GoDaddy Says Security Incident Exposed Data of 1.2M WordPress Users
Internet domain registration and web services company GoDaddy reported today that it has discovered a security breach that could affect up to 1.2 million active and inactive WordPress customers. The breach exposed the customers’ email addresses and customer numbers, making them vulnerable to possible phishing attacks.
The company disclosed the incident in a filing with the Securities and Exchange Commission.
GoDaddy said that beginning on September 6 an unauthorized third party gained access to its Managed WordPress hosting environment using a compromised password. GoDaddy said it learned of the incident on November 17 and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. It also immediately blocked the unauthorized third party from its system.
The company said its investigation, which is ongoing, determined that, beginning on September 6, the unauthorized third party used the vulnerability to gain access to the following customer information:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. GoDaddy reset both passwords.
- For a subset of active customers, the SSL private key was exposed. GoDaddy is in the process of issuing and installing new certificates for those customers.
The company said it is contacting all impacted customers directly with specific details. Customers can also contact its help center.
WordPress is a popular publishing platform.
“We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection,” stated Demetrius Comes, GoDaddy’s chief information security officer, in announcing the incident.