Web hosting company GoDaddy Inc (GDDY.N) said on Monday email addresses of up to 1.2 million active and inactive Managed WordPress customers had been exposed to unauthorized third-party access.
The company said the incident was discovered on Nov. 17 and the third party accessed the system using a compromised password.
“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” Chief Information Security Officer Demetrius Comes said in a filing.
The company, whose shares fell about 1.6% in early trading, said it had immediately blocked the unauthorized third party, and an investigation was still going on.
In disclosures to the Securities and Exchange Commission, web registrar and hosting company GoDaddy has revealed that it discovered it had been hacked. The company says that it discovered an “unauthorized third party” had gained access to its Managed WordPress hosting environment. Anything up to 1.2 million users have seen their email address and customer number exposed, as well as admin passwords for both WordPress sites hosted on the platform, plus passwords for sFTPs, databases, and SSL private keys.
In addition, it says that it has reset the relevant credentials and will work with users to issue new SSL certificates. Comes ends his statement by saying that the company will, perhaps a little too belatedly, “learn from this incident” and will take steps to prevent such a breach from happening in the future.