GoDaddy customer claims registrar transferred 27-year-old domain without any security checks
- Reference: 1777456809
- News link: https://www.theregister.co.uk/2026/04/29/godaddy_megagaffe_wrongly_transferred_27yearold/
- Source link:
The sensational allegations come from Lee Landis, a partner at Pennsylvania IT shop Flagstream Technologies, who claims one of his client's domains "vanished" from the company's GoDaddy account without notice.
This, said Landis, meant the client lost access to its website and email accounts throughout the ordeal. The security implications of this include potentially losing access to account recovery mechanisms, MFA codes, company impersonation, [1]business email compromise (BEC) schemes, and all manner of other possibilities.
[2]
The client wanted to remain anonymous, but was described as an American non-profit that operated 20 locations across the country.
[3]
[4]
According to a [5]writeup penned by Landis' friend Austin Ginder, who owns Anchor Hosting, it took just four minutes for the domain takeover process to be approved. However, it left Landis' client with four days of downtime, during which time staff resorted to using personal email addresses and SMS messages to keep stakeholders informed about progress, as numerous fundraising events were scheduled for the following days.
"Lee is one of the most competent IT guys I know," Ginder wrote. "The GoDaddy account had dual two-factor authentication enabled, requiring both an email code and an authentication app code to log in. The domain itself had ownership protection turned on."
[6]
According to the logs, GoDaddy confirmed to Flagstream via email of an account recovery request being made. Three minutes later, the transfer was initiated, and it completed a minute after that. This all took place at around lunchtime on April 18, a Saturday.
The transfer was initiated only by an "internal user," the audit logs reportedly revealed, and it did not require any of the authentication methods to be completed. Ginder appeared to imply the transfer was done by an "internal user" inside GoDaddy.
Landis' calls to GoDaddy began the following day. Support staff proved unhelpful and allegedly lacked what he believed to be the necessary urgency.
[7]
Over the subsequent days, across 32 phone calls which in total lasted more than nine hours, GoDaddy support threw out various email addresses where it said Landis could try to seek a resolution. He claims instructions differed depending on which staffer at the hosting provider answered the phone.
Email conversations, of which there were 17, were never with a named individual, just generic address names, says Landis, who adds that he was asked multiple times why he thought the case was so urgent. Not once did he receive a callback from any of these email exchanges.
Landis "may have said some hurtful things to GoDaddy's support personnel," Ginder wrote.
A mountain of work and a huge stroke of luck
On the following Tuesday, four days after the transfer was completed, GoDaddy allegedly closed the case without action.
In a statement sent to Flagstream, GoDaddy said: "After investigating the domain name(s) in question, we have determined that the registrant of the domain name(s) provided the necessary documentation to initiate a change of account… GoDaddy now considers this matter closed."
The issue here is that no documentation was provided, according to both Flagstream and the woman who received ownership of the domain. Ginder refers to her as Susan, but it is not her real name.
GoDaddy denies this was the case.
Before Flagstream had to clean up this mammoth mess, Susan was trying to reclaim an old domain registered to a former employee.
Again, the specifics were changed because the nonprofit wanted to stay anonymous, but for the sake of storytelling, we'll use the two domains below as examples:
HELPNETWORKINC.ORG (Flagstream's client)
HELPNETWORKLOCAL.ORG (Susan's domain to be reclaimed)
Another important detail to understand how this transfer was botched is that Susan's email signature referenced her chapter's website at a subdomain of HELPNETWORKINC.ORG . Gilder said that GoDaddy staff most likely looked at the signature and mistakenly transferred its parent domain to Susan rather than the intended one.
Susan told Flagstream that she received a link to upload supporting documents but the link expired before she could use it, which if true would mean GoDaddy was not being accurate in its statement to Flagstream which said the submitted documentation informed the decision to approve the ownership transfer.
While all of this was taking place, Landis and the wider Flagstream team were working at pace to transfer the client over to a new domain and new email addresses, an arduous, brand-harming task, but a necessary one to get the non-profit back in business.
