Web hosting company GoDaddy announced Monday an unauthorized third party obtained the email addresses and customer numbers of up to 1.2 million users after improperly accessing its Managed WordPress hosting environment.

The bad actor utilized a compromised password to enter the system and gain access to customer information. GoDaddy said the breach began Sept. 6 and was identified by the company on Nov. 17.

“We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement,” GoDaddy Chief Information Security Officer Demetrius Comes wrote in a blog post. “… Upon identifying this incident, we immediately blocked the unauthorized third party from our system.”

Comes said the company is still investigating the breach.

The affected group includes both active and inactive customers. GoDaddy said it reset passwords for active customers whose sFTP and database usernames and passwords were exposed and is installing new certificates for customers whose SSL private key was exposed.

The company did not disclose whether any further personally identifiable information or financial details were exposed. GoDaddy warned users of the risk of phishing attacks that might occur at their compromised email addresses.

“We are sincerely sorry for this incident and the concern it causes for our customers,” Comes wrote. “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

GoDaddy has experienced a handful of breaches the last several years, as attackers often target the company’s employees seeking to gain access to domain names. “When an organization experiences a cyberattack, it can signal a lack of proper security controls and policies, making the organization an even more appealing target for cybercriminals,” said Matt Sanders, director of security at security intelligence company LogRhythm.

Robert Prigge, CEO of online mobile payments and identity verification company Jumio, noted the GoDaddy breach underscores the flaws of relying on credentials to authenticate users.

“With user email addresses, credentials for WordPress databases, and SSL private keys exposed in this breach, cybercriminals have everything they need to conduct phishing attacks or impersonate customers’ services and websites,” Prigge said. “Resetting passwords and private keys is simply not enough to protect the 1.2 million users affected by this breach.”