Credential theft
GoDaddy WordPress Managed Hosting Breach (1.2M Customers, SSL Keys Exposed)
Incident Details
On September 6, 2021, an attacker used a compromised password to access GoDaddy’s Managed WordPress hosting provisioning system, where they maintained access for over two months before being detected on November 17, 2021. GoDaddy filed an SEC 8-K disclosing the breach on November 22. Approximately 1.2 million active and inactive Managed WordPress customer accounts were affected. Exposed data included email addresses, sFTP (Secure FTP) credentials, database usernames and passwords, and SSL private keys for active customers; the SSL private keys effectively allowed the attacker to impersonate any affected customer’s website. GoDaddy reset all sFTP passwords and database credentials, and reissued SSL certificates. The exposure of SSL private keys was particularly severe, as it could enable man-in-the-middle attacks against website visitors even after the credentials were rotated, until affected certificates expired or were reissued across the ecosystem.
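The following is an added example, not code from GoDaddy or from the original page, showing how a site owner could audit a certificate inventory against the access window described above. It goes slightly beyond the summary by also checking revocation and key reuse on reissue, since an unrevoked certificate stays trusted until it expires and a reissued certificate that keeps the old key pair still vouches for exposed key material. The inventory fields, serials and key hashes are constructed, and treating any key with a certificate valid during the window as exposed is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ACCESS_START = date(2021, 9, 6)    # first attacker access, per the summary
DETECTED = date(2021, 11, 17)      # detection date, per the summary

@dataclass(frozen=True)
class Cert:
    serial: str                    # constructed identifiers below
    spki_sha256: str               # public-key hash; same value means same key pair
    not_before: date
    not_after: date
    revoked_on: Optional[date] = None

def exposed_keys(certs):
    """Assumption: a key is exposed if a cert for it was valid in the access window."""
    return {c.spki_sha256 for c in certs
            if c.not_before <= DETECTED and c.not_after >= ACCESS_START}

def audit(certs, today):
    """Return (serial, reason) for each cert that still vouches for an exposed key."""
    bad = exposed_keys(certs)
    findings = []
    for c in certs:
        revoked = c.revoked_on is not None and c.revoked_on <= today
        if c.spki_sha256 not in bad or c.not_after < today or revoked:
            continue
        reason = ("reissued with exposed key" if c.not_before > DETECTED
                  else "pre-detection cert still trusted")
        findings.append((c.serial, reason))
    return findings

# Constructed inventory for illustration; not data from the incident.
SAMPLE = [
    Cert("A1", "K1", date(2021, 3, 1), date(2022, 3, 1), revoked_on=date(2021, 11, 23)),
    Cert("A2", "K2", date(2021, 11, 23), date(2022, 11, 23)),   # new key: clean
    Cert("B1", "K3", date(2021, 6, 10), date(2022, 6, 10)),     # never revoked
    Cert("B2", "K3", date(2021, 11, 24), date(2022, 11, 24)),   # reissue, same key
    Cert("C1", "K4", date(2020, 8, 1), date(2021, 8, 31)),      # expired before window
]

if __name__ == "__main__":
    for serial, reason in audit(SAMPLE, today=date(2021, 12, 15)):
        print(serial, reason)
```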
Technical Details
- Initial Attack Vector: Attacker used a compromised password to gain access to GoDaddy's Managed WordPress provisioning system; the password granted access since at least September 6, 2021, giving the attacker 2+ months of undetected access
- Vendor / Product: GoDaddy Managed WordPress
Timeline
- 2021-09-06 Breach occurred
- 2021-11-22 Publicly disclosed
- 2021-11-22 Customers notified