GoDaddy 2021: 1.2 Million WordPress Hosting Customers Exposed via Compromised Password
A GoDaddy WordPress hosting breach exposed 1.2 million active and inactive customers' email addresses, WordPress admin passwords, sFTP credentials, database credentials, and SSL private keys — all via a single compromised provisioning system password.
Background
GoDaddy is the world's largest domain registrar and a major web hosting provider. Its Managed WordPress service hosted over 1.2 million sites. A compromised password in a provisioning system — used during site setup — gave the attacker broad access to customer data.
The Attack
On November 17, 2021, GoDaddy discovered that an attacker had used a compromised password to access the provisioning system for its Managed WordPress hosting. The attacker had access to the system since at least September 6, 2021 — over two months before discovery. During that time, they accessed email addresses and customer numbers, WordPress admin passwords (originally set at provisioning), sFTP and database usernames and passwords, and SSL private keys for active customers. The breadth of data types exposed made this breach particularly severe — an attacker could use the combination to fully compromise any of the 1.2 million affected sites.
Response
GoDaddy notified affected customers, reset WordPress admin passwords and sFTP/database credentials, and issued new SSL certificates. The company notified relevant regulators. CEO Aman Bhutani personally communicated the breach to customers.
Outcome
The combination of admin passwords, database credentials, and SSL private keys meant attackers could silently serve malicious content, intercept encrypted traffic, access customer databases, and install malware. The breach was disclosed under GDPR timelines and US state breach notification laws. GoDaddy faced class actions and SEC investigation for untimely disclosure of prior incidents.
Key Takeaways
- Provisioning systems with access to customer credentials are critical assets requiring the strongest access controls
- SSL private keys must be unique per customer and revocable without service disruption
- Stored provisioning passwords must be hashed — if they need to be set initially, force change on first login
- Two months of attacker access to 1.2 million sets of credentials represents a massive downstream risk regardless of GoDaddy's response
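The third takeaway (store only hashes; if a password must be set at provisioning, make it single-use until the customer changes it) is worth seeing in code. The following is an added example written for this page, not GoDaddy's provisioning code or any part of its Managed WordPress system. It assumes an in-memory dictionary as the credential store, PBKDF2-HMAC-SHA256 with a per-record random salt as the hash, and a constructed minimum length of 12 characters for the customer-chosen replacement; the site id is a constructed sample value. The point it demonstrates is that a read of the store, which is what the attacker in this incident obtained, yields salts and digests but no reusable password, and that the provisioning password stops working the moment it has been used once.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a random
# per-record salt. The iteration count follows OWASP's current guidance for
# PBKDF2-SHA256; a production system would tune it to its hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_REPLACEMENT_LENGTH = 12  # constructed policy for the customer-chosen password


@dataclass
class CredentialRecord:
    """What the provisioning store keeps for one site. There is no plaintext field."""
    salt: bytes
    digest: bytes
    must_change: bool = True  # provisioning password is single-use until rotated


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def provision_site(store: dict, site_id: str) -> str:
    """Create the initial admin password for a new site.

    The plaintext is returned exactly once so it can be handed to the customer;
    only its salted hash is written to the store, flagged as requiring change.
    """
    initial_password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(SALT_BYTES)
    store[site_id] = CredentialRecord(salt=salt, digest=_derive(initial_password, salt))
    return initial_password


def verify_password(store: dict, site_id: str, password: str) -> bool:
    """Constant-time comparison against the stored digest."""
    record = store.get(site_id)
    if record is None:
        # Do the same amount of work for unknown sites so their absence is not
        # observable through response time.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(_derive(password, record.salt), record.digest)


def login(store: dict, site_id: str, password: str, new_password: Optional[str] = None) -> str:
    """Return 'rejected', 'change_required' or 'ok'.

    A login with the provisioning password is accepted only if it is replaced in
    the same step with a customer-chosen password. After that rotation the
    provisioning password no longer matches anything in the store.
    """
    if not verify_password(store, site_id, password):
        return "rejected"
    record = store[site_id]
    if record.must_change:
        if (not new_password or new_password == password
                or len(new_password) < MIN_REPLACEMENT_LENGTH):
            return "change_required"
        new_salt = secrets.token_bytes(SALT_BYTES)
        store[site_id] = CredentialRecord(
            salt=new_salt, digest=_derive(new_password, new_salt), must_change=False)
    return "ok"


def dump_store(store: dict) -> dict:
    """What someone with read access to the store sees: salts and digests only."""
    return {sid: {"salt": r.salt.hex(), "digest": r.digest.hex(), "must_change": r.must_change}
            for sid, r in store.items()}


if __name__ == "__main__":
    store = {}
    pw = provision_site(store, "site-0001")  # constructed site id
    print("provisioning password, delivered once:", pw)
    print(login(store, "site-0001", pw))                                    # change_required
    print(login(store, "site-0001", pw, "customer-chosen-passphrase-42"))   # ok
    print(login(store, "site-0001", pw))                                    # rejected
    print(dump_store(store))
```

Compare this with a provisioning system that keeps the initial password in a column so it can be shown in a control panel later: in that design, a read of the store at any point after setup returns working admin credentials for every site ever provisioned, which is the exposure described in The Attack. Here the same read returns material that only helps an offline guessing attack against a random 32-byte password, and for any site whose customer has already logged in, not even that.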