GoDaddy hands out account details and doesn't care!

[Gwaihir]

This is a word of warning. It hasn't fully played out yet, but so far I am shocked by what has happened to me and the way the firm involved, Godaddy.com is "handling" it. If you have an account there, this can happen to you too at any time. I feel you ought to know.

I have several domains registered through GoDaddy. I just got back from holiday to find curious messages from GoDaddy about a particular registration and my GoDaddy customer account the registrations run in. It turns out that a third party has contacted GoDaddy pretending to be me. This person was promptly given full access to my account! Obviously very bad, so I contacted them to find out what exactly has happened, get my account back completely, and gather all available evidence. The last in order to press for prosecution; the offender is known to me and causing me increasing headaches for a while now. Much to my surprise, this the reply from GoDaddy:

Thank you for contacting Domain Services. We received what appears to be valid information for the account holder. We cannot share this information with you. However, it also appears that you have gained access back to your account. Please let us know if we can be of any further assistance.

In other words: they just do not care! It seems they are totally happy with having handed over my account and unwilling to help me in any way! So, fellow GoDaddy customers be warned, your account is not safe there!


Some extra details: I have been able to at least get access again too by using the password reset system (it was still connected to my e-mail address) and deducted most of the above from looking around in my account after that, as well as by phoning the offender and reading between the lines of what he had to say - when pressed a bit he did let slip that he had indeed contacted GoDaddy and faxed them documents.

I do not know yet if any sensitive data has been compromised, like: was the original password handed over? Were my credit card details taken? The person gaining access has made a series of changes in his interest but most of those are not necessarily very harmful to me. (They transfer out a domain that is his and was to be transferred out anyway.)

[Spathiphyllum]

This is a word of warning...

...We received what appears to be valid information for the account holder. We cannot share this information with you...

Yikes! I'm not sure GoDaddy has really done anything that wrong other than be rather distant in their issue resolution. Yeah, that needs improvement if their form letter is all they can muster, but the real violation is your "colleague's." Since GoDaddy did obtain valid data, I'm not sure how their first response would differ from everyone else's.

At any rate, good luck with your forensics and any subsequent prosecution, and thanks for the tip. I don't use GoDaddy but I'll be parsing some contracts now to re-review my hosts' policies.

[Vin DSL]

I told you so!!! 1und1, heir Heemskerk..

Sorry, it's an Amerikan thing!

[Gwaihir]

Since GoDaddy did obtain valid data

Pardon me, how do you reach that conclusion . I have been able to establish that they have indeed received some data, but clearly it cannot be valid data showing that he's me.. GoDaddy appearently allowed itself to be had pretty easily and doesn't seem to care about resolving that.

It looks to me they are rather bluntly stating that they have accepted the fraudster as the real account holder and tell me to piss off. Furtunately, I do indeed have access too again now, so I guess the best I can do is empty the account ASAP and hope the next registrar I pick isn't so gullable and careless.

[Gwaihir]

I told you so!!! 1und1, heir Heemskerk..

Sorry, it's an Amerikan thing!

Yes, I'm afraid it is. 1&1 is only value for money for US & Canadian customers. Their European branch is much more expensive. I have been looking around before, being not overly happy with GoDaddy, but well, it never seemed to have priority.

[Vin DSL]

I assume you use "private registration", so called, yes?

[Spathiphyllum]

Pardon me, how do you reach that conclusion . I have been able to establish that they have indeed received some data, but clearly it cannot be valid data showing that he's me.. GoDaddy appearently allowed itself to be had pretty easily and doesn't seem to care about resolving that.

It looks to me they are rather bluntly stating that they have accepted the fraudster as the real account holder and tell me to piss off. Furtunately, I do indeed have access too again now, so I guess the best I can do is empty the account ASAP and hope the next registrar I pick isn't so gullable and careless.

Per their Universal Terms of Service:

4. ACCOUNT SECURITY.

You agree You are entirely responsible for maintaining the confidentiality of Your customer number/login, password, credit card number, and shopper PIN (collectively, the "Account Access Information"). You agree You are entirely responsible for any and all activities that occur under Your account. You agree to notify Go Daddy immediately of any unauthorized use of Your account or any other breach of security. You agree Go Daddy will not be liable for any loss that You may incur as a result of someone else using Your Account Access Information, either with or without Your knowledge. You further agree You could be held liable for losses incurred by Go Daddy or another party due to someone else using Your Account Access Information. For security purposes, You should keep Account Access Information in a secure location and take precautions to prevent others from gaining access to Your Account Access Information. You agree that You will be responsible for all activity in Your account, whether initiated by You, or by others on Your behalf, or by any other means. Go Daddy specifically disclaims liability for any activity in Your account, whether authorized by You or not.

Per your previous comments:

...when pressed a bit he did let slip that he had indeed contacted GoDaddy and faxed them documents.

So, this person (who you knew already) somehow obtained the appropriate documents and faxed them to the GoDaddy administrators. From their list, it would seem that s/he provided the appropriate "number/login, password, credit card number, and shopper PIN"... or at least enough for those administrators to push the legal paper for transfer. What documentation did they ask for and what was provided? Do you know? Did they disclose that?

From this distant and rudimentary observation, it would seem that an unscrupulous agent (who you happen to know) was either able to socially engineer a transfer through a perhaps knowing and complicit or an ignorant company rep. Either that or this agent acquired the appropriate personal data about your account (from you?) and that sufficed when submitted with the proper forms.

Again, what else is there to conclude? What document(s) did this offender provide? Was it different from what The Agreement explicitly specifies? If it wasn't, how did they obtain this info? Was it a system hack? Social engineering by them on you previously? Reckless GