doesn’t own WordPress or control WordPress accounts that are hosted elsewhere.

    This breach only affects WordPress accounts which are hosted by GoDaddy. Since I do not believe that GoDaddy hosts MFO, this breach should not be of consequence to MFO or its users.
  • Thanks. That is a relief, I think.
    Media references to GoDaddy WordPress confused me. I wonder why WordPress hasn't issued a clarifying release.
    I learned more about and from this link. It seems that people can run WordPress software anywhere, including on their own servers. I also edited my post - it is WordPress, not WorldPress.
  • Any statement from WordPress would be needlessly confusing. They (and their software) aren’t the cause of the breach - it’s clear that this is solely a GoDaddy issue. It wouldn’t surprise me if other software packages on GoDaddy’s platform have similar issues.
  • edited November 2021
    A hacker was able infiltrate GoDaddy's WordPress provisioning system using a compromised password.
    These are the consequences and actions taken as of 11/22/2021.

    Upon identifying this incident, we immediately blocked the unauthorized third party from our system.

    Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.

    The original WordPress Admin password that was set at the time of provisioning was exposed.
    If those credentials were still in use, we reset those passwords.

    For active customers, sFTP and database usernames and passwords were exposed.
    We reset both passwords.

    For a subset of active customers, the SSL private key was exposed.
    We are in the process of issuing and installing new certificates for those customers.

    Our investigation is ongoing and we are contacting all impacted customers directly with specific details.

    This was a serious breach for GoDaddy.
    Their security team, an independent IT forensics firm, and law enforcement are still investigating.
    Hopefully, the culprit(s) will be brought to justice and prosecuted to the full extent of the law.
  • This is another perfect example of why one should utilize a password manager and not rely on auto-password fill via browser or worse - use the same password for multiple sites. If you use a password manager like LastPass, you need to remember one password and not 200. Plus, it runs continual checks on all sites and when a site has a compromise, it prompts you to change that unique password - The Wordpres or GoDadd breach has zero impact if you have unique passwords that auto-change or manual change on each unique site after prompt. Two-Step verification is also a must - especially for financial sites. The new apple ios update supporting temp email addresses also solves the "email" exposure / spam / phishing issue.
  • Hi, all.

    A few pieces of information that I hope are helpful -

    Our regular website does indeed run on WordPress, however, we do not use GoDaddy for hosting. So far as I know, the Mutual Fund Observer site has not been breached. I added the "So far as I know," because in most cases, a company's security has been breached for a period of time before they realize it.

    This discussion board does not run through WordPress. It uses an open-source software called Vanilla Forums, which is not nearly so big a target as WordPress. Your password here never gets stored in WordPress.

    That said, no site is ever safe from compromise. The advice from @JonGaltIII is spot on. 1. Use a password manager.
    2. Do not recycle the same password over and over on multiple sites.
    3. Use Two Factor Authentication whenever you're sharing personal or financial information.
    4. Despite the convenience, don't allow shopping sites to store your credit card information if that's an option.

    Happy holidays and stay safe!

  • @Chip- Thanks, and happy holidays to you and David!
Sign In or Register to comment.