A major cybersecurity incident linked to GoDaddy has widened in scope, affecting six additional web hosting companies that resell its Managed WordPress services. The breach, which initially exposed the personal and technical data of approximately 1.2 million GoDaddy customers, has now extended to platforms including 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost.
According to reporting by Search Engine Journal, all six companies operate as resellers of GoDaddy’s Managed WordPress hosting infrastructure. As a result, vulnerabilities within GoDaddy’s systems also impacted customers hosted under these associated brands.
What Data Was Compromised
The attack specifically targeted Managed WordPress accounts. Affected customers experienced exposure of highly sensitive information, including registered email addresses, customer identification numbers, WordPress administrator passwords, sFTP and database usernames and passwords, and in some cases, SSL private keys. This level of access significantly raises the risk of unauthorized website control, data theft, and follow-on phishing attacks.
Several customers of the affected hosting providers reported receiving breach notification emails closely resembling those sent earlier by GoDaddy. These communications confirmed that both active and inactive Managed WordPress users were impacted.
Confirmation From GoDaddy and Wordfence
The spread of the breach was confirmed by Wordfence, a leading WordPress security plugin provider. Wordfence published an official statement attributed to Dan Rice, GoDaddy’s Vice President of Corporate Communications, outlining the scope of the incident.
Rice stated that only brands reselling GoDaddy Managed WordPress services were affected and emphasized that the number of impacted users was relatively small. He also confirmed that no other GoDaddy brands were involved and that all affected companies had already contacted their customers with detailed guidance and recommended security actions.
Timeline of the Intrusion
Investigations revealed that the unauthorized access began as early as September 6, giving attackers an extended window to exploit compromised credentials and data. Despite this lengthy exposure period, GoDaddy has not disclosed evidence showing how the stolen information has been actively used, leaving customers uncertain about potential downstream consequences.
What Affected Customers Should Do
Customers of the impacted web hosts are strongly advised to remain vigilant. This includes treating unexpected emails with caution, resetting passwords across WordPress, hosting, database, and FTP accounts, and regenerating SSL certificates where applicable. Monitoring websites for suspicious changes and enabling additional security measures such as two-factor authentication can further reduce risk.
If a customer believes their account may have been compromised but has not received official communication, contacting their web host directly is recommended to confirm account status and ensure all protective steps have been taken.
While the affected companies continue remediation efforts, this incident underscores the broader risks associated with shared hosting infrastructure and the importance of proactive cybersecurity hygiene across all web platforms.
