GoDaddy Hack Reveals Emails of 1.2 Million WordPress Customers



A compromised password can have far-reaching consequences. Up to 1.2 million email addresses for active and inactive Managed WordPress customers were exposed in a security breach that was disclosed on Monday.

The company reported the incident to the Securities and Exchange Commission, which said that an unauthorized third party had gained access to its Managed WordPress hosting environment. The company said that the source of the breach was a compromised password, which allowed the hackers to enter the system.

Customer numbers were exposed, as well as the 1.2 million active and inactive Managed WordPress email addresses. Access to the email addresses opens the door to attacks. The original passwords of customers who created their new sites were also accessed. If the passwords were still being used by the affected customers, GoDaddy reset them.

sFTP and database usernames and passwords were also compromised for active customers. The passwords were reset as well. A subset of active customers had their private SSL key compromised, and GoDaddy is currently in the process of issuing and installing new certificates for those affected.

The company said that it immediately began to investigate the incident, enlisted the help of a third-party IT forensics firm, and contacted the authorities. The hacker was blocked from its system.

The chief information security officer of the company apologized for the incident and said that the investigation is ongoing. "We, the leadership and employees of GoDaddy, take our responsibility to protect our customers' data very seriously and never want to let them down. We will learn from this incident and strengthen our system with additional layers of protection."

Gizmodo reached out to GoDaddy on Tuesday to inquire about how the compromised password was obtained and how the company was protecting its system. If we hear back, we will make sure to update this post.