NPC Security Alerts

GoDaddy Data Breach May Also Affect Managed WordPress Users’ Customers


December 3, 2021



What is the issue?

On November 22, 2021, GoDaddy reported to the US Securities and Exchange Commission (SEC) that a compromised password allowed an unauthorized third party to access its Managed WordPress hosting environment. The security breach exposed the email addresses and customer numbers of 1.2 million active and inactive users of the service, including the original WordPress Admin passwords. Also exposed were the sFTP (secure file transfer protocol) usernames and passwords for active customers, and private SSL (secure sockets layer) keys of an unknown number of active users.

sFTP is used for file access, transfer, and management on a website’s server, and SSL certificates are used on websites to create a secure link with visitors and to encrypt any data sent or received using a private key.

The breach was detected on November 17, 2021, but an investigation revealed that data may have been compromised as early as September 6, 2021. After detecting the breach, GoDaddy reset exposed passwords and was issuing and installing new certificates for customers whose SSL keys were exposed. However, because the breach was not known for two months, updating passwords is not enough. GoDaddy customers need to review their account and website for any suspicious activity during that time and be alert for phishing attacks.


What does it mean for me?

The breach doesn’t seem to have exposed any personally identifiable information (PII) or payment details that GoDaddy had on any of its customers. However, the exposure of email addresses means GoDaddy’s Managed WordPress customers need to be on alert for phishing scams.

What is most concerning is that the security breach went unnoticed for over two months. During that time, the exposed sFTP credentials could have given access to information stored on any of these Managed WordPress websites, including information from visitors or customers. Access to these servers could also allow an attacker to modify the website, steal other types of data, upload malware, or add a false administrative user for easier access later.

For users whose SSL private key was exposed, it could be possible for an attacker to intercept and decrypt traffic using the key, provided they could successfully perform a man-in-the-middle (MITM) attack between a site visitor and an affected site.


What should I do?

Businesses that use GoDaddy’s Managed WordPress should review their webpages, website analytics, and account settings for any unauthorized activity.

For GoDaddy Managed WordPress customers, the company has already reset affected admin passwords and users’ sFTP and database credentials, and has started issuing and installing new SSL certificates. But given the severity of the issue and the data the attacker had access to, we recommend that all GoDaddy Managed WordPress users assume that they have been breached and perform the following steps to repair damage from this incident or mitigate risk in the event of another.

  • Change Passwords
    Change all of your GoDaddy and WordPress passwords, as well as the passwords for any other accounts or applications that use the same password. If applicable, force a password reset for your users or customers and encourage them to change their passwords for any sites that use the same credentials.

  • Notify Users
    If your site collects any kind of PII, particularly if you have an e-commerce site, you may be required to notify your customers of the breach. Verify with GoDaddy whether you were affected by the breach and research the regulatory reporting requirements in your jurisdiction.

  • Check for Unauthorized Users or Plugins
    Scan your site and server for malware, viruses, unauthorized administrator accounts, or any other anomalies. Ensure that no unauthorized plug-ins have been installed by checking the plug-in management page in your WordPress back-end. Also check your site’s filesystem (wp-content/plugins and wp-content/mu-plugins) for any plug-ins that do not appear on the plug-ins page.

  • Beware of Email Phishing
    For both GoDaddy Managed WordPress customers and non-customers, it is important to always be vigilant for emails that ask for your information. With so many compromised addresses, there is a big risk of email phishing scams, and the usernames and other information that were acquired could make those emails seem more credible. Remember that most companies will not ask for your account passwords or PINs. If they do ask you to confirm your identity, check to make sure the link is to a credible website.

  • Enhance Password Security
    It is a best practice to use long passwords or passphrases (we recommend 14 characters minimum) and to use a different password for each account you have. Also, enable multi-factor authentication wherever possible to prevent brute-force attacks on your accounts.
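
The filesystem check from the "Check for Unauthorized Users or Plugins" step can be scripted against a local copy of the site. The following is an added example, not code from NPC or GoDaddy: it lists entries in wp-content/plugins and wp-content/mu-plugins that are missing from a list of plug-ins you expect, and files last modified between September 6 and November 17, 2021. The function names, the known-plugin list, and the sample tree are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Exposure window stated in the alert: possible compromise from
# September 6, 2021 until detection on November 17, 2021.
WINDOW_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 11, 17, 23, 59, 59, tzinfo=timezone.utc)
PLUGIN_DIRS = ("wp-content/plugins", "wp-content/mu-plugins")

def audit_plugins(site_root, known_plugins):
    """Return (unlisted entries, files modified inside the window)."""
    root = Path(site_root)
    unlisted, touched = [], []
    for rel in PLUGIN_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for entry in sorted(base.iterdir()):
            # Single-file plug-ins (common in mu-plugins) are matched by stem;
            # the placeholder index.php that WordPress ships is ignored.
            name = entry.stem if entry.is_file() else entry.name
            if name != "index" and name not in known_plugins:
                unlisted.append(f"{rel}/{entry.name}")
        for path in sorted(base.rglob("*")):
            if path.is_file():
                mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
                if WINDOW_START <= mtime <= WINDOW_END:
                    touched.append(path.relative_to(root).as_posix())
    return unlisted, touched

def build_sample_site(tmp):
    """Constructed sample tree: one expected plug-in, one unlisted mu-plugin."""
    files = {
        "wp-content/plugins/example-forms/example-forms.php": datetime(2021, 6, 1),
        "wp-content/plugins/index.php": datetime(2021, 6, 1),
        "wp-content/mu-plugins/cache-helper.php": datetime(2021, 10, 3),
    }
    for rel, when in files.items():
        p = Path(tmp) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed sample\n")
        ts = when.replace(tzinfo=timezone.utc).timestamp()
        os.utime(p, (ts, ts))
    return tmp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_plugins(build_sample_site(tmp), {"example-forms"}))
```

The local copy must preserve the server's modification times for the window check to mean anything. Timestamps can also be altered by whoever had sFTP access, so an empty result does not rule out tampering; treat the unlisted-entry check as the stronger signal.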


Sources:

GoDaddy Announces Security Incident Affecting Managed WordPress Service - GoDaddy

GoDaddy Announces Security Incident Affecting Managed WordPress Service - SEC Archives

GoDaddy Breached – Plaintext Passwords – 1.2M Affected - Wordfence

GoDaddy security breach exposes WordPress users' data - Reuters

NPC files.