"It was a huge stress," Landis told The Register . "We had several guys working on this constantly, even at night. Plus, the company that hosted the website had a lot of work to do too, apart from us when we decided to set them up with a new domain."
Fortune was on Flagstream's side, however, as Susan was all too helpful after noticing she was in possession of the wrong domain.
Susan initially called the non-profit's CFO, saying she did not know what she was looking at, but knew she had to tell someone. From there, Susan worked with Flagstream to initiate an account-to-account transfer of the domain's ownership, a process Ginder said took less than five minutes, all without GoDaddy's support or oversight.
"Susan is really the hero of this entire story," Ginder wrote. "Without her, Flagstream would still have no idea what happened to this domain. Lawyers would have gotten involved, but it would probably be months until anything was resolved."
While migrating the non-profit onto a new domain, and then reverting it back after regaining access, the wider Flagstream team were contacting lawyers to discuss their options for recovering the domain through the courts.
Landis told The Register he was confident this route would have worked, but it could have taken months, and that length of downtime was simply unacceptable for any organization.
Flagstream is still in conversation with lawyers so the team can prepare itself should they ever have to face a similar situation in the future.
Security nightmare
Not only was it a stroke of good luck that Susan was helpful in reversing GoDaddy's error, but she was not someone with malign intent who with her newfound access could have carried out a range of attacks. Phishing and BEC are two of the more impactful possibilities, not to mention the opportunity for 27 years' worth of data theft.
[8]Cloudflare, GoDaddy team up to curb AI bot brigades
[9]DNS security is important but DNSSEC may be a failed experiment
[10]Claims assistance firm fined for cold-calling people who put themselves on opt-out list
[11]GoDaddy slapped with wet lettuce for years of lax security and 'several major breaches'
Landis told us that throughout the episode, the primary concern was that the client's domain was in control of someone who could weaponize the situation.
"Our huge concern was that a bad actor had this domain because that would be a huge security risk. Since we no longer had control of the domain, there was nothing that we could do to stop this individual if they were a bad actor."
While managing GoDaddy's support, Flagstream worked with its client on ways to mitigate the attacks they anticipated following the transfer, including disconnecting company email addresses from all accounts, from banking and payroll to [12]Amazon and [13]Dropbox .
Landis told us that at the time of writing, GoDaddy had still not contacted him nor Flagstream to address the matter. And when they tried to report the issues to GoDaddy's security team via email, the email bounced.
Asked whether Flagstream will continue with GoDaddy, Landis said the IT shop is evaluating its options.
"Most likely we will probably leave because we can't afford the risk of having other domains disappear. It will be a hassle to transfer our hundreds of domains, but it will be less of a hassle than what happened this last week."
Fear is all that lingers
The Register spoke to the nonprofit affected by GoDaddy's domain transfer on condition of anonymity.
The CEO told us that technically, operations are entirely business-as-usual, though some staff remain fearful of clicking the wrong button and triggering a repeat of April's IT calamity.
"A number of our staff – we have a lot of social workers, and some of them are just not, maybe as tech-savvy as our administrative team – they were becoming fearful about touching anything," the CEO told The Register .
"I mean, even this morning I'm having issues, as everything gets back, and people are needing to log back into their [14]OneDrive , and all these little kind of details, but there's a relief that even though this is taking extra time from my day, at least we know we have recovered the domain."
The Register contacted GoDaddy for a response. It acknowledged the request, and told us it was investigating.
It did not deny the story, but disagreed with the assertion that it had authorized the transfer without the necessary documentation and approval.
"While we cannot comment on specific customer accounts, we have reviewed our protocols, and confirmed that we received proper documentation and authorization, and our standard operating procedures were followed," a GoDaddy spokesperson said.
