GoDaddy, which is also a big domain registrar, said in a statement issued by chief information security officer Demetrius Comes to the US Securities and Exchange Commission, that the breach had been discovered on 17 November.
"We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement," Comes said.
"Using a compromised password, an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress."
He added: "Our investigation is ongoing, but we have determined that, beginning on 6 September 2021, the unauthorised third party used the vulnerability to gain access to the following customer information:
"Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
"The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
"For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
"For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers."
Commenting on the incident, Ev Kontsevoy, chief executive of remote login technology vendor Teleport, said: "[The] breach reported by GoDaddy, unfortunately, is destined to be another footnote on the ongoing list of data leaks caused by faulty password management.
"Earlier this year, we learned the hack that took down the Colonial pipeline was the result of a single compromised password. Passwords are everywhere, so eventually we're going to see them leaked, intercepted or stolen.
"Because they pose a security risk, there is no other way to say it: passwords in our infrastructure have to go. But beware — not everything that replaces a password is a better choice.
"Only relatively simple, purpose-built security devices that use public/private key crypto, and that verify presence and identity through biometrics, are a good-enough replacement for passwords today.
"From headline-catching compromises to everyday annoyances, passwords are reaching the end of their usefulness. They are simply too difficult to keep track of and keep secure.
"As an industry, we need to build responsible systems that protect user data and prevent the critical infrastructure we maintain from being used to expose or compromise such data. Removing passwords from our infrastructure is one step towards this."