GoDaddy Data Breach Advisory | November 2021

GoDaddy's Managed WordPress hosting environment, which companies use to host their websites on GoDaddy servers, was the target of a cyber attack.


On Monday, November 22, 2021, the web hosting company GoDaddy Inc. disclosed that the email addresses of up to 1.2 million active and inactive Managed WordPress customers had been exposed through unauthorized third-party access to its Managed WordPress hosting environment. GoDaddy has since determined that the threat actor initially gained access on September 6, 2021, using a compromised password to access the certificate provisioning system in its legacy code base for Managed WordPress. The threat actor remained undetected for more than 70 days, until GoDaddy discovered the incident on November 17th.

In addition to the email addresses, GoDaddy also notes that the following were compromised:
  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.
  • For active customers, sFTP and database usernames and passwords were exposed. GoDaddy also reset both passwords.
  • For a subset of active customers, the SSL private key was exposed. GoDaddy is in the process of issuing and installing new certificates for those customers.

Quick facts: what you need to know now

  • The loss of email addresses could lead to targeted phishing campaigns.
  • Compromised WordPress admin passwords could lead to a compromise of your website, resulting in defacement or the hosting of malicious files.
  • The loss of SFTP credentials could lead to data theft.
  • The SSL private key exposure could lead to potential information exposure.

Next Steps for All GoDaddy Customers:

  • Reset your WordPress Admin password. Although the incident only impacted the initial provisioning account, we recommend this as a good exercise. 
  • Reset SFTP credentials. Note that this should have already been done by GoDaddy.
  • If notified by GoDaddy that your SSL private key was impacted, work with GoDaddy to install the new certificate.
  • Ensure phishing protections are in place and monitor for suspicious targeted emails.
  • GoDaddy's investigation is ongoing. If you determine there was unauthorized access to your website, or believe your organization has fallen victim to a phishing scam, notify Corvus of a potential claim via the email or hotline listed on your policy.  
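
To support the last step above (determining whether there was unauthorized access to your website), the following is an added example, not part of the original advisory or any GoDaddy tooling: it scans web access logs for apparently successful WordPress admin logins inside the exposure window from addresses you do not recognise. It assumes Combined Log Format, that a 302 response to a POST on wp-login.php indicates a successful login, and a window running from the initial access date to the disclosure date; the function name and sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Dates from the advisory: initial access and public disclosure (UTC assumed).
# Extend WINDOW_END to the date you actually rotated your credentials.
WINDOW_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 11, 22, 23, 59, 59, tzinfo=timezone.utc)

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def admin_logins_in_window(lines, known_ips=frozenset()):
    """Return {ip: [timestamps]} for POSTs to wp-login.php answered with 302
    inside the exposure window, excluding addresses listed in known_ips."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp
        path = m["path"].split("?", 1)[0]
        is_login = (m["method"] == "POST" and m["status"] == "302"
                    and path.endswith("/wp-login.php"))
        if is_login and WINDOW_START <= ts <= WINDOW_END and m["ip"] not in known_ips:
            hits[m["ip"]].append(ts)
    return dict(hits)

# Constructed sample lines using documentation IP ranges; not real log data.
SAMPLE = [
    '203.0.113.7 - - [05/Sep/2021:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Oct/2021:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Oct/2021:03:14:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Oct/2021:03:15:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Nov/2021:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    for ip, times in admin_logins_in_window(SAMPLE, known_ips={"192.0.2.10"}).items():
        print(ip, [t.isoformat() for t in times])
```

Pass your own administrators' addresses as `known_ips`; any remaining hit is a login to review, not proof of compromise.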

If you have any questions, please reach out to the Risk + Response Team at!
