Web hosting company GoDaddy said on Monday email addresses of up to 1.2 million active and inactive Managed WordPress customers had been exposed in an unauthorised third-party access.
The company said the incident was discovered on November 17 and the third-party accessed the system using a compromised password.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” Chief Information Security Officer Demetrius Comes said in a filing.
The company, whose shares fell about 1.6 percent in early trading, said it had immediately blocked the unauthorised third party, and an investigation was still going on.
Here’s what the company said in the filing:
On November 17, 2021, we discovered unauthorised third-party access to our Managed WordPress hosting environment. Here is the background on what happened and the steps we took, and are taking, in response:
We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress.
Upon identifying this incident, we immediately blocked the unauthorised third party from our system. Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorised third party used the vulnerability to gain access to the following customer information:
•Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
•The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
•For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
•For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help centre (https://www.godaddy.com/help) which includes phone numbers based on country.
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.
Chief Information Security Officer
This blog post contains forward-looking statements regarding GoDaddy Inc. (“we,” “GoDaddy,” or the “Company”) which are subject to the safe harbour provisions of the Private Securities Litigation Reform Act of 1995, including our efforts to investigate and remediate the security incident and our attempts to identify and notify affected customers and implement additional security measures. Our forward-looking statements are based on information known to us at the time of this blog post and are subject to a number of known and unknown risks, uncertainties and assumptions that may cause our actual future results, performance, or achievements to differ materially from any future results expressed or implied in this blog post. Factors that contribute to the uncertain nature of our forward-looking statements include, among others, our ongoing investigation of the incident; our vulnerability to additional security incidents; adverse legal, reputational, and financial effects on the Company resulting from the incident or additional security incidents, including regulatory inquiries; and potential operational disruptions as a result of the incident. Because some of these risks and uncertainties cannot be predicted or quantified and some are beyond our control, you should not rely on our forward-looking statements as predictions of future events. Additional risks and uncertainties that could affect GoDaddy’s business and financial results are included in the filings we make with the Securities and Exchange Commission (“SEC”) from time to time, including those described in “Risk Factors” in our Quarterly Report on Form 10-Q for the quarter ended September 30, 2021 as well as those described in “Management’s Discussion and Analysis of Financial Condition and Results of Operations” in our Annual Report on From 10-K for the year ended December 31, 2020 and in our Quarterly Report on Form 10-Q for the quarter ended September 30, 2021, which are available on GoDaddy’s website at https://investors.godaddy.net and on the SEC’s website at www.sec.gov. Additional information will also be set forth in other filings that GoDaddy makes with the SEC from time to time. All forward-looking statements in this blog post are based on information available to GoDaddy as of the date hereof. GoDaddy does not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made.
© Thomson Reuters 2021