Web hosting giant GoDaddy has reported a data breach, and warns that data on 1.2 million customers may have been accessed.
In a filing with the Securities and Exchange Commission, GoDaddy’s chief information security officer Demetrius Comes said the company detected unauthorized access to its systems where it hosts and manages its customers’ WordPress servers. WordPress is a web-based content management system used by millions to set up blogs or websites. GoDaddy lets customers host their own WordPress installs on their servers.
GoDaddy said the unauthorized person used a compromised password to get access to GoDaddy’s systems around September 6. GoDaddy said it discovered the breach last week on November 17. It’s not clear if the compromised password was protected with two-factor authentication.
The filing said that the breach affects 1.2 million active and inactive managed WordPress users, who had their email addresses and customer numbers exposed. GoDaddy said this exposure could put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password created when WordPress was first installed, which could be used to access a customer’s WordPress server, was also exposed.
The company said that active customers had their sFTP credentials (for file transfers), and the usernames and passwords for their WordPress databases, which store all the user’s content, exposed in the breach. In some cases, the customer’s SSL (HTTPS) private key was exposed, which if abused could allow an attacker to impersonate a customer’s website or services.
GoDaddy said it’s reset customer WordPress passwords and private keys, and is in the process of issuing new SSL certificates.
The web host has more than 20 million customers worldwide. Dan Race, a spokesperson for GoDaddy, declined to comment citing the company’s ongoing investigation.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Read more:
- Hostinger says data breach may affect 14 million customers
- Web host Epik was warned of a critical security flaw weeks before it was hacked
- Some of the biggest web hosting sites were vulnerable to simple account takeover hacks
Updated with a decline to comment from GoDaddy.
