Likely an inside job. I had a similar experience with AWS where my account was compromised despite the fact that I had all the proper security features enabled. It was later discovered internal contractors were responsible. But up to that point AWS blamed the issue on me with no proof. A call to the AG office in my state got the ball rolling and initiated an investigation that finally got a manager to take the case seriously.
The explanation is at the end of the article: another GoDaddy customer asked for the transfer of a similar-looking domain name, and they transferred the wrong domain.
And then slow rolled support.<p>And then flat out lied that they received "the correct" documentation justifying the transfer when they hadn't received any documentation, and denied the appeal.<p>Frankly the whole thing is inexplicable. The best explanation is fraudulent business practices to save 60 seconds of looking for the documentation.
[delayed]
If you read farther down, it’s obviously an inside job in the incompetent, not malicious, sense. Their employee did not do anything remotely resembling following procedures, misread an email to an outrageous degree, and transferred <i>the wrong domain</i>.
but why? why would an insider put the wrong domain into a strangers account that has no interest in using the domain and went out of her way to give it back to the rightful owners?
Wait few hours. Some CTO or PR guru will post a message here.<p>- We are totally revamping our processes. This never happened out of incompetence. Humans make mistakes. We are contacting the client for 1 year free renewal - waiving. Will mail a coupon code. We consider this issue closed.
Have we ever got any response like than from GoDaddy ever in any of these issues over years?
Any direct followup from GoDaddy would be welcomed.
Or a very long "let me explain why this is ok actually" from a "random" account
HN is the only real support channel in tech. First level customer service is AI, second level is outsourced idiots who blindly follow a script, the third level is ”Issue has been closed”
He mentions these 3:<p>"- Every email address that exists out in the world is now wrong.
- Every piece of marketing material is now incorrect.
- All of the SEO is gone."<p>but it seems to miss even the biggest one, which is that you are effectively locked out of any online business accounts, your bank, your crm, anything that says "we noticed an unusual login, please enter the code we just sent to your email to verify the login."
The cascading effect is unimaginable since everything tied to that email.<p>It is similar like losing phone or sim or even being in a foreign country where you can't access your number but worse.
Also huge opportunity for scams etc if this ever was a targeted takeover type thing. Emails and other stuff go to the same domain, and an impostor could just keep answering correspondence like nothing had happened<p>And even worse, if I wanted to take over npmjs.com tomorrow and godaddy would kinda... just hand it over (?!?!?!) then i could probably become a crypto billionaire overnight
That’s such a good point I didn’t think about!
I have no reason why would anyone use godaddy 10 years ago let alone today
It's literally the largest registrar in the world, by a large margin.<p>When you're a business and want something reliable, picking the most popular provider is <i>usually</i> a strategy that works decently well. They're more likely to have established processes that work for all sorts of cases.<p>That's what makes this particular story so egregious.<p>Domains are a very funny business. I can't think of anything so crucial to businesses, that at the same time generates so little revenue per customer. Your entire technological infrastructure depends on it, yet it costs $15/yr. Making a single support request can turn you into an unprofitable customer.
>It's literally the largest registrar in the world, by a large margin.
When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well. They're more likely to have established processes that work for all sorts of cases.<p>It's also literally one of the most criticized and awful registrars in the world, by a large margin. If decades of stories like this don't convince you to go with a more reliable registrar then I have very little sympathy.<p>This story is not egregious, it's in fact typical of GoDaddy. Every so often we get a HN post with a GoDaddy horror story. You'd think people would have learned by now.
They are the biggest because they undercut all the other registrars and spent millions on Superbowl commercials among other strategies. Size does not automatically equate to competency. Sometimes bigger can mean more mistakes are likely to occur and customer voices may be more likely to be unanswered in the ocean of support issues.
How many stereotypical male tech nerds flocked to GoDaddy after hiring Danika as "spokes" model. Did she ever speak? Glorified booth babe is more like it. After that, every non-tech dude would remember those commercials. Of course they are popular, of course for the wrong reasons. It goes to show exactly how well advertising campaigns work.
> more likely to have established processes that work for all sorts of cases<p>Whatever their process is, it's concerning. I wonder how many sign-offs are actually involved, or if it's just a ticket handled and closed by a rep.<p>Either way, GoDaddy is not the first choice for a new domain in 2026.
Then a paid support plan at $500/mo for those mho want it?
> They're more likely to have established processes that work for all sorts of cases.<p>In my experience the sentence is only correct this way: "They're more likely to have established processes for all sorts of cases"<p>They have lots of clients. They have big opportunities to streamline support (which is a cost center). ... do you see where it leads? Read the OP, if not!
> When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well.<p>That is also at least 10 years old stale matter. Have you ever read people wrongly being locked out from a BIIIIG provider unable to get through to get remedy? Apparently no. I did. I am sure several other people here did too.<p>Motto: "Eat shit! A trillion flies cannot be wrong!"
