GoDaddy has suffered a data breach exposing up to 1.2 million email addresses and customer numbers, the company said on Monday.
“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress,” the firm says in a Securities and Exchange Commission filing acknowledging the incident.
The email exposure “presents risk of phishing attacks,” the firm adds.
The incursion started on Sept. 6 and was identified by GoDaddy on Nov. 17. The company blocked the unauthorized third party, contacted law enforcement and began an investigation with the help of an IT forensics firm.
GoDaddy notes that for active customers, “sFTP and database usernames and passwords were exposed. We reset both passwords.
“For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.”
In addition, the firm says the “original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.”
GoDaddy states it is “sincerely sorry for this incident and the concern it causes for our customers. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”