"However, we are taking this opportunity to reinforce processes that help identify miscommunications between customers and representatives early, before they create downstream issues." ®
Get our [15]Tech Resources
[1] https://www.theregister.com/2026/04/07/cybercrime_losses_reach_alltime_high/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2afIrIMKcm2ngoCxtez3fqwAAAVQ&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44afIrIMKcm2ngoCxtez3fqwAAAVQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33afIrIMKcm2ngoCxtez3fqwAAAVQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://anchor.host/godaddy-gave-a-domain-to-a-stranger-without-any-documentation/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44afIrIMKcm2ngoCxtez3fqwAAAVQ&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/networks&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33afIrIMKcm2ngoCxtez3fqwAAAVQ&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2026/04/07/cloudflare_godaddy_ai_bot_blocking/
[9] https://www.theregister.com/2025/07/25/systems_approach_column_dns_security/
[10] https://www.theregister.com/2025/04/25/claims_assistance_firm_hit_with/
[11] https://www.theregister.com/2025/01/15/godaddy_ftc_order/
[12] https://www.theregister.com/2026/04/10/amazon_climate_goals/
[13] https://www.theregister.com/2025/07/30/dropbox_drops_dropbox_passwords/
[14] https://www.theregister.com/2026/02/03/microsoft_retires_sharepoint_onedrive_standalone/
[15] https://whitepapers.theregister.com/
Re: Schitzo
I did that several decades ago after they "lost" one of my domains.
I have never used them again.
Re: Schitzo
The fact that both the folks whose domain was given away by GoDaddy & the person who received the domain from GoDaddy have the same story, backed up by the receiver proactively contacting the original domain holder in an effort to give the domain back, should tell GoDaddy security that their verification & logging about documentation is inadequate, including it seems the lack of a human name in the logs associated with the transfer*. If GoDaddy's security staff doesn't get that, they should be fired for incompetence.
*"Gilder said that GoDaddy staff most likely looked at the signature and mistakenly transferred its parent domain to Susan rather than the intended one."
I've switched registrars twice from ones that were taken over by GoDaddy.
Currently with OVH who hopefully are too big to be taken over by them.
People miss this so much.
The second I don't get the service I expect, I'm gone. There's no "apology" or "reparation" that can cover for incompetence on this kind of scale.
I'd be moving / advising ALL my clients away from GoDaddy in this instance, and letting them know why.
Had something a bit similar with a domain and hosting provider once... got a screaming call from a client saying their website wasn't working. Turned out that the FTP site was... blank. Nothing. Empty. They'd already contacted the hosting company who had for some reason already blamed me.
Fortunately, because I have a brain, I have copies of the website, as did my client, so I was able to reupload it quite quickly, but the client was blaming me.
Got into an extended row with the host (which the client had chosen, not me) where they said I must have deleted it, or my client must have done so. Client had ZERO access to that FTP account (I'd created it and only I knew the password and used it, and the password hadn't changed). I had access but hadn't connected via FTP for weeks to any client's site by that point.
So, therefore, suspected compromise - so I asked them to provide login audits. They didn't have any (it took a long time to get that admission).
Asked them to check their backups to see when this had occurred (I knew to within about 8 hours or so already). They didn't have any.
I asked if we were the only ones affected. There was a very odd, non-commital response.
I asked them if they were doing any data migrations last night... oh, look... you were. So actually what happened was that you migrated my client's (and other client's) data, without informing them, screwed it up overnight, lost all our data, didn't notice or said nothing, and then when my client asked for an explanation you told them - on the basis of zero evidence - that it must have been me logging in and randomly deleting all the data for my best client, which only I could practically restore at great frustration and zero cost to my client.
And I had all that recorded (the only time I recorded phone conversations because it was literally serious enough that I could see my client taking action).
Client was eventually happy that it wasn't me (with the help of said recordings), and was NOT happy with the hosting provider, and - as per the above - I recommended they move hosting provider solely on that basis.
Why on earth would you stay with them after that?
Recently, my domain host which I've been used for over a decade was bought out by a large multi-national and I have had similar problems with them in the past. The second I got that email, I paid to migrate all my domains over to a new host. It cost me a couple of extra "renewals" and transfer fees (to the new host, no way I was paying the old host a penny extra!), and I had them all out. On the customer service follow-up for each domain transfer, I told them exactly why.
