The web hosting company GoDaddy disclosed a major security breach on Monday, noting that an unauthorized party accessed data belonging to a total of 1.2 million active and inactive customers.
On November 17th, GoDaddy discovered that a malicious third-party had gained access to its Managed WordPress service environment as far back as September 6th. This access was gained using a compromised password on the system.
The third-party had accessed a large amount of data during that time, including email addresses and customer numbers of up to 1.2 million users, the original WordPress administrative password set on accounts at the time of creation, sFTP and database usernames and passwords of active users, and the SSL private keys for a subset of active customers.
GoDaddy stated that it is in the process of issuing and installing new certificates for the impacted customers, as well as resetting affected administrative or database passwords. They have also mentioned implementing new security controls to help prevent any future breaches.