A poster at WordPress.org posted the following “official” response from GoDaddy (although I was unable to find this on their site):
Timeline of Events:
April 7: Database injections are identified on our WordPress hosted accounts.Actions: websites are scanned and cleaned and steps are commenced to contain the issue.
April 16: Additional malicious code appears on customers’ website files.Actions: operations team continues to run scans that identify code and clean customer websites.
April: 18-24: The criminals dynamically inject code on customers’ websites and change signatures each time. The criminals add viruses and/or malware to customers’ sites.Actions: security and network experts work to contain the infections and prevent additional issues.
April 25-present: Security and network teams confirm that security measures continue to contain the malicious code.
Ongoing: We continue to monitor and implement additional measures as needed to protect our customers. Customers who have not logged in to their sites for at least three weeks are now reporting infections and are being escalated to technical services. The security team confirmed that these are not new cases of infections.