Yesterday, GoDaddy filed a report with the Securities and Exchange Commission (SEC) for a security incident it discovered on November 17, 2021. The filing describes the discovery of unauthorized third-party access to their Managed WordPress hosting environment. According to the report, beginning on September 6, 2021 an unauthorized third party leveraged the vulnerability to gain access to the following customer information:

• Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed.
• The original WordPress Admin password that was set at the time of provisioning was exposed.
• For active customers, sFTP and database usernames and passwords were exposed.
• For a subset of active customers, the SSL private key was exposed.

GoDaddy has reset passwords for affected accounts and is in the process of issuing and installing new certificates as necessary. Members operating WordPress sites hosted on GoDaddy and encouraged to review the details of the incident and address accordingly. Read more at The Record.