Vast majority of domain owners are not technically inclined today, probably hasn't been so for decades now.<p>If we ask 100 likely buyers family feud style, where would they go buy a domain, GoDaddy likely is going to be the top answer by a wide margin.<p>They wouldn't know about any bad news/ security incident with the brand either.
You’d be surprised how many enterprises use them. Also their managed hosting support is surprisingly competent. I’m not a fan of their service but some of our clients use them and anytime their servers have had issues support was quick to fix. Way nicer than having to jump in and do it myself. And so far it’s all been local support and not offshore.
Exactly. Had to chuckle at:<p>> [...] is one of the most competent IT guys I know. The GoDaddy account had [...]<p>Don't think I've ever heard something good about GoDaddy.
To be fair, 10 years ago the alternatives weren't as obvious to non-technical buyers.
Came here to post the exact same comment. They have a history of amateur-hour stuff like this, too, don't they? For me, the brand has always been associated with "bet it all on marketing" rather than technical competence.
And that is why I’d rather work with a smallish and responsible registrar like porkbun - this is after I lost a domain from a “cheap name” registrar.<p>Personal experience, no relationship to either registrar listed above
npm can give you security warnings about packages. I wonder if there is space for an external dependency warning system for sites. 'WARN: godaddy has elevated security complaints related to service XXX' and the like when you push a PR. Add it as a GH action check and it goes against a public DB of complaints. Sort of a higher level 'do you trust your provider' check.<p>The core problem tight now is there is very little incentive for companies to fix their support since there is no easy way to advertise how bad it is compared to other companies. There is no natural market for the value of support since consumers don't have an easy/obvious way to compare built into how they do things day to day. An infra scan of services tied to public support metrics could help plug that hole.
At the risk of sounding snarky;<p><pre><code> Last Saturday afternoon one of his client’s domains vanished from his GoDaddy account.
Lee is one of the most competent IT guys I know.
</code></pre>
'Competent' and 'client's domains [hosted on] GoDaddy' don't go together.
It does sound snarky, maybe GoDaddy was the cheaper option at one point and they stuck with it. I get that.<p>I use some square space for a lot of stuff, but it's largely because Google Domains sold out and the price is "fine." Sure, I could use something else, but this works, the cost is correct, and - I can't stress this enough - it already freaking works. I also use a python as a service tool I point at frequently. Their customer service is great, so I doubt this would ever happen there? But yeah, I'm not manually configuring a server somewhere most of the time.<p>Is it the "best" possible tool for the job? Not really, but it works well enough for the stuff I use and my workflows are already rock solid to deploy code to prod, etc. Is it because it's impossible for me to spin up a VPS or I'm too stupid to figure out Hetzner? Probably. But no, I've done it before, I could do it again, but that would take me X hours that I'm not getting paid for to migrate for limited utility, possible customer interruptions, and stress. I might need to migrate in a year or so, but until then, I'm not going to bother.<p>I reckon that's a similar sort of thing that happened here and depending on what they're doing business-wise, Lee could be insanely competent IT person and was just unlucky because the hammer he reached out for with GoDaddy actually turned out to be a foot gun that took years to fire.<p>It happens, it's not ideal, but it happens - I'm just glad they got it figured out and I'm glad that these sorts of events percolate up in the hn zeitgeist, because I definitely know who I won't be turning to in the future. Like, I kind of already knew GoDaddy was trash? I used them something like 10 years ago to spool up a website for a friend of mine. The whole experience was garbage then and I said, "never again" - but also that was kind of at the beginning of me even learning about how this stuff works? But I could totally see a scenario where I get snared into a product ecosystem and the opportunity cost of switching out of it outweighs staying put until it blows up in my face.
Where would you host domains?
CloudFlare since they sell domains at cost and have really good DNS infrastructure with some free protection features. If the TLD isn't supported by them for registration then I'd just use their nameservers.<p>Or Route53 if you're using AWS since that makes it easier to integrate with the rest of AWS and manage in IaC, and AWS also has robust network/DNS infrastructure.<p>(I would say GCP if using GCP/Google Workspace, too, but since they split domains off to Squarespace I really don't know what is happening over there anymore as far as domains go.)<p>So far those 3 have been more than sufficient for all of my domain needs.
If it is extremely critical, MarkMonitor.<p>Otherwise, Porkbun or Cloudflare Domains if you're ok using their DNS.
[delayed]
I suspect you mean register/renew:<p>Depends. If it's something really high priority (like main domain for a large corporation) I'd likely be paying CSC 4 digit sums per domain per year.<p>For stuff a tier below that I'd be looking at companies that are serious about security and happen to do domains as well e.g. Cloudflare, Amazon
Literally anywhere else.
