Data leak

GoDaddy Managed WordPress Hosting Breach — 1.2 Million Customers

📅 2021-09-06 🏢 GoDaddy Managed WordPress hosting infrastructure

Incident Details

On 6 September 2021, an unauthorized actor used a compromised password to access GoDaddy’s Managed WordPress hosting provisioning system. GoDaddy is the world’s largest domain registrar and web hosting company, serving over 20 million customers globally. The breach affected approximately 1.2 million active and inactive Managed WordPress customers. Exposed data included: email addresses and customer numbers for 1.2 million customers; original WordPress admin passwords (which were reset); sFTP and database usernames and passwords (also reset); SSL private keys for a subset of active customers (reissued). GoDaddy discovered the breach on 17 November 2021 — over two months after initial access on 6 September — and disclosed it on 22 November 2021 in an SEC filing. The breach was GoDaddy’s fourth known security incident in two years (following breaches in 2019, 2020, and March 2020 when 28,000 customers’ hosting accounts were accessed). In a 2023 SEC filing, GoDaddy revealed that the November 2021 breach was connected to a multi-year campaign by a sophisticated threat actor group: the same attackers had previously breached GoDaddy in March 2020 and again in 2022, and had installed malware on GoDaddy’s servers to redirect customer websites. GoDaddy stated in 2023 that it believed the attacker’s ultimate goal was to infect customer websites with malware for phishing campaigns.

Technical Details

Initial Attack Vector
An unauthorized third party used a compromised password to gain access to GoDaddy's Managed WordPress hosting environment's provisioning system in their legacy codebase
Vendor / Product
GoDaddy Managed WordPress hosting infrastructure

Timeline

  1. 2021-09-06 Breach occurred
  2. 2021-11-22 Publicly disclosed
  3. 2021-11-22 Customers notified