GoDaddy Data Breach

Company: GoDaddy
Breach Date: September 6, 2021
Disclosure Date: November 22, 2021
Records Affected: 1.2 million

In November 2021, GoDaddy disclosed a data breach affecting approximately 1.2 million customers of its Managed WordPress hosting service. The attacker had access to the environment for over two months before detection, compromising credentials, SSL certificates, and database access.

What Happened

GoDaddy discovered on November 17, 2021, that an unauthorized party had gained access to its Managed WordPress hosting environment using a compromised password. The attacker had access since at least September 6, 2021. The breach exposed email addresses and customer numbers for 1.2 million active and inactive Managed WordPress customers, the original WordPress Admin passwords set at provisioning, sFTP and database credentials, and SSL private keys for a subset of active customers. GoDaddy later revealed this was part of a multi-year campaign, with related incidents occurring in 2020 and 2023 involving the same threat actors.

What Data Was Exposed

  • Email addresses
  • Customer numbers
  • WordPress Admin passwords (set at provisioning)
  • sFTP and database usernames and passwords
  • SSL private keys for a subset of active customers

Who Is Affected

Approximately 1.2 million active and inactive GoDaddy Managed WordPress hosting customers were affected. Website owners who used GoDaddy's Managed WordPress service had their hosting credentials and SSL certificates compromised, potentially allowing attackers to access or impersonate their websites.

How to Check If You Were Affected

GoDaddy contacted affected customers directly via email. If you used GoDaddy's Managed WordPress hosting service, check your email for breach notifications. Log into your GoDaddy account and review your hosting products. Even if you did not receive a notification, changing your hosting credentials is a prudent step.

What You Should Do Now

Last updated: February 10, 2026