23 November 2021

Security breach exposed data of over a million GoDaddy WordPress customers


Internet domain registrar and web hosting company GoDaddy has admitted it suffered a data breach that affected 1.2 million of its customers.

In a document filed with the U.S. Securities and Exchange Commission, the web hosting giant said that on November 17, 2021 it became aware that hackers compromised its Managed WordPress hosting environment and gained access to customers’ data, including:

  • Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.

  • The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.

  • For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.

  • For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

GoDaddy explained that the intruders obtained access to the provisioning system in the legacy code base for Managed WordPress using a compromised password.

Upon discovering the breach, the company “immediately blocked the unauthorized third party from our system.” The web registrar believes that the breach first occurred on September 6th, 2021. It said that the investigation is currently ongoing, and that it is contacting the affected customers directly with specific details.