LOL
... at your use of the 'fire' icon in a post saying you use OVH!
(Seriously, OVH handled the fire and its consequences well, and I'm not criticising them.)
I have been using EasyDNS since I told GoDaddy what they could do with their service.
Still very happy with their service. Bonus: they're Canadian, not US :)
Mythic Beasts, for me.
Haven't found fault with them yet.
Remember 123 Reg ?
I bailed from 123 Reg when they started automatically registering associated hosted domains I owned without prior consent
As it was many years ago can't remember the exact scenario, but essentially involved them registering, unasked, linked domains e.g. xx.co.uk added xx.uk to your existing registration. It was complimentary for the first year, but thereafter was chargeable. They did send an email, but was "spun" as some marvellous benefit protecting you from someone else registering a comparable domain. Many would have overlooked the small print.
Such unethical behaviour resulted in an immediate transfer out to Mythic Beasts who are exactly the type of firm I wish to ve associated with.
Funnily enough 123 Reg are now owned by ... Go Daddy
Sharks to be avoided at all costs
My top tip to anyone thinking of registering a domain or setting up a website - avoid GoDaddy like the plague. At least nowadays the plague has a cure.
Godaddy me harder
Switch to Cloudflare. They don't try to gouge you like godaddy.
Re: Godaddy me harder
I run my own DNS servers, so use porkbun
Re: Godaddy me harder
As I said elsewhere, I switched to EasyDNS. Also because they're not US based :)
We cocked it up but we're not going to admit it.
Plausible deniability.
great advertising doesn't make great service.
Your domain is
GoneDaddy
Years ago
A woman non-nerdy friend of mine had a web site someone else had setup for her. I was having dinner at her house with a few people. She said something about wanting to update something simple on the website and I said I'd help if I could. She'd lost the password, so called go daddy. A helpful agent asked her for several pieces of info, of which she knew none. Zero, zip. Five minutes later she has a password. I could not believe it. She did not even know the CC# that was paying for the account and they still gave her access. I did not use godaddy myself and swore to myself I NEVER would. Sounds like they may have gotten even worse from their abysmal security. I did not think possible, and yet here we are.
Bookmarked
If anybody needs to have solid third party evidence of why I say "run away screaming" regarding this particular provider, I now have a link - and rather illuminating comments (WTF, retiredFool!) to link to as reasons why.
An outfit lacking so much basic competence ought be shuttered.
I'm not even sure my old provider was not long dead
I registered my domain in the dark ages of the DNS provider wars of the early 2000's.
One company got bought by another at some point with no impact. They still had the early 2000's web page for management that worked fine.
I usually did my renewals at 5-10 years for some stability.
On the last renewal, which I attempted about three weeks before expiry, my card would not process on the web portal, the provider contact emails would not respond and the phone went to complete silence (which is odd on its own).
Through some web sleuthing I eventually found out that my DNS domain was under Enom's "control" but was acquired along with my last provider and the provider still had distribution rights for the group my domain suffix fell under.
I reached out to Enom and got an actual human to help me by chat who immediately escalated the case.
It took about a week with constant communications for them to both A- agree that their distributor was no longer contactable within their contractual time window and B- for them to collect my documentation, have me send emails from the expiring DNS email to confirm identity and get things changed over.
The experience was stressful due to the potential impact (in the background I was moving everything to another DNS just in case), but getting things fixed and moved to Enom proper was processed with a great deal of professionalism and followed the plan they communicated at the start.
I am a few 1 year renewals and one IP change in on Enom and its been so much better. I now have 2nd factor login which was not even an option on the old system.
What a racket my old provider had, they may have been dead for all I know and that website was still collecting money until something finally broke with card processing.
This is not surprising as I lost 4 domains not just GoDaddy but 124Reg & heart internet all shortly after they took over these companies.godaddy is terrible at domain retention & data protection.
Schitzo
GoDaddy: "We did absolutely nothing wrong! But we're going to improve our internal processes so we don't do it again."
Were I them, I'd change my domain name registrar. GoDaddy can "Go **** yourself, Daddy."