The breach affected users of WordPress, a web-based content management system used by bloggers and websites, according to the web hosting company's SEC notification. The systems were first compromised on September 6 when an unauthorized user used a stolen password to gain access, but the breach was not discovered until November 17.
Account passwords exposed could put GoDaddy users at risk of having their accounts taken over by cybercriminals, while email addresses compromised increase the likelihood that they will eventually be used in phishing attacks.
According to GoDaddy, up to 1.2 million active and inactive managed WordPress customers' email addresses and customer account numbers were exposed. Furthermore, the original WordPress administrative passwords generated during the account setup process were exposed. If those credentials were still in use, the company stated that they had been reset.
Active customers's FTP and database usernames and passwords were also compromised. GoDaddy has since reset them as well. In addition, some customers' SSL private keys were exposed. GoDaddy stated that it is currently issuing and installing new certificates for those customers.
GoDaddy stated that its investigation is still ongoing and that it is contacting affected customers. Customers can also contact the company via its online help center.