Web hosting giant GoDaddy confirms that it has suffered a data breach, which has affected about 1.2 million of its active and inactive Managed WordPress customers, according to an 8-K filing with the U.S. Securities and Exchange Commission. As a precaution, the company has reset passwords for customers who remained exposed.

“On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment,” says Demetrius Comes, chief information security officer and vice president of engineering at GoDaddy, in a blog post published by the company on Monday.

Although the investigation is ongoing, Comes says that an initial probe, carried out by an IT forensics firm and other law enforcement authorities, determined that the threat actor first gained access on Sept. 6, 2021, through an unnamed vulnerability. The threat actor(s) further leveraged a compromised password and accessed the provisioning system in the legacy code base of GoDaddy for Managed WordPress environment, he says.

Read more at GoDaddy Confirms Breach Affects 1.2 Million Customers