A misconfigured privacy setting on an Amazon S3 bucket allowed sensitive data about GoDaddy’s offerings and 31,000 server configurations to be leaked.
See what this means for your domain registrar account, and how this data could bring your site, and the internet, to its knees.
A GoDaddy spokesperson reached out to me to help get the facts straight on this report, as they have also done for the articles I cited below and used as my reference. The post has been updated accordingly.
Corrections in brief:
The AWS bucket was not owned by GoDaddy. It belonged to an AWS sales employee who was doing a consult on package pricing and the like for GoDaddy.
The spreadsheet in that bucket held speculative pricing models. It did include some server configuration info, but GoDaddy is downplaying how much that would help a hacker attack their servers specifically. In other words, the information is more damaging as competitive intelligence for their rivals than as a roadmap for an attacker who now knows their server configuration.
Hacking a server is not an easy or quick thing to do, and there is no guarantee that anyone with the skills to do it will get their hands on this info or make the attempt.
The rest of this post, about how fragile the internet is, how DDoS attacks work, and how to protect your site, is still valid and is most definitely worth reading, and worth taking the suggested measures to heart and doing them.
Info on GoDaddy’s business was stored on Amazon S3 cloud storage by an AWS sales person who was doing speculative consulting for GoDaddy.
S3 calls its top-level storage containers “buckets”.
By default, a new bucket is private. But that setting can be changed.
And the AWS employee’s bucket was set to public.
That bucket contained usage info about GoDaddy’s services, which their competitors can use to get an edge.
But, it also contained the configuration of 31,000 of their own servers. And those servers are the things that host websites.
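As an added example (not part of the original post, and not anything GoDaddy or AWS published), here is a small Python checker that flags the two ways a bucket ends up public: a bucket policy that grants access to everyone, and an ACL grant to the AllUsers or AuthenticatedUsers groups. The policy and ACL documents are constructed for illustration; the account ID, role name and bucket name are made up.

```python
"""Flag S3 buckets that a bucket policy or ACL has opened to everyone.
Added example; the policy and ACL documents below are constructed, not
taken from the incident described in the post."""

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # A policy Principal of "*" or {"AWS": "*"} means any caller, anonymous included.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_statements(policy):
    """Sids (or positions) of unconditional Allow statements granted to everyone."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue  # conditional grants (e.g. aws:SourceIp) still deserve review
        if _principal_is_everyone(st.get("Principal")):
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits


def public_acl_grants(acl):
    """(group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def bucket_is_public(policy, acl):
    return bool(public_policy_statements(policy) or public_acl_grants(acl))


# Constructed documents. Account ID, role and bucket names are made up.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-consulting-bucket/*",
    }],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/pricing-analyst"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-consulting-bucket/*",
    }],
}
OWNER = {"Type": "CanonicalUser", "ID": "a1b2c3"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
WEAK_ACL = {"Grants": PRIVATE_ACL["Grants"] + [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}

if __name__ == "__main__":
    for label, policy, acl in [("weak", WEAK_POLICY, WEAK_ACL),
                               ("hardened", HARDENED_POLICY, PRIVATE_ACL)]:
        print(label, "PUBLIC" if bucket_is_public(policy, acl) else "private",
              public_policy_statements(policy), public_acl_grants(acl))
```

Feed it the JSON that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return for your own buckets. AWS also offers S3 Block Public Access, an account- or bucket-level setting that overrides public policies and ACLs; turning it on is the simplest guard against this class of mistake.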
What’s at Risk?
If GoDaddy is your domain registrar or email provider, breathe easy. Your account info is not at risk.
But here’s what is at risk – the entire internet.
Here’s what the report on WP Blog said about the server configuration data that was leaked:
“This data could be used to launch an attack so massive, that it can disrupt the global internet traffic. This seems like a movie script but it’s true.”
Here’s how that works.
Knowing the configuration of specific GoDaddy servers lets hackers tailor an attack to those servers instead of guessing.
If they get into those servers, they can then use the servers’ bandwidth and resources to amplify the attack.
That makes 1 person with 1 computer hit like 1000 computers, which can easily overwhelm whatever it targets.
What is a DDoS Attack
There is nowhere to hide from a massive Distributed Denial of Service (DDoS) attack.
Think of it like a bunch of wide load trucks coming down the highway. They are going to clog and disrupt normal traffic like crazy.
Any host that is targeted with a DDoS attack will be brought to its knees.
So will any internet hub that routes large volumes of internet traffic.
The internet is made of a bunch of wires and hubs (the big routers and exchange points where networks hand traffic to each other).
Think of hubs like major airports. When Denver gets snowed in, all airports that connect through it are goofed up and delayed too.
A hub attack is the kind that can cripple the internet.
Why Your Site Goes Down in a DDoS Attack
If an attack is severe enough, hosts and hubs have to take the targeted servers offline, or drop all traffic headed to them, to keep the rest of their network running.
If your site is on one of those servers, your site will be down.
On top of that, the host under attack goes on full alert and may turn on supplemental mitigation for all of its servers that challenges every visitor to that host (a CAPTCHA or a browser check) before letting them through.
Basically, it’s like a police checkpoint that screens every car’s passengers to ensure they are not malicious bots. That becomes a bottleneck from hell and radically slows down traffic.
So, your site may not be down, but it may be crawling slow for visitors.
What you need to do to protect your site
While you can’t stop a DDoS attack, you can diminish collateral damage to your site.
Get on a better host – Ensure you are on a host that allows full security measures. The more sites on a server that are properly locked down, the lower the chance that server gets hacked. That makes it hard for hackers to break into the server and use its resources against other servers. EIG-owned hosts like Hostgator and Bluehost, and GoDaddy itself, do not allow full security measures and are ripe for these kinds of attacks.
Get a site audit – ensure that you have full security measures on your site. If you are a site audit client and it has been more than 1.5 years since your site has been checked, please return for a loyalty audit. All manner of security settings have changed. A checkup is faster and cheaper than the initial audit too.
Get your email off your host – besides adding better security, having your email elsewhere ensures better delivery, and it lets you jump to another host using your own backup. In fact, EIG-owned hosts don’t allow cPanel migrations anymore, meaning your host email setup cannot be migrated.
Get your site fully secured – make sure a hacker cannot enter the host server through your site because it leaves doors unlocked and windows open. If you’re trusting a security plugin for this, that will not cut it! You need security that starts at the root of the account.
Have a full backup solution – this is THE last safety net in your security.
Ensure it backs up everything, including:
- WordPress core
- WordPress files (themes, plugins, and uploads under wp-content)
- The WordPress database, which holds your posts, pages, settings, and users (the files alone will not restore a site)
- Files that aren’t part of WordPress itself, like .htaccess and robots.txt, plus any 3rd party platform verification files.
Store your backup files off your host. My strong preference is Amazon S3, in a bucket you own and keep private (see the top of this post for what happens when a bucket is left public).
If your host server fries, you can kiss your site goodbye. You need to have your own backup, stored off your host, so you can fully restore it quickly.
And keep at least 30 backups, more if possible. I keep a year’s worth.
Also ensure you know how to restore your backup.
Another perk of having your own backups and email off your host – if your host goes down for days due to a DDoS attack, you can actually migrate to another host immediately. Just restore your backup to that new host and point your DNS. (If you have Cloudflare involved, there will be an extra step in this process. The point is to keep your setup simple so you can move at a moment’s notice.)
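Here, as an added example that is not the post author’s tooling, is a Python script that does what the backup checklist above asks: it archives the whole site root so that .htaccess, robots.txt and verification files ride along, dumps the database with WP-CLI (`wp db export`) if that is installed, keeps the newest 30 archives, and optionally copies the archive to an S3 bucket. The upload step assumes `boto3` and AWS credentials are already configured and a bucket name of your choosing; `demo()` exercises everything else on a constructed site in a temporary directory.

```python
"""Nightly WordPress backup: archive everything in the site root (dotfiles
such as .htaccess included), dump the database with WP-CLI when available,
keep the newest N archives, and copy off-host. Added example, not the post
author's tooling; the S3 upload is optional and assumes a bucket you own
with credentials already configured."""
import shutil
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def make_backup(site_dir, backup_dir, stamp=None):
    site_dir, backup_dir = Path(site_dir).resolve(), Path(backup_dir).resolve()
    if backup_dir == site_dir or site_dir in backup_dir.parents:
        raise ValueError("backup_dir must not live inside the site, or the archive swallows itself")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")  # recursive; .htaccess, robots.txt etc. come along
    # The database holds posts, settings and users; files alone will not restore a site.
    if shutil.which("wp") and (site_dir / "wp-config.php").exists():
        subprocess.run(["wp", f"--path={site_dir}", "db", "export",
                        str(backup_dir / f"db-{stamp}.sql")], check=False)
    return archive


def archive_members(archive):
    with tarfile.open(archive) as tar:
        return sorted(tar.getnames())


def prune_backups(backup_dir, keep=30):
    """Delete all but the newest `keep` archives; the UTC stamp sorts lexically."""
    archives = sorted(Path(backup_dir).glob("site-*.tar.gz"),
                      key=lambda p: p.name, reverse=True)
    removed = archives[keep:]
    for path in removed:
        path.unlink()
    return [p.name for p in removed]


def upload_to_s3(archive, bucket):
    """Off-host copy. Needs boto3 and credentials; never called by demo()."""
    import boto3  # AWS SDK; assumed installed
    boto3.client("s3").upload_file(str(archive), bucket, Path(archive).name,
                                   ExtraArgs={"StorageClass": "STANDARD_IA"})


def demo():
    """Run the procedure against a constructed site in a temp directory."""
    root = Path(tempfile.mkdtemp())
    site = root / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / ".htaccess").write_text("RewriteEngine On\n")
    (site / "robots.txt").write_text("User-agent: *\n")
    backups = root / "backups"
    archive = make_backup(site, backups, stamp="20240106T000000Z")
    members = archive_members(archive)
    for day in range(1, 6):  # five older archives, as a nightly job leaves behind
        (backups / f"site-2024010{day}T000000Z.tar.gz").touch()
    removed = prune_backups(backups, keep=3)
    remaining = sorted(p.name for p in backups.glob("site-*.tar.gz"))
    shutil.rmtree(root)
    return {"members": members, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `demo()` to see exactly what lands in the archive. Practise the restore as well: untar into a fresh directory, import the .sql with `wp db import`, and compare against the live site, so that the first time you do it is not the day your host is down.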
Use Super Strong Passwords – ensure that you are using a genuinely strong password.
It should be:
- 12-16 characters
- Contain multiple special characters, numbers, and capitals
(Cracking tools try the cheapest guesses first: dictionary words, common patterns like a capitalized word plus a year, and short strings from a single character class. Every extra character multiplies the attacker’s work more than adding another character class does, so length matters most; mixing in numbers and special characters on top of that makes it harder still.)
NEVER use the same password again. Make every one unique.
Ensure every account has its own password.
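To put numbers on the advice above, here is an added example (mine, not the post author’s) that estimates the brute-force keyspace for a password from its length and the character classes it uses, converts that to a worst-case cracking time at an assumed offline guess rate, and applies the 12+ character, multiple-class policy from the list. The deny-list of common words is a tiny constructed stand-in for the wordlists real cracking tools carry.

```python
"""Estimate the brute-force work a password imposes, and check it against
the policy in the post. Added example; the deny-list is a constructed
stand-in for real cracking wordlists, and 1e10 guesses/s is an assumed
offline cracking rate."""
import math
import string

CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32
}
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "123456"}  # constructed


def classes_used(password):
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(password):
    """Alphabet size an attacker must cover once they know which classes appear."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def entropy_bits(password):
    """Upper bound: log2 of the keyspace for this length and alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try the whole keyspace at the assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def meets_policy(password, min_length=12, min_classes=3):
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        return False  # a dictionary hit is tried long before brute force
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


if __name__ == "__main__":
    for pw in ["Summer2018", "Tr0ub4d0r&3", "correcthorsebatterystaple", "x7#Qm2!pLw9$Vr4e"]:
        bits = entropy_bits(pw)
        print(f"{pw:26s} {len(pw):2d} chars {bits:6.1f} bits "
              f"~{years_to_exhaust(bits):.1e} years  policy={'ok' if meets_policy(pw) else 'FAIL'}")
```

Note what the numbers show: the 25-letter lowercase passphrase has more entropy than the 11-character mixed-class one, which is why length comes first in the advice above. The class requirement still catches short passwords that lean on a single trick, and the deny-list catches the ones an attacker would never need to brute-force at all.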
LastPass is an amazing service that creates and stores strong and unique passwords for every account. It’s free for one device. For just $2/mo you can get access on all devices, plus emergency access.
(Webmasters, we cannot use this service, as we log into the same 3rd party accounts for multiple clients.)
Rotate your passwords – I have a sheet with every online account I have ever opened, all the way down to things like Craigslist. I rotate those passwords at least once a year, taking them in small chunks of 5 minutes at a time. You’ll get through your list quicker than you think!
Get serious about cyber security – hackers don’t just use host servers to amplify their attacks. They also use the Internet of Things (IoT).
The IoT includes:
- Your wifi router
- Cell phone
- Smart TV
- Home security system
- Any “thing” connected to the internet
Ensure they stay updated and have strong and unique passwords too.
My job is to empower DIY site owners to become confident and successful with running their own sites.
That includes education through site audits, so you can see what’s really going on with your site and learn how to manage it better.
I also offer all manner of site services to help with the one-off techie stuff that is far cheaper and safer to outsource than to try on your own.
My Tips Tuesday posts/podcast/livestream are a 100% non-optional read for all DIY site owners so you can stay ahead of the changes and keep calm.