GoDaddy Security Breach Exposes 1.2 million WordPress Users’ Data


Web hosting company GoDaddy said on Monday that the email addresses of 1.2 million active and inactive managed WordPress customers were exposed to unauthorized third-party access.

The company said the incident was detected on November 17 and that third parties accessed the system using a compromised password.

“We have identified suspicious activity in our managed wordpress hosted the environment and immediately launched an investigation with the help of an IT forensics firm and contacted law enforcement,” said Chief Information Security Officer Demetrius Cums. in a filing,

The company, whose shares fell about 1.6 percent in early trading, said it had blocked unauthorized third parties immediately, and an investigation was still ongoing.

Here’s what the company said in the filing:

On November 17, 2021, we discovered unauthorized third-party access to our managed WordPress hosting environment. Here’s background on what happened here and the steps we’ve taken and are taking in response:
We identified suspicious activity in our managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a tampered password, an unauthorized third party accessed the provisioning mechanism in our legacy code base for managed WordPress.
Upon detection of this incident, we immediately blocked the unauthorized third party from our system. Our investigation is ongoing, but we have determined that, as of September 6, 2021, an unauthorized third party exploited the vulnerability to gain access to the following customer information:
• Up to 1.2 million active and inactive Managed WordPress customers had their email address and subscriber count exposed. Exposure to email addresses presents a risk of phishing attacks.
• The original WordPress admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
• For active clients, sFTP and database usernames and passwords were exposed. We reset both passwords.
• For a subset of active clients, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Our investigation is ongoing and we are contacting all affected customers directly with specific details. Customers can also contact us through our Help Center (, which includes country-based phone numbers.
We are sincerely sorry for this incident and for causing concern to our customers. We, the leadership and employees of GoDaddy, take the responsibility of protecting our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional levels of security.
Demetrius arrives
chief information security officer

forward-looking statements
In this blog post, GoDaddy Inc. (“We,” “GoDaddy,” or “the Company”) contains forward-looking statements that are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including our efforts to investigate. and improve our efforts to identify and notify security incidents and affected customers, and to implement additional security measures. Our forward-looking statements are based on information known to us at the time of this blog post and are subject to a number of known and unknown risks, uncertainties and assumptions that could cause our actual future results, performance or achievements to differ materially. any future consequences expressed or implied in this blog post. Factors contributing to the uncertain nature of our forward-looking statements include, among others, our ongoing investigation of the incident; our sensitivity to additional security incidents; Adverse legal, reputational and financial impact on the Company as a result of the incident or additional security incidents, including regulatory inquiries; and potential operational disruption as a result of the incident. Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. Additional risks and uncertainties that could affect GoDaddy’s business and financial results are contained in our filings with the Securities and Exchange Commission (“SEC”) from time to time, including our Quarterly Report on Form 10 Contains details described in “Risk Factors”. -Q as described in “Management’s discussion and analysis of the financial position and results of operations” in our annual reports for the quarter ended September 30, 2021 as well as for the year ended December 31, 2020. Report on Form 10-Q for the quarter ended September 30, 2021, available on the GoDaddy website at and the SEC’s website at Additional information will also be set out in other filings that GoDaddy makes with the SEC from time to time. All forward-looking statements in this blog post are based on information available to GoDaddy as of the date herein. GoDaddy assumes no obligation to update the forward-looking statements provided to reflect events or circumstances that exist after the date they were made.

© Thomson Reuters 2021