(CMR) Web hosting giant GoDaddy announced on Monday that email addresses of up to 1.2 million WordPress customers have been exposed in an unauthorized third-party breach on September 6. The company said the incident was discovered on Nov. 17 and the third party accessed the system using a compromised password.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” Chief Information Security Officer Demetrius Comes said in a filing with the Securities and Exchange Commission.
Comes said the company detected unauthorized access to the systems where it hosts and manages its customers’ WordPress servers. WordPress is a web-based content management system used by millions to set up blogs or websites; GoDaddy lets customers host their own WordPress installs on its servers. It has nearly 20 million WordPress customers.
It’s not clear whether the compromised password was protected with two-factor authentication, but the filing said the breach affected the email addresses and customer numbers of both active and inactive Managed WordPress users. GoDaddy said this exposure could put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password created when WordPress was first installed, which could be used to access a customer’s WordPress server, was also exposed.
The company said that active customers had their sFTP credentials (for file transfers), and the usernames and passwords for their WordPress databases, which store all the user’s content, exposed in the breach. In some cases, the customer’s SSL (HTTPS) private key was exposed, which if abused could allow an attacker to impersonate a customer’s website or services.
GoDaddy said it has reset customer WordPress passwords and private keys, and is in the process of issuing new SSL certificates. The company said it regrets what happened and promised to protect users and their passwords and to add further protection measures.