GoDaddy Says Data Breach Exposes Up to 1.2 Million Client Accounts

A data breach at web hosting company GoDaddy may have exposed the personal information of up to 1.2 million clients. After discovering unauthorized third-party access to GoDaddy’s Managed WordPress web hosting environment on November 17, the web hosting company immediately began an investigation with the help of an IT forensics firm and contacted law enforcement.

Email addresses and client numbers of current and inactive customers who utilized GoDaddy’s Managed WordPress web hosting service, a service for developing and maintaining WordPress websites, were among the personal information exposed. The exposure of these email addresses presents risk of phishing attacks.

Malicious Access to Provisioning System

Photo Demetrius Comes, CISO at GoDaddy
“We will learn from this security incident and are already taking steps to strengthen our provisioning system with additional layers of protection,” said Demetrius Comes, CISO at GoDaddy.

It started as follows. An unauthorized third party exploited a vulnerability on September 6, 2021, to obtain access to client information via a hacked password. The unauthorized third party gained access to the provisioning system in GoDaddy’s Managed WordPress legacy code base by using this hacked password.

GoDaddy quickly barred the unauthorized third party from their systems after becoming aware of the situation.

The web hosting provider’s investigation is ongoing, says GoDaddy’s Chief Information Security Officer, Demetrius Comes. Impacted customers have been alerted directly with specific details, but clients are also encouraged to contact GoDaddy through their customer support center.

Some of the security measures GoDaddy has already taken include:

  • The original WordPress Admin password was revealed, which was set at the time of provisioning. GoDaddy has reset the passwords if such credentials were still in use
  • sFTP and database usernames and passwords were made public for active clients. Both passwords were reset by GoDaddy
  • The SSL private key was exposed for a subset of active clients. For such clients, GoDaddy is in the process of providing and installing fresh certificates

“We are sincerely sorry for this incident and the concern it causes for our customers,” said Demetrius Comes, Chief Information Security Officer at GoDaddy. “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

Inxy Hosting CDN Marketplace