GoDaddy is a domain registrar with high name recognition because of their aggressive advertising and large presence. Every internet service has both fans and haters, and there is no shortage of stories on the web about bad experiences. I moved my domains to GoDaddy a few years ago mainly for the lower costs compared to my previous registrar, and I learned to ignore and work around the confusing website and persistent upsell ads. The bottom-level customer service staff seemed helpful enough and things worked OK for those years while nothing out of the ordinary occurred.

Many of the horror stories I had run across involved problems with fraud and theft, and I took them with a grain of salt, without any expectation that such situations would ever happen to me. Well, they did, and here’s my GoDaddy story.

I’m not a “domain professional” and only have a few domains for my own use and friends I help out. I have only 23 domains, more than many people but far fewer than others. I’m a tech professional and a hobby geek and have more domains than I really need, but they are mine and I depend on several of them. One day in early November 2013 one of the apps I always have open on my desktop lost its connection to one of my servers and could not reconnect. When I investigated I found that the domain name was not resolving. I checked my nameservers and found no problem there, so I went to my GoDaddy account and discovered I could not log in.

I tried GoDaddy’s “forgot password” feature even though I knew I had my correct password, and the verification process failed: my GoDaddy PIN was not accepted. I called the support line and the support person said I had the wrong PIN and my email address did not match the account contact information. As alternate verification, I gave the last 6 digits of the credit card I used for the last purchase I made. They accepted that as good enough to restore my login access to my account.

When I logged in, I found that my contact information had been changed: the email address was an unfamiliar @yahoo.com address and the PIN was not mine. This is the first time I realized that the PIN field that is normally hidden as **** had a button next to it that will show the hidden PIN. You need to know the current PIN to change the PIN, so anybody who manages to log in can change the PIN as well as the email address, which will make them the authorized person as far as GoDaddy is concerned. Somebody had done exactly that to my account.

I have no idea who or how they gained access to my GoDaddy account. I do not use the same password for multiple sites and the password was relatively strong with more than 8 characters, no dictionary words, mixed case and numbers. Still, it happened somehow; for all I know some vulnerability in GoDaddy’s system was exploited and not my actual password. It’s hard to speculate and impossible to know.

Once I was back into my account, I discovered the damage. Not only had my contact and verification info been changed, all my domains were missing, and dozens of random domains were there instead. The thieves had not only stolen my domains by transferring them to another GoDaddy account, they had used the credit card on file in my account to purchase almost a thousand dollars’ worth of random spammy-looking domain names. This had all occurred within the past few hours.

I reported the situation to the GoDaddy support staff on the phone, and they were able to cancel all the purchases and told me that this was obviously fraudulent activity and they would probably have my domains restored to my account within the next 3 hours. This all seemed reasonable to me and although I was upset at the situation, I wasn’t panicked and was expecting everything to return to normal shortly.

I called GoDaddy support a few hours later to see what the status was; I had not heard anything and my domains were still not in my account. This time I was told that I had to submit requests for the domains to be restored, which was not what I was told previously. I asked for instructions and was given a GoDaddy email address to send a list of the domains that I wanted transferred back to my account. I complied and waited. The next day I received an email that the department I emailed could only handle domains that were transferred to another registrar, and all mine were still with GoDaddy.

I was then told to use the Change Request form, which is accessed from the “forgot password” link. I used this form several times over the next few days, following the instructions I was given at each step. I would submit the form, wait a day for an email reply that requested more or different information, reply with the requested info, and it went in circles like that for weeks as they requested documents that I did not have or that took time to get from government agencies. The problem was that there were minor differences in my registrant records, and they wanted business licenses that matched exactly all the registrant info, which in many cases simply did not exist and in a few cases never had. This is where my own fault really came into play: I was ignorant of the fact that the organization contact takes absolute precedence over the administrative contact, so if the organization name is not blank, the only identity documentation they will accept is a government-issued license that exactly matches the organization contact info.

I had never been asked for this documentation before, and I was not requesting any changes to the registrant info, only a return to my account. The thieves hadn’t needed to provide any of this documentation to move my domains out of my account, so I didn’t think I should have to provide it to move them back, but I had no choice. I had business licenses for some of the names but not all. Some were branding names only, without business licenses since none was needed. Some were names I have used for over 15 years but had no legal documents at all for. This was my error: I didn’t think that was important when it was. These were personal domains I had been using for a long time.

Over the next 2 months I created legal businesses with tax licenses and paid government fees to provide GoDaddy with all the legal documentation they requested of me. It was a huge pain in the ass, and on top of all this I was very lucky that the thieves never changed the registrant information on any of the domains. All my documentation was for the purpose of matching the registrant records, which can be changed from the GoDaddy account easily. I was expecting that to happen at any time and scared that the delays in getting documents from the government would result in losing the domains permanently if the registrant info was changed to something I could not possibly provide documents for. I still have no idea why the thieves didn’t do that; it would have made it impossible or near enough for me to succeed in my efforts.

In the meantime, the nameserver settings for most of my domains were changed. That’s what called my attention to the stolen domains in the first place, when a domain stopped resolving. Suddenly I had to worry about traffic to my domains going somewhere I didn’t control, somebody else being able to receive all email for my domains, etc. I had to change the contact info for every business and website that used a stolen domain, else the thieves could see incoming email, know where I had accounts, and use “forgot password” mechanisms to change passwords and gain control of things like bank accounts. I watched the nameservers every day for MX records to appear that would direct my email traffic to a server where they could receive my email, and changed everything I could as quickly as I could. For somebody with an active online life using some of these domains for over a decade, it’s a huge job to change email addresses. Even worse is explaining to family and friends that they have to do the same, because the domain you’ve been managing for them was stolen. But it had to be done.
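The daily check described above (watching for changed nameservers and for MX records appearing) can be automated by diffing DNS snapshots against a trusted baseline. The following Python is an added example, not part of the original post; it parses `dig +noall +answer`-style lines, and every domain name, record and alert label in it is constructed for illustration.

```python
# Added example: flag nameserver changes and newly appearing MX records by
# diffing `dig +noall +answer`-style snapshots. All records are constructed.

BASELINE = """\
example.org. 3600 IN NS ns1.myhost.example.
example.org. 3600 IN NS ns2.myhost.example.
example.org. 3600 IN MX 10 mail.myhost.example.
"""

# Day 1: nameservers replaced, web record only, no MX (mail goes nowhere).
DAY1 = """\
example.org. 3600 IN NS ns1.parking.example.
example.org. 3600 IN NS ns2.parking.example.
example.org. 300 IN A 192.0.2.10
"""

# Day 2: an MX appears on the foreign nameservers (mail can now be received).
DAY2 = DAY1 + "example.org. 300 IN MX 5 mx.parking.example.\n"


def parse_answers(text):
    """Return {rtype: set(rdata)} from answer lines; TTLs are ignored."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # skip blank lines, ';;' comments and malformed lines
        rtype = fields[3].upper()
        rdata = fields[-1].lower().rstrip(".")  # for MX: host, not preference
        records.setdefault(rtype, set()).add(rdata)
    return records


def check(baseline, observed):
    """Compare an observed snapshot with the trusted baseline; return alerts."""
    base, obs = parse_answers(baseline), parse_answers(observed)
    alerts = []
    base_ns, obs_ns = base.get("NS", set()), obs.get("NS", set())
    if obs_ns != base_ns:
        alerts.append(("NS_CHANGED", sorted(obs_ns - base_ns)))
    new_mx = obs.get("MX", set()) - base.get("MX", set())
    if new_mx:  # mail is now routed to a host that was never in the baseline
        alerts.append(("MX_FOREIGN", sorted(new_mx)))
    elif base.get("MX") and not obs.get("MX"):
        alerts.append(("MX_MISSING", sorted(base["MX"])))
    return alerts


if __name__ == "__main__":
    for name, snap in (("day1", DAY1), ("day2", DAY2)):
        print(name, check(BASELINE, snap))
```

`MX_MISSING` corresponds to the state where mail simply goes nowhere, while `MX_FOREIGN` is the case being watched for, where password-reset mail for accounts tied to the domain becomes readable by whoever controls the new nameservers.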

Again, I was extremely lucky. The thieves never changed the registrant records, so I was able to eventually provide the proof requested by GoDaddy for all the domains. The thieves also only set up DNS records for web traffic and never created any MX records for mail, so all email to the domains simply went nowhere for the duration of the situation. A few of the domains never even had nameserver changes and operated normally throughout the situation, but I had to act anyway at the time since they were not under my control. I had to create new domains, set up new mail and web servers, change email and passwords on hundreds of services, and pay a lot of money and time to get government licenses for businesses that don’t actually exist, just for the purpose of matching my organizational contact info. That was my biggest mistake: not having sufficient documentation on hand that matched my registrant information. That’s what contributed to the longest delays.

As soon as I regained control of my domains, I changed the registrant information so I will never have such a problem again. However, during this process I found several gaping holes in GoDaddy’s security processes, as well as in their support processes, that created this situation in the first place and made it much worse to resolve than it should have been. GoDaddy’s processes made it easier to steal my domains than to restore them, even though it was clear that I was a victim of fraudulent activity. I discovered there is no way to talk to a live person in the department that does these transfers, and all communication is painfully slow by email. If I had not been lucky about the thieves not changing registrant information or registrars, I’m not sure I would have succeeded at all. Not only can a thief change my email contact and PIN without any notification at all to me, they can then change the registrant records so that any documentation I had would no longer match. Also, I regained control of my domains by registering forms with my local government to create matching documentation; what is to stop a thief from doing the same or faking it? I found GoDaddy’s processes very much lacking and decided that I would change registrars as soon as I could.

After changing registrant information, a 60-day lock is placed on a domain, so I had a couple months to research and shop for a new registrar. I wanted low prices, high security, and no bullshit, with a reputation for common sense and excellent customer service. The registrars that kept floating near the top of the list were Gandi, Hover, and NameCheap. I found NameSilo, which is a bit younger but ticked all the feature boxes for me, whereas the others all had at least one drawback in price or service. Gandi looks like great service, but pretty much retail pricing. Hover has an average mix of price and services. NameCheap has discounted base pricing but security and privacy are add-ons. NameSilo has even lower pricing, security and privacy are included, and it comes out ahead of the others for me.

I did a test transfer of 3 domains to NameSilo and it was fast and easy. So I transferred the bulk of the others as well, also fast and easy. All my domains transferred in under an hour and are protected by PrivacyGuard, and I can enable their free DomainDefender feature that adds an extra security layer to my account designed to protect it from exactly the type of theft that happened to me at GoDaddy. I’m also paying less than GoDaddy and don’t have to hunt down stupid promo codes any more or deal with the constant GoDaddy upsell spam.

That’s my GoDaddy story. Goodbye GoDaddy, I won’t miss you.