Password and credentials related breaches

Passwords and credentials are prized by cybercriminals because they are often the easiest way past security controls: a valid credential lets an attacker walk in through the front door instead of exploiting a vulnerability. This page lists some breach incidents in which the misuse of credentials and passwords played a central role.

GoDaddy Case 2020 - SSH Keys

GoDaddy, a large domain registrar and web hosting company, announced that its servers had been breached in October 2019. The breach was not discovered until April 2020 and affected the SSH credentials of approximately 28,000 of the company's hosting customers.

All in all, it took the company six months to discover what had gone wrong. According to GoDaddy, an attacker broke into its network, bypassed its security controls, and obtained access to SSH login credentials stored on GoDaddy's servers. To remedy the situation, the company reset all the exposed credentials and offered the affected customers one year of premium security services free of charge. The unauthorized party was blocked from the server, and GoDaddy reported no evidence of the attacker having tampered with files on the hosted accounts.

The incident came down to an oversight in a piece of critical infrastructure security: SSH keys. SSH keys are a widely used, strongly encrypted method of remote login. But the server only checks that the presented key is authorized, not who is holding it, so an attacker who obtains a key that grants root-level access can often hop from one environment to the next without detection. The key itself is legitimate even if the user is not, and the same key is frequently authorized on many hosts, which is exactly what makes it worth stealing.

Learn why you should treat SSH keys like passwords and govern them with the same policies

GoDaddy Case 2021 - Compromised Passwords

In November 2021, GoDaddy announced that it had detected suspicious activity in its Managed WordPress hosting environment and confirmed that it was an intrusion. The attacker had gained access about two months earlier, in September 2021.

The unauthorized activity resulted in a data breach affecting 1.2 million customers, exposing email addresses and customer numbers. For some customers, additional secrets were exposed as well: SFTP credentials, database usernames and passwords, and SSL private keys.

According to the investigation, the attacker got in using a single compromised password. The exposed SFTP and database passwords appear to have been stored as plaintext or in a format that could easily be reversed to plaintext. Transferring files over SFTP, which runs on top of SSH, protects credentials in transit, but it does nothing for credentials at rest: a password that a service only ever needs to verify should be stored as a salted, deliberately slow one-way hash, so that a copy of the database does not hand the attacker working logins.
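What stored-credential handling should look like for a hosting provider, as an added example in Python that is not GoDaddy's code: each password is turned into a salted scrypt verifier and only that verifier is stored, so a copy of the table does not yield working SFTP or database logins. The scrypt parameters are an assumption chosen so the example runs quickly and should be tuned upward in production. The self-describing verifier string (a PHC-style `$scrypt$ln=..,r=..,p=..$salt$hash` layout) lets the parameters be raised later with old entries upgraded transparently at the user's next login, and the login helper does the same amount of work for unknown usernames so response time does not reveal which accounts exist.

```python
"""Password verifiers for a hosting control panel: salted scrypt, never plaintext (added example)."""
import base64
import hashlib
import hmac
import secrets

# Assumed policy for this example; raise n as your hardware allows (each doubling doubles memory and time).
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
DKLEN, SALT_LEN = 32, 16


def _b64(b):
    return base64.b64encode(b).decode().rstrip("=")


def _unb64(s):
    return base64.b64decode(s + "=" * (-len(s) % 4))


def _scrypt(password, salt, n, r, p):
    # maxmem must cover 128*n*r bytes plus a little; the OpenSSL default is too small for large n
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=256 * n * r, dklen=DKLEN)


def hash_password(password, params=PARAMS):
    """Return a PHC-style verifier string: $scrypt$ln=..,r=..,p=..$<salt>$<hash>."""
    salt = secrets.token_bytes(SALT_LEN)                  # fresh random salt per password
    dk = _scrypt(password, salt, **params)
    ln = params["n"].bit_length() - 1                     # n is a power of two; store log2(n)
    return f"$scrypt$ln={ln},r={params['r']},p={params['p']}${_b64(salt)}${_b64(dk)}"


def parse_verifier(stored):
    """Split a verifier string into (params, salt, hash); everything needed to verify is inside it."""
    _empty, alg, paramstr, salt, dk = stored.split("$")
    if alg != "scrypt":
        raise ValueError(f"unsupported verifier type {alg!r}")
    kv = dict(item.split("=", 1) for item in paramstr.split(","))
    params = {"n": 1 << int(kv["ln"]), "r": int(kv["r"]), "p": int(kv["p"])}
    return params, _unb64(salt), _unb64(dk)


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    params, salt, dk = parse_verifier(stored)
    return hmac.compare_digest(_scrypt(password, salt, **params), dk)


def needs_rehash(stored, params=PARAMS):
    """True when the verifier was made with weaker parameters than current policy."""
    old, _, _ = parse_verifier(stored)
    return any(old[k] < params[k] for k in ("n", "r", "p"))


# Verifier for a nonexistent account, so a failed lookup costs the same as a failed password.
_DUMMY = hash_password(secrets.token_hex(16))


def login(users, username, password):
    """Check a login against the {username: verifier} table; upgrade weak verifiers on success."""
    stored = users.get(username, _DUMMY)
    ok = verify_password(password, stored) and username in users
    if ok and needs_rehash(stored):
        users[username] = hash_password(password)         # only possible now, while the plaintext is in hand
    return ok
```

Where a service only needs to check a password, as is the case for SFTP and database logins, a verifier like this is all it should keep; the plaintext exists only for the duration of the login request.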

World Health Organization (WHO) Case

In April 2020, WHO (World Health Organization) announced that some of its employees' accounts had been accessed without authorization. This was not a breach of WHO's own systems: the credentials used came from a large compilation of usernames and passwords collected from earlier leaks at third-party services. Some WHO employees had reused their work credentials on those services, so once the services were breached the attackers could simply replay the leaked pairs against WHO accounts.

As a result, about 450 active WHO email addresses and their passwords were published on public sites such as Twitter. The attack did not put WHO systems in danger, because the attackers were not able to penetrate any critical WHO system.

Zoom Case

In early 2020, it emerged that roughly 500,000 Zoom account credentials were listed for sale. The news alarmed the more than 300 million users active on Zoom at the time. The investigation showed that the credentials had not been taken from Zoom's servers: they had been assembled from earlier leaks traded on online crime forums and dark web markets. Because people tend to reuse their login credentials, the attackers found they could get into a large number of Zoom accounts simply by replaying username and password pairs found in other leaks, a technique known as credential stuffing.

Furthermore, Zoom had emphasized convenience over security, and options such as multi-factor authentication (MFA), which would have stopped a reused password from being enough on its own, were not in place.
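Both the WHO and Zoom incidents are credential stuffing: leaked username and password pairs from other sites replayed against a target. From the defender's side the pattern is visible in the authentication log, and it looks different from a brute-force attack. The Python detector below is an added example, not code from the original article, Zoom or WHO. It replays a constructed log in which one source tries 40 different accounts once each and succeeds on two, alongside a legitimate office gateway whose many users mostly log in successfully and a brute-force attempt that hammers one account. The window, the thresholds and the log line format are all assumptions made for the example.

```python
"""Credential-stuffing detection over authentication logs (added example, not from the article)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed thresholds: a source that tries many distinct accounts, about once each, and mostly fails.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 20
MAX_ATTEMPTS_PER_USER = 3.0     # brute force hammers one account; stuffing tries one leaked pair per account
MIN_FAIL_RATIO = 0.8            # a busy office NAT has many users too, but they mostly log in successfully


def parse_line(line):
    """Constructed log format: '<ISO-8601 UTC> ip=<addr> user=<name> result=<OK|FAIL>'."""
    ts, *fields = line.split()
    f = dict(item.split("=", 1) for item in fields)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": f["ip"], "user": f["user"], "ok": f["result"] == "OK"}


class StuffingDetector:
    def __init__(self, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                 max_per_user=MAX_ATTEMPTS_PER_USER, min_fail=MIN_FAIL_RATIO):
        self.window, self.min_users, self.max_per_user, self.min_fail = window, min_users, max_per_user, min_fail
        self.recent = defaultdict(deque)      # ip -> (ts, user, ok) events within the window
        self.flagged = {}                     # ip -> time it was first flagged
        self.compromised = set()              # (ip, user): a success from a flagged source

    def observe(self, ev):
        """Feed one event; returns True if the source is (now) flagged."""
        q = self.recent[ev["ip"]]
        q.append((ev["ts"], ev["user"], ev["ok"]))
        while ev["ts"] - q[0][0] > self.window:
            q.popleft()
        if ev["ip"] in self.flagged:
            if ev["ok"]:                      # a password from another site's leak worked here
                self.compromised.add((ev["ip"], ev["user"]))
            return True
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, ok in q if not ok)
        if (len(users) >= self.min_users and len(q) / len(users) <= self.max_per_user
                and fails / len(q) >= self.min_fail):
            self.flagged[ev["ip"]] = ev["ts"]
            self.compromised.update((ev["ip"], u) for _, u, ok in q if ok)
            return True
        return False


def run(lines):
    """Replay a log; returns ({ip: first flagged ts}, {(ip, user) suspected account takeovers})."""
    det = StuffingDetector()
    for line in lines:
        det.observe(parse_line(line))
    return det.flagged, det.compromised


# Constructed log: a stuffing run, a legitimate office NAT, and a single-account brute force, interleaved.
BASE = datetime(2020, 4, 1, 10, 0, tzinfo=timezone.utc)


def _lines(ip, users, ok_users, step_s):
    return [f"{(BASE + timedelta(seconds=i * step_s)).isoformat().replace('+00:00', 'Z')} "
            f"ip={ip} user={u} result={'OK' if u in ok_users else 'FAIL'}" for i, u in enumerate(users)]


SAMPLE_LOG = sorted(
    _lines("203.0.113.7", [f"user{i:03}" for i in range(1, 41)], {"user007", "user031"}, 6)
    + _lines("198.51.100.2", [f"staff{i:02}" for i in range(1, 26)], {f"staff{i:02}" for i in range(1, 25)}, 9)
    + _lines("192.0.2.9", ["admin"] * 50, set(), 4)
)

if __name__ == "__main__":
    flagged, compromised = run(SAMPLE_LOG)
    for ip, ts in flagged.items():
        print(f"{ip} flagged at {ts.isoformat()}; accounts to reset: "
              f"{sorted(u for i, u in compromised if i == ip)}")
```

The flagged source is the one to block, but the compromised set is the output that matters: those accounts need a forced password reset and, ideally, MFA, because the password that worked is already circulating in a leak. Stuffing campaigns are often spread over many source addresses to stay under per-IP thresholds, so the same logic is worth running keyed on the password-pair fingerprint or on the ASN as well as on the address.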

Learn more about how passwordless access could prevent cases like those at Zoom and WHO

References

https://www.hackread.com/godaddy-data-breach-hackers-access-ssh-accounts/

https://portswigger.net/daily-swig/godaddy-managed-wordpress-hosting-service-breach-exposed-1-2m-user-profiles

https://www.forbes.com/sites/daveywinder/2020/04/28/zoom-gets-stuffed-heres-how-hackers-got-hold-of-500000-passwords/?sh=4eda2ea35cdc

https://www.who.int/news/item/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance