This morning, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of those websites that are affected by this breach, and some GoDaddy ...Read More
An attacker gained access to the provisioning system for GoDaddy’s managed WordPress service
Wait, doesn’t Wordpress itself hash passwords? How the hell did they fuck this up?
Apparently it was the database and sFTP passwords that were exposed.
Doesn’t SSH hash passwords too?!
Yeah…but it looks like they were storing the passwords to connect to the sFTP service!!
Sigh. And the worst part is that nearly ever major web framework has a well known library for securely storing passwords.