Skip to content

1.2 million email addresses leaked in GoDaddy’s latest breach

  • by
  • 2 min read

GoDaddy suffered a massive data breach that gave the attacker access to over 1.2 million email addresses coming from active and inactive Managed WordPress users. The company disclosed the breach in the SEC filing on Monday. 

The attacker gained access to a system meant to set up and automatically configure new sites in their legacy codebase for Managed WordPress using a “compromised password.” GoDaddy noticed the intrusion on November 17 and locked the attacker out before contacting law investigation and launching their investigation with the help of an unnamed IT forensic firm. 

GoDaddy says that their “investigation is ongoing, and we are contacting all impacted customers directly with specific details.” However, the company has been somewhat vague in its description of the attack so far.

In the News: MediaTek announces the Dimensity 9000, its most powerful SoC yet

Another bug in the closet?

While the intrusion may have been detected on November 17, an initial investigation has revealed that the attacker had access to the data since September 6. According to the filed disclosure, the following customer information has been leaked.

  • Up to 1.2 million active and inactive Managed Wordpress users’ email addresses and customer numbers.
  • Original Wordpress admin password set up at the time of provisioning the site. 
  • sFTP and database credentials for active users.
  • SSL private keys for a subset of active customers. 

As mentioned before, there have been no details on how the hack actually took place except that the attacker gained access to GoDaddy’s provisioning system in their legacy code base for Managed WordPress using a compromised password.

How this password was compromised and how was the attack carried out will only become clear as the company proceeds with its investigation and publishes further details. As for the potential consequences of such a large breach, these 1.2 million email addresses could be a hunting ground for phishers and scammers.

In the News: No default end-to-end encryption for Messenger and Instagram until 2023

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: