WordPress is far more than just blogs. It powers over 42% of all websites. So whenever there’s a WordPress security failure, it’s a big deal. And now GoDaddy, which is the top global web hosting firm with tens of millions more sites than its competition, reports that data on 1.2 million of its WordPress customers has been exposed.
In a Securities and Exchange Commission (SEC) filing, GoDaddy’s chief information security officer (CISO) Demetrius Comes said they’ve discovered unauthorized access to its managed WordPress servers. To be exact the breach opened information on 1.2 million active and inactive managed WordPress customers since September 6, 2021.
This managed service, according to WordPress, is streamlined, optimized hosting for building and managing WordPress sites. GoDaddy handles basic hosting administrative tasks, such as installing WordPress, automated daily backups, WordPress core updates, and server-level caching. These plans start at $6.99 a month.
Customers had both their email addresses and customer numbers exposed. As a result, GoDaddy warns users that this exposure can put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password created when WordPress was first installed, has also been exposed. So, if you, like too many, never changed that password hackers have had access to your website for months.
In addition, active customers had their sFTP and database usernames and passwords exposed. GoDaddy has reset both these passwords. Finally, some active customers had their Secure-Socket Layer (SSL) private key exposed. GoDaddy is currently reissuing and installing new certificates for those customers.
At this time, that’s all the information GoDaddy has made public about the breach.