Data belonging to up to 1.2 million WordPress customers has been exposed in a security incident at GoDaddy.
The domain registrar web-hosting company said on Monday that an unauthorized third party had gained access to its systems by exploiting a compromised password. The intrusion began in September but wasn’t detected until last week.
GoDaddy has hired an IT forensics firm to investigate the incident. While that investigation remains ongoing, cybersecurity specialists have determined that the unauthorized third party gained access to email addresses and customer numbers belonging to Managed WordPress customers with active or inactive accounts.
In a November 22 filing regarding the data incident, GoDaddy’s chief information security officer, Demetrius Comes, wrote that “the exposure of email addresses presents risk of phishing attacks.”
GoDaddy said that original WordPress admin passwords that were set at the time of provisioning were exposed.
“If those credentials were still in use, we reset those passwords,” said Comes in the filing.
GoDaddy also reset active WordPress customers’ passwords for the Secure File Transfer Protocol (SFTP) and database, after the usernames and passwords for both were exposed in the security incident.
The details of SSL (Secure Sockets Layer) private keys belonging to an unspecified number of active customers were also exposed to the unauthorized third party. The company is currently in the process of issuing and installing new certificates for those customers.
Once the incident was discovered, the intruder was blocked from the system. The investigation into the incident found that the unauthorized third party had been able to access WordPress customers’ data since September 6.
“On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment,” wrote Comes.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.”
Comes added that the company intends to learn from the incident and is taking steps to further protect its system.