GoDaddy data breach impacts 1.2 million WordPress site owners

Internet infrastructure company GoDaddy said on Monday that a hacker gained access to the personal information of more than 1.2 million customers of its WordPress hosting service.

In documents filed with the U.S. Securities and Exchange Commission earlier today, GoDaddy said it discovered the breach last week, on November 17, after noticing "suspicious activity" on its Managed WordPress hosting environment.

The subsequent investigation found that a hacker had access to its servers for more than two months, since at least September 6.

Based on current evidence, GoDaddy said the hacker gained access to the following information:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer numbers exposed.
  • The original WordPress Admin password that GoDaddy issued to customers when a site was created was exposed.
  • For active customers, sFTP and database usernames and passwords were exposed.
  • For a subset of active customers, the SSL private key was exposed.

GoDaddy said it has already reset the sFTP and database passwords exposed in the hack. It also reset the admin account password for customers who were still using the default one that GoDaddy issued when their sites were created.

The company said it's still in the process of issuing and installing new SSL certificates for affected customers, a process that is a little bit more complicated than resetting passwords.

GoDaddy said it notified law enforcement and is working with an IT forensics firm to investigate the incident further. Customer notifications have also been sent out today, The Record has learned from two site owners. The notices were sent by companies that GoDaddy acquired in the past and are responsible for its managed WordPress offerings, such as MediaTemple and tsoHost. Other managed WordPress resellers that re-package GoDaddy services are also most likely impacted.

"We are sincerely sorry for this incident and the concern it causes for our customers," said Demetrius Comes, Chief Information Security Officer at GoDaddy.

This is the company's second breach in the past two years, after a hacker accessed SSH accounts for some customers in early 2020, according to a letter [PDF] filed with state officials in May 2020.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.