
Textpattern CMS support forum


#1 2021-11-23 08:30:29

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 535

GoDaddy Breached

I know there is a general dislike of GoDaddy here but if any of you have accounts with them you may wish to read the below articles. It turns out that sFTP and database usernames and passwords were exposed in the breach.

WordFence: GoDaddy Breached

sec.gov: GoDaddy Announces Security Incident Affecting Managed WordPress Service

Last edited by Algaris (2021-11-23 08:32:51)


#2 2021-11-23 10:22:48

philwareham
Core designer
From: Haslemere, Surrey, UK
Registered: 2009-06-11
Posts: 3,564

Re: GoDaddy Breached

FYI as a side note we moved Textpattern domain registrations away from GoDaddy at the start of this year (we now use Porkbun as our registrar – which sits more comfortably with the team’s ethics).


#3 2021-11-23 10:39:04

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: GoDaddy Breached

Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.

Understatement!

Thanks for the link, Ross. The fact we have to store database passwords in plaintext in config.php the same way that WP do is a longstanding bugbear of mine. I would love to find a better way to handle this. Even using different DB passwords for different installations isn’t much use if you can get to the filesystem and read each config.php.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#4 2021-11-23 23:00:59

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058

Re: GoDaddy Breached

Bloke wrote #332008:

Understatement!

[…] I would love to find a better way to handle this. Even using different DB passwords for different installations isn’t much use if you can get to the filesystem and read each config.php.

+10.

(The only thing that attenuates the worry is that the CMS that cannot be named in polite conversations does the same. But it does not make me happier!)


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern


#5 2021-11-24 08:18:47

Algaris
Member
From: England
Registered: 2006-01-27
Posts: 535

Re: GoDaddy Breached

Thanks Bloke =)

It’s been confirmed that the breach has been widened to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.

Link


#6 2021-11-24 09:06:47

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,578

Re: GoDaddy Breached

Absolutely mind-boggling that login, ftp and mysql details to 7(+?) different large hosting services across the world are accessible in readable format through one password breach. You’d think that even with a large degree of centralization, the data of the different services would be distributed across different servers and infrastructure and that somewhere staff in all these services would have noticed the insecure credentials storage method.

Or are all these separate services post-takeover simply white-labelled versions of the same GoDaddy service?


TXP Builders – finely-crafted code, design and txp


#7 2021-11-24 09:24:27

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,058

Re: GoDaddy Breached

Algaris wrote #332015:

It’s been confirmed that the breach has been widened to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.

Wow! That is really not pretty. Do they really centralise all those services that much?



#8 2021-11-24 09:46:02

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,250

Re: GoDaddy Breached

No way!

I echo the sentiments above. Unbelievable that all the plaintext credentials are centralized to that degree. From an admin POV, sure, if you buy a company it makes sense to consolidate stuff. But to do that and have nobody notice for over two months…?!



#9 2021-11-24 21:34:34

bici
Member
From: vancouver
Registered: 2004-02-24
Posts: 2,071

Re: GoDaddy Breached

So glad I have moved at least 3 friends away from GoDaddy this year alone. One because they were paying $240 for what they now get for free with my web host: Let's Encrypt!


…. texted postive
