Wanted to provide some answers to your questions from comment 5:
Complete certificate data for all affected certificates
We are expecting to post this by the end of the week.
Describe the role of the provisioning system and its relationship with the CA and/or other PKI components
The provisioning system is part of the Managed WordPress hosting environment and acts as a consumer of certificates from the GoDaddy CA by making certificate requests and receiving issued certificates from the GoDaddy CA for Managed WordPress hosting customers. It is logically and physically separate from the GoDaddy CA.
The maximum level of access or functional privilege the unauthorized third party could have exercised through the attack, especially concerning the issuing CA or other PKI components (e.g., could the adversary use their access to request new certificates, perform certificate management functions, remotely manage network-attached HSMs, etc.?)
The compromised credentials were not ones that would have been used in conjunction with anything PKI-related.
The detected access and activities performed by the unauthorized third party, with any implication for the issuing CA or other PKI components
The CA environment, issuing CAs, and the general PKI environment were not impacted and could not have been impacted by the credentials obtained as mentioned above.
Whether the compromised account and password also existed on the issuing CA or other PKI component.
No. We can confirm that the account and password that were compromised did not exist in the issuing CA or any other PKI components.
Can GoDaddy describe the "additional security layers on the Managed WordPress hosting environment help to minimize the exposure risk" in more detail?
For security reasons we don't disclose the measures we have taken in detail; however, we can confirm that we have added access hardening to the previously exposed API endpoint.
What evidence can GoDaddy offer supporting the conclusion that subscriber private keys were not the target of the breach?
To date, we've seen instances of SEO poisoning ("Blackhat SEO"). We have no other reason to believe that subscriber keys were the target.
Is there any evidence to refute the assumption that the adversary exfiltrated subscriber private keys?
It is possible that the adversary had access to private keys; however, there is no evidence to suggest they were after these specifically. To date, we've only seen instances of SEO poisoning.
One thing that may be noteworthy, related to our formal incident report: we will be amending our previously provided issue summary to measure against the 24-hour revocation timeline within the BRs. Namely, subscriber certificates were not revoked within 24 hours of key compromise, which is a violation of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Section 22.214.171.124 "Reasons for Revoking a Subscriber Certificate", which states that "the CA SHALL revoke a Certificate within 24 hours if the CA obtains evidence that the Subscriber's Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise".
We will continue providing updates, working toward the full incident report, and monitoring for questions. Hope this helps in the meantime.