As if the problem that GoDaddy disclosed of compromised passwords for sFTP, database and WordPress admin for up to 1.2 million users (likely significantly more than 1.2 million web sites because many users own more than one web site) isn’t bad enough, it just got much worse.

Readers of yesterday’s blog post probably figured they were in the clear if their WordPress web sites were NOT hosted by GoDaddy, but it turns out that this is not the only brand to worry about.

It turns out that GoDaddy private labels their service under a URL that starts with htttps://myh.secureserver.net and there are a number of other brands that use their infrastructure. These brands were acquired by GoDaddy between 2013 and 2017.

The affected brands (at least as of today) are:

Copies of the breach notice sent by these brands can be found at the WordFence alert site.

While we do not know, yet, if this increases the total number of users affected, if you were assuming you were safe because your WordPress site was not hosted under the GoDaddy brand, that may not be accurate; you may be affected.

Credit: Wordfence