Textpattern CMS support forum
#1 2021-11-23 08:30:29
- Algaris
- Member
- From: England
- Registered: 2006-01-27
- Posts: 553
GoDaddy Breached
I know there is a general dislike of GoDaddy here but if any of you have accounts with them you may wish to read the below articles. It turns out that sFTP and database usernames and passwords were exposed in the breach.
sec.gov: GoDaddy Announces Security Incident Affecting Managed WordPress Service
Last edited by Algaris (2021-11-23 08:32:51)
Re: GoDaddy Breached
FYI as a side note we moved Textpattern domain registrations away from GoDaddy at the start of this year (we now use Porkbun as our registrar – which sits more comfortably with the team’s ethics).
Re: GoDaddy Breached
Storing plaintext passwords, or passwords in a reversible format for what is essentially an SSH connection is not a best practice.
Understatement!
Thanks for the link, Ross. The fact we have to store database passwords in plaintext in config.php the same way that WP do is a longstanding bugbear of mine. I would love to find a better way to handle this. Even using different DB passwords for different installations isn’t much use if you can get to the filesystem and read each config.php.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: GoDaddy Breached
Bloke wrote #332008:
Understatement!
[…] I would love to find a better way to handle this. Even using different DB passwords for different installations isn’t much use if you can get to the filesystem and read each config.php.
+10.
(The only thing that attenuates the worry is that the CMS that cannot be named in polite conversations does the same. But it does not make me happier!)
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
#5 2021-11-24 08:18:47
- Algaris
- Member
- From: England
- Registered: 2006-01-27
- Posts: 553
Re: GoDaddy Breached
Thanks Bloke =)
It’s been confirmed that the breach has been widened to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.
Re: GoDaddy Breached
Absolutely mind-boggling that login, ftp and mysql details to 7(+?) different large hosting services across the world are accessible in readable format through one password breach. You’d think that even with a large degree of centralization, the data of the different services would be distributed across different servers and infrastructure and that somewhere staff in all these services would have noticed the insecure credentials storage method.
Or are all these separate services post-takeover simply white-labelled versions of the same GoDaddy service?
TXP Builders – finely-crafted code, design and txp
Re: GoDaddy Breached
Algaris wrote #332015:
It’s been confirmed that the breach has been widened to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.
Wow! That is really not pretty. Do they really centralise that much all those services?
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: GoDaddy Breached
No way!
I echo the sentiments above. Unbelievable that all the plaintext credentials are centralized to that degree. From an admin POV, sure, if you buy a company it makes sense to consolidate stuff. But to do that and have nobody notice for over two months…?!
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: GoDaddy Breached
So glad I have moved at least 3 friends away from GoDaddy this year alone. One because they were paying $240 for what they now get for free with my web host: Let's Encrypt!
…. texted postive