Literally anywhere else, GoDaddy is utter trash and has been for many years. Namecheap is the one I use personally.
Namecheap has had its own host of issues like a few years back breaking hsts and causing tons of sites to break for quite a while and their response was basically oh well. That incident along made me move my domains off to porkbun.
I do wish Namecheap's Dynamic DNS support supported IPv6 though...
Namecheap supports genocide in Palestine: <a href="https://neosmart.net/blog/namecheap-com-revokes-domain-hosting-video-archives-of-israeli-war-crimes/" rel="nofollow">https://neosmart.net/blog/namecheap-com-revokes-domain-hosti...</a>
I had a similar problem with Crazy Domains: they accepted forged documentation, turned off two-factor authentication despite multiple emails from me saying never to do so, and me literally being on a call with them as it happened. The domain compromise happened as part of a plan to hijack my OG Twitter username [1].<p>It took getting my country's NIC and regulator involved before they restored control of my domain back to me.<p>I've never gotten a formal apology from them, and the incident took so much out of me that I've never gotten around to pursuing them any further.<p>But fuck Crazy Domains, Dreamscape Networks, and Newfold Digital (fka Endurance International Group).<p>[1] see also: <a href="https://news.ycombinator.com/item?id=47859496">https://news.ycombinator.com/item?id=47859496</a>
Probably ten years ago with name.com I had a .at domain expire.<p>I caught it like a day or two later, and successfully renewed it through their site but it did not take.<p>There was somehow already someone up squatting my domain. I contacted support and they told me there's apparently no renewal window for .at but they could recover it for $140 - oof .. sure. It was nothing super important but would be annoying to lose.<p>Then it took like a week for them to get back to me, but after that week I got my domain back. I have no idea what gymnastics happened on their side.
I’ve made a lot of really good decisions in my life, I think, such as: deciding to have kids, deciding to move to another place I wanted to live, career choices, but by far one of the best of them all was getting all of my domains off of GoDaddy.
They’ve been like that since the turn of the century. This is like eating every meal at McDonald’s and wondering why your health is suffering.
Most of the issues we've seen in the past are due to payment failures, credit card declined, etc., that let the domain goto auction and lose access.<p>This is all new and from the content of the post looks like due to an employee error in transferring the wrong domain and they don't have a process to address the situation.<p>Corporates have a huge blind spot and everything with them is just a process and this case the process completely failed.<p>Unfortunately everytime it's the customer who suffers.
I’ve successfully saved many people suffering with godaddy.<p>As soon as the word is mentioned I tell them the horror stories.<p>Saving this to the bucket of stories.
When is people gonna stop using that crap name server??
What else needs to happen? GoDaddy is a scam!
Godaddy is pretty awful in a lot of things. This doesn't even surprise me. But I will say that their broker services have done me well. But I do transfer domains away as soon as possible to dynadot
This is a textbook case for suing for compensation and punitive damages. I hope someone opened an arbitration complaint on day one to get the wheels turning. Maybe they’ll consider reviewing <a href="https://www.icann.org/compliance/complaint" rel="nofollow">https://www.icann.org/compliance/complaint</a> (one can dream).
punitive seems like a huge stretch, damages sure.<p>Icann Arbitration seems like the wrong channel, those are typically used for when someone correctly technically registered the domain name, but there's a dispute from the non-owner, e.g:<p>1- Trademark holder registers trademark.com, malicious actor registers trademark-web.com and phishes.
2- trademark.com expires, and someone registers trademark.com and domainsquats.<p>This is not the case, all Icann can do is make decisions over who owns a domain. A civil court would be more appropriate for calculating and ordering compensatory damages.
The amount of dark patterns in product management (Domain renewal) UI related to selling additional services and general shadiness from godaddy make it a very poor choice as a registrar. Concur with the other person who has no idea why anyone would choose to use it.
Flagstream should still get lawyers involved
I've heard this story before...in fact I've heard it several times, and funnily enough each time it involved GoDaddy. Stop. Using. Them.
This reminds me of when a friend’s website inexplicably disappeared and was replaced with a redirect to an ad for some GoDaddy ai website builder and support couldn’t explain how that happened other than “the nameservers were changed” despite the fact that the account hadn’t had any logins for over a year.
Wow, that is insanely atrocious. I'll look into moving off any remaining domains away from GoDaddy.
> Lee is one of the most competent IT guys I know.<p>And yet he uses GoDaddy?
"Lawyers would have gotten involved"<p>Oh, please do. Mistakes happen, and the scale of GoDaddy means that even rare mistakes will happen. But they may still be liable for damages, how much is the reputational damage, and the possible lost business? Why wouldn't you go this route?
Another example of a long list of stories where GoDaddy practically destroys decades of business trust for a customer by just ripping their domain away for no reason. What an awful company.
[dead]
[dead]