Cyber Incident Victim: GoDaddy
Date:
Sep 2021
Location:
United States of America
Summary
A cybersecurity breach impacted approximately 1.2 million Managed WordPress customers after unauthorized actors used a compromised password to access the provisioning system in a legacy infrastructure. The intrusion, detected weeks later, exposed sensitive customer data including email addresses, customer numbers, the original administrative credentials for WordPress installations, sFTP and database credentials, and the private keys of SSL certificates. The attackers held unauthorized access to the hosting environment's network and systems for a prolonged period before discovery.
Description
On November 17, 2021, GoDaddy detected suspicious activity within its Managed WordPress hosting environment, prompting an immediate investigation supported by an external IT forensics firm and engagement with law enforcement. The company determined that unauthorized third parties had infiltrated its systems using a compromised password to access the provisioning system in its legacy code base for Managed WordPress services. This breach granted attackers persistent network access dating back to at least September 6, 2021—over two months prior to detection—allowing extensive exposure of customer data. GoDaddy publicly disclosed the incident on November 22, 2021, confirming the breach impacted up to 1.2 million active and inactive Managed WordPress customers. The compromised provisioning system served as a critical component for configuring and managing WordPress hosting instances, enabling attackers to harvest multiple categories of sensitive authentication materials and customer information during their prolonged access period.

The attackers exfiltrated email addresses and customer numbers for all affected Managed WordPress accounts. They also obtained the original WordPress Admin passwords assigned during initial account provisioning, along with sFTP credentials and the credentials of the associated databases. SSL private keys, the cryptographic material that secures website communications, were also exposed, potentially enabling decryption of intercepted traffic or impersonation of customer websites. As one of the world's largest domain registrars and web hosting providers, serving over 20 million customers globally, GoDaddy faced significant operational and reputational consequences from the breach. The company reset the exposed WordPress Admin and sFTP passwords, issued new SSL certificates to mitigate the risk from compromised private keys, and notified impacted customers directly. No evidence suggested unauthorized modifications to customer websites or injected malware, but because foundational authentication material had been exposed, credentials and certificates had to be rotated across the affected hosting infrastructure.
