GoDaddy's 1.2 Million-Customer Breach Is a Managed Hosting Nightmare
GoDaddy disclosed a breach exposing sFTP, database, and even SSL private key credentials for up to 1.2 million Managed WordPress customers.
GoDaddy dropped a rough disclosure yesterday: an unauthorized party got into its Managed WordPress hosting environment using a compromised password, and the exposure touches up to 1.2 million active and inactive customers. That’s not a small leak of email addresses — the attacker had access to sFTP and database credentials, and for some customers, SSL private keys too.
Let that sink in for a second. sFTP and database credentials mean someone could, in principle, read or modify site files and site data. SSL private keys are a different category of bad — if those were exfiltrated, an attacker could potentially impersonate the affected sites in a man-in-the-middle scenario, or at minimum the certs need to be treated as burned and reissued. GoDaddy says it’s in the process of issuing and installing new certs for the customers affected, which is the right move, but it’s also a logistical scramble at scale.
The detail that’s going to get the most attention, though, is the timeline. GoDaddy says the intrusion had been sitting there undetected since September 6, 2021. That’s over two and a half months of unauthorized access before anyone noticed. For a hosting provider whose entire pitch is “let us handle the infrastructure so you don’t have to worry about it,” a multi-month blind spot in your own environment is a hard thing to explain away.
What this means if you’re a Managed WordPress customer on GoDaddy right now:
- Rotate your sFTP and database passwords immediately, don’t wait for GoDaddy to force it.
- Check whether your site had a unique WordPress admin password set at install — if it was using GoDaddy’s default, treat it as compromised and change it now.
- If you handle sensitive data on your site (logins, payment info, anything regulated), start thinking about breach notification obligations on your end too, since GoDaddy’s disclosure to you doesn’t automatically satisfy your own downstream requirements to your users.
Managed hosting is supposed to be the low-effort option — you’re trading control for someone else’s security team doing the work. When that security team misses a live intrusion for over two months, it undercuts the whole value proposition. I’d expect this to get scrutiny beyond the usual “here’s your breach notification email” cycle, especially from anyone hosting client sites through GoDaddy’s reseller programs, where one compromised account can cascade into dozens of affected businesses that never had a direct relationship with GoDaddy at all.
We’ll see how many additional details come out as security researchers and affected customers start comparing notes. For now: rotate credentials first, ask questions later.