No severity: Informational (in Scoring 2.0)
Low (in Scoring 3.0)
Factor: Network Security
Why this matters
We detected that you are running a website that uses GoDaddy’s Transport Layer Security (TLS) certificates, which are essential for securing internet browser connections and transactions through data encryption. In early September 2021, GoDaddy suffered a data breach that exposed the SSL keys of user accounts, affecting more than 1 million active and inactive users, who had their email addresses and customer numbers compromised. This exposure could put users in your organization at greater risk of phishing attacks.
Note: This is one of two informational issue types related to the September 2021 GoDaddy breach. See also Website hosted by GoDaddy's Wordpress.
How we discovered it
During a network scan and web crawl, we check if GoDaddy issued the TLS certificate for your website.
How you can remediate it
Take the following actions to help prevent further compromise:
- Consult with GoDaddy to find out if your website has been impacted by the breach.
- Have users in your organization change their website login credentials.
- Train your organization to recognize and report phishing emails.
- Rotate your TLS certificates in the event that some of them were compromised.
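To decide which certificates to rotate, you can run the same kind of issuer check described under "How we discovered it" against your own hosts. The following is an added example, not SecurityScorecard's detection logic: the issuer substrings, host names, dates and cutoff are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: substrings found in the issuer names of GoDaddy-operated CAs.
GODADDY_MARKERS = ("godaddy", "go daddy")

def issuer_fields(cert):
    """Flatten the issuer RDN tuples of a getpeercert() dict into {name: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def is_godaddy_issued(cert):
    fields = issuer_fields(cert)
    names = " ".join(fields.get(k, "") for k in ("organizationName", "commonName"))
    return any(marker in names.lower() for marker in GODADDY_MARKERS)

def issued_at(cert):
    """Return notBefore as a timezone-aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, timezone.utc)

def rotation_candidates(inventory, cutoff):
    """Hosts serving a GoDaddy-issued certificate that was issued before cutoff."""
    return sorted(host for host, cert in inventory.items()
                  if is_godaddy_issued(cert) and issued_at(cert) < cutoff)

def fetch_cert(host, port=443, timeout=5):
    """Fetch the validated leaf certificate of a live host (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _cert(org, cn, not_before):
    return {"issuer": ((("organizationName", org),), (("commonName", cn),)),
            "notBefore": not_before}

GD_CN = "Go Daddy Secure Certificate Authority - G2"
# Constructed inventory in getpeercert() form; hosts and dates are made up.
SAMPLE_INVENTORY = {
    "shop.example.com": _cert("GoDaddy.com, Inc.", GD_CN, "Mar 14 09:00:00 2021 GMT"),
    "www.example.com": _cert("GoDaddy.com, Inc.", GD_CN, "Jan 10 09:00:00 2022 GMT"),
    "api.example.com": _cert("Let's Encrypt", "R3", "Feb  2 00:00:00 2021 GMT"),
}
# Constructed cutoff: the date from which your organization began reissuing.
SAMPLE_CUTOFF = datetime(2021, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(rotation_candidates(SAMPLE_INVENTORY, SAMPLE_CUTOFF))
```

The issue date only shows that a certificate was reissued, not that its key changed, so generate a new private key for every certificate you rotate. For live hosts, build the inventory with `fetch_cert()` instead of the sample dictionary.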
How you can resolve it in SecurityScorecard
Tip: Although this informational issue type does not impact your score, resolving it and providing explanatory comments demonstrates your cybersecurity engagement to organizations that are following your Scorecard.
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving Website Hosted By GoDaddy's Wordpress findings:
I have fixed this
- Comment that you have taken recommended remediation actions.
I have a compensating control
- If your website was deprecated and had no user accounts—even inactive ones—prior to the September GoDaddy breach, indicate this in your comment.
This is not my IP or domain
- Indicate that the affected website does not belong to your organization.
I cannot reproduce this issue and I think it’s incorrect
- Provide a reason that the finding is inaccurate.
Read about the GoDaddy breach: