Showing results for 
Show  only  | Search instead for 
Did you mean: 
Go to solution

Serious Security Concern - Transferring All Domains out of GoDaddy

I've used GoDaddy for over a decade. Today I transferred all my domains away from GoDaddy for one reason: My GoDaddy account was hijacked and GoDaddy did not do enough to prevent it. 


Three days ago I noticed that I could not log into my GoDaddy account because suddenly a two-factor authentication code was required - I never set a two-factor authentication for my account. I ignored it as I was on the go until yesterday when I saw a charge of nearly $500 on my bank account from GoDaddy. I immediately called support and was asked for the two-factor authentication code before they could look into my account. I didn't have it and they couldn't help.


Then I tried to change the password on my account and noticed a temporary password was being sent to a masked email n*****@e*** email which I did not recognize. That's when I realized that my account was compromised. 


Several calls later and after talking to a supervisor, it became evident that someone used my username and password (not sure how they got it), changed the email address on my account, set two-factor authentication, and purchased a premium domain. 


This comes down to two things: 1) I did not do my due diligence to protect my login credentials, 2) GoDaddy allowed the email address on file to be changed without sending a verification email to the old email address. I'm more upset about the second issue because once the email address is changed you can no longer recover the password. The two-factor authentication makes it impossible to even get support. I had to upload my government ID to prove my identity to get back into my account and transfer everything out of GoDaddy. 


Through talking to the supervisor, it became evident that this is a common occurrence and it's largely due to a limitation of GoDaddy's current system. Basically, GoDaddy, a publicly traded company with 12 billion dollar market cap, is aware of this issue, but not willing to implement an email verification step in the account management portal. That's why I decided to transferred all my domains away from GoDaddy today. I hope GoDaddy takes these incidences seriously and protects client's accounts. 


Re: Serious Security Concern - Transferring All Domains out of GoDaddy

Greetings @salehramazani,


I really appreciate your post and your sincere comments, they are especially useful as you took the time to communicate even though you already decided to go elsewhere. Please let me share some food for thought in return. The response is mine, I can't speak for the company at large, but I wanted to be timely with a reply.


One of the primary reasons that confirming an account email change will not work is that often the email being changed is being changed because it is not working. An example is an email address set-up with a now expired or no-longer-desired domain name. No confirmation would be possible. Of course, the listed account holder can always update the email address of record via with the identification specified on the site, but we are talking about a validated party with derived authority in this case.


Also, once authority or validation is invoked it is difficult for any organization to discern the proper customer from a "fake" customer and it's no secret that nuisance access or compromises sometimes come from the same device (where the device, access trail, password, or account was left available to others). I'm not suggesting this was your case, only that it's a common one in the industry.


However, knowing that humans err, we do try to put preventative and corrective processes in place. Unfortunately, this is made especially difficult when an account holder does not fill-in ALL the contact info or begins using shortcuts (in violation of our terms) by using nicknames or other unverifiable data. If we have no "tells" to discriminate the proper user from an improper one we both suffer.


As for the compromise, I am sorry to hear that the protocol we have in place to address recent account compromises may not have been invoked. Frequently this can resolve an issue in 24 hours or less in many cases, especially if a charge has occurred (some time to research the account activity is needed, of course).


While this is not the place (nor would it be proper to) discuss all the security procedures we have in place, there are layers upon layers of them (to the point where we occasionally upset a customer by insisting upon their help, even though our common security is our goal).


So, while this likely doesn't answer all of your concerns, I wanted to discuss a couple of the issues you raised from the "other side" at least. Again, thank you for your frank post and your clear wish to want to make things better. I hope we will continue to demonstrate continuous improvement so that you may want to return at some point.


Best regards,

Thomas D. - GoDaddy | Community Moderator
24/7 support available at