GoDaddy Breach Exposes 1.2M Customer Email Addresses

‘We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down,’ says GoDaddy Chief Information Security Officer Demetrius Comes.

Hackers have since September accessed usernames, passwords, email addresses and SSL private keys for GoDaddy customers by compromising their Managed WordPress hosting environment.

The Tempe, Ariz.-based Internet domain registrar and web hosting company said an unauthorized third party accessed GoDaddy’s provisioning system in its legacy code base for Managed WordPress using a compromised password. The adversary began exploiting the vulnerability on Sept. 6, and GoDaddy discovered the unauthorized access on Nov. 17, according to the company.

“We are sincerely sorry for this incident and the concern it causes for our customers,” GoDaddy Chief Information Security Officer Demetrius Comes said in a statement. “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.

[Related: AWS Accidentally Exposes GoDaddy Server Usage, Pricing Information]

GoDaddy’s stock is down $3.15 (4.42 percent) to $68.16 per share in trading Monday afternoon.

Hackers used the compromised password to access the email addresses and customer numbers for up to 1.2 million active and inactive Managed WordPress customers. The exposure of email addresses presents risks of phishing attacks, according to GoDaddy.

In addition, a subset of active customers had their SSL private key exposed. GoDaddy said it’s in the process of issuing and installing new certificates for those customers. Active customers, meanwhile, had their sFTP and database usernames and passwords exposed, and GoDaddy reset both passwords.

Also, GoDaddy said the original WordPress Admin password set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy said it reset those passwords.

GoDaddy said it contacted law enforcement and investigated the breach with the help of an IT forensics firm. Upon identifying the attack, GoDaddy said it immediately blocked the unauthorized third party from its system. GoDaddy said its investigation is still ongoing, noting it has contacted all impacted customers directly with specific details.

“We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection,” Comes said.