GoDaddy’s Internal Fumble: Domain Vanishes to Stranger in 4 Minutes Flat

GoDaddy transferred a 27-year-old nonprofit domain to a stranger without documents or validation, causing four days of outage. Support failed; honest recipient returned it. Exposes registrar vulnerabilities amid history of lapses.
GoDaddy’s Internal Fumble: Domain Vanishes to Stranger in 4 Minutes Flat
Written by John Marshall

A 27-year-old domain name, backbone of a national nonprofit’s websites and email across 20 U.S. locations, vanished from its owner’s GoDaddy account. Gone in four minutes. No warning. No documents from the recipient. Just an internal GoDaddy user flipping the switch during a routine account recovery.

The saga began on April 18 at 1:39 p.m. GoDaddy sent an email alerting Flagstream Technologies, the IT firm managing the domain for its client, about a recovery request on the account. Three minutes later, at 1:42 p.m., an “Internal User” initiated a transfer to another GoDaddy account. By 1:43 p.m., it was done. DNS records reset to defaults. Websites dark. Emails bouncing. The audit log noted “Change Validated: No.”

Flagstream partner Lee Landis discovered the outage the next day. He fired off emails to [email protected]. Wait, they said. Calls piled up—32 in total, 9.6 hours on hold. Emails shifted targets: [email protected], then [email protected]. No callbacks. Case numbers reset with every call: 01368489, 894760, and more.

Austin Ginder, author of the original account on Anchor Host, took to X. “Can any of my GoDaddy friends help? A good friend of mine had a domain taken. My friend is very competent. Domain ownership protection was on. Owner did not get any notices. Audit log looks fishy.” GoDaddy’s Courtney Robertson reposted, escalating internally on her own time. Still, nothing.

Flagstream filed disputes via cas.godaddy.com/Form/TransferDispute, uploading driver’s licenses, business documents. Ignored. On April 21, GoDaddy closed the case: “After investigating the domain name(s) in question, we have determined that the registrant of the domain name(s) provided the necessary documentation to initiate a change of account. … GoDaddy now considers this matter closed.”

But the recipient—”Susan,” an executive assistant at one of the nonprofit’s regional chapters—had submitted zero documents. Her expired upload link proved it. She’d requested recovery for a different domain, HelpNetworkLocal.org. GoDaddy spotted a subdomain reference in her email signature, matched it to the parent domain, and handed it over. No verification.

Resolution came from the recipient, not the registrar.

On April 22, Susan saw the mystery domain in her account. She called Flagstream. Account-to-account transfer. Back in five minutes. DNS restored overnight. But damage lingered: four days offline, SEO rankings tanked, marketing materials obsolete, emergency migration costs.

GoDaddy’s policies promise safeguards. Domain Protection requires identity checks for transfers. Two-step verification was active—dual factors. Privacy enabled. Yet an internal process bypassed it all. ICANN rules demand verification for inter-registrar moves, but intra-account transfers? Looser. GoDaddy’s own help pages stress unlocking, auth codes, contact confirmation for outbound transfers (GoDaddy Help). Inbound or internal? The anchor.host audit log exposes the gap.

This isn’t isolated. Hacker News lit up with the story, topping charts at 500+ points (Hacker News). Commenters shared tales: domains yanked via social engineering, support ghosting. Reddit threads echoed it (r/webhosting). History repeats—2020 saw crooks trick GoDaddy staff into handing crypto domains to attackers (Krebs on Security). A 2015 CSRF flaw let hackers edit nameservers sans login (SecurityWeek).

GoDaddy defines hijacking as unauthorized control grabs (GoDaddy Resources). Here, it was authorized—by mistake. Susan proved honest. What if malicious? The nonprofit dodged ransomware, phishing via trusted email, traffic theft.

Flagstream plans full exodus from GoDaddy. Ginder calls it outrageous: “Everyone was lucky it was Susan that got this domain.” No apology from GoDaddy. No follow-up. Security reports bounced—[email protected] failed; HackerOne ticket #3696718 filed.

Industry insiders know the drill. Registrars handle millions of domains. Scale breeds slop. But basics matter. Email signatures as proof? Internal users overriding protections? Support queues shuffling cases like hot potatoes?

Nonprofits can’t afford this. Four days dark hits donations, outreach. SEO loss? Months to rebuild. Multiply by scale—GoDaddy holds 84 million domains. One slip, and trust erodes.

Fixes? Mandate docs for all internals. Phone confirms on high-value domains. Audit logs public on dispute. But registrars chase volume. Customers pay pennies yearly. Security’s the cost center.

Susan saved the day. GoDaddy didn’t. That’s the punchline.

Subscribe for Updates

DevWebPro Newsletter

The DevWebPro Email Newsletter is a must-read for web and mobile developers, designers, agencies, and business leaders. Stay updated on the latest tools, frameworks, UX trends, and best practices for building high-performing websites and apps.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us