According to GoDaddy, "Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress." Once the company detected it, they blocked access and cooperated with investigators.
Up to 1.2 million customers who use WordPress' own hosting for their WordPress-based sites had their e-mails and customer numbers exposed.
Customers using GoDaddy's sFTP and database environments had their usernames and passwords exposed.
A very small number of users had their SSL private keys exposed as well. Go Daddy has reset all passwords and keys impacted.