Web hosting and domain seller giant GoDaddy has reported a data breach that exposed 1.2 million customers’ data to hackers.
GoDaddy’s chief information security officer, Demetrius Comes, said, “the company detected unauthorized access to its systems where it hosts and manages its customers’ WordPress servers.”
WordPress is a content management system (CMS), popular worldwide, that is used by 70% of internet publishers.
GoDaddy has more than 20 million customers worldwide.
GoDaddy said, “the unauthorized person used a compromised password to get access to GoDaddy’s systems around September 6.”
The company added that it discovered the breach last week, on November 17. It’s not clear if the compromised password was protected with two-factor authentication.
The breach affected 1.2 million active and inactive managed WordPress users, with their email addresses and customer numbers exposed.
GoDaddy said this exposure could put users at greater risk of phishing attacks.
The company said that active customers had their sFTP credentials (for file transfers) and the usernames and passwords for their WordPress databases, which store all the user’s content, exposed in the breach.
In some cases, the customer’s SSL (HTTPS) private key was exposed, which, if abused, could allow an attacker to impersonate a customer’s website or services.
GoDaddy said it has reset customer WordPress passwords and private keys and is in the process of issuing new SSL certificates.