EX-99.1
November 22, 2021
GoDaddy Announces Security Incident Affecting Managed WordPress Service
On
November 17, 2021, we discovered unauthorized third-party access to our
Managed WordPress hosting environment. Here is the background on what
happened and the steps we took, and are taking, in response:
We
identified suspicious activity in our Managed WordPress hosting
environment and immediately began an investigation with the help of an
IT forensics firm and contacted law enforcement. Using a compromised
password, an unauthorized third party accessed the provisioning system
in our legacy code base for Managed WordPress.
Upon
identifying this incident, we immediately blocked the unauthorized
third party from our system. Our investigation is ongoing, but we have
determined that, beginning on September 6, 2021, the unauthorized third
party used the vulnerability to gain access to the following customer
information:
•Up
to 1.2 million active and inactive Managed WordPress customers had
their email address and customer number exposed. The exposure of email
addresses presents risk of phishing attacks.
•The
original WordPress Admin password that was set at the time of
provisioning was exposed. If those credentials were still in use, we
reset those passwords.
•For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
•For
a subset of active customers, the SSL private key was exposed. We are
in the process of issuing and installing new certificates for those
customers.
Our
investigation is ongoing and we are contacting all impacted customers
directly with specific details. Customers can also contact us via our
help center (https://www.godaddy.com/help) which includes phone numbers
based on country.
We
are sincerely sorry for this incident and the concern it causes for our
customers. We, GoDaddy leadership and employees, take our
responsibility to protect our customers’ data very seriously and never
want to let them down. We will learn from this incident and are already
taking steps to strengthen our provisioning system with additional
layers of protection.
Demetrius Comes
Chief Information Security Officer
Forward-Looking Statements
This
blog post contains forward-looking statements regarding GoDaddy Inc.
(“we,” “GoDaddy,” or the “Company”) which are subject to the safe harbor
provisions of the Private Securities Litigation Reform Act of 1995,
including our efforts to investigate and remediate the security incident
and our attempts to identify and notify affected customers and
implement additional security measures. Our forward-looking statements
are based on information known to us at the time of this blog post and
are subject to a number of known and unknown risks, uncertainties and
assumptions that may cause our actual future results, performance, or
achievements to differ materially from any future results expressed or
implied in this blog post. Factors that contribute to the uncertain
nature of our forward-looking statements include, among others, our
ongoing investigation of the incident; our vulnerability to additional
security incidents; adverse legal, reputational and financial effects on
the Company resulting from the incident or
additional
security incidents, including regulatory inquiries; and potential
operational disruptions as a result of the incident. Because some of
these risks and uncertainties cannot be predicted or quantified and some
are beyond our control, you should not rely on our forward-looking
statements as predictions of future events. Additional risks and
uncertainties that could affect GoDaddy’s business and financial results
are included in the filings we make with the Securities and Exchange
Commission (“SEC”) from time to time, including those described in “Risk
Factors” in our Quarterly Report on Form 10-Q for the quarter ended
September 30, 2021 as well as those described in “Management’s
Discussion and Analysis of Financial Condition and Results of
Operations” in our Annual Report on From 10-K for the year ended
December 31, 2020 and in our Quarterly Report on Form 10-Q for the
quarter ended September 30, 2021, which are available on GoDaddy's
website at https://investors.godaddy.net and on the SEC's website at
www.sec.gov. Additional information will also be set forth in other
filings that GoDaddy makes with the SEC from time to time. All
forward-looking statements in this blog post are based on information
available to GoDaddy as of the date hereof. GoDaddy does not assume any
obligation to update the forward-looking statements provided to reflect
events that occur or circumstances that exist after the date on which
they were made.
Source:
https://www.sec.gov/Archives/edgar/data/1609711/000160971121000122/gddyblogpostnov222021.htm
No comments:
Post a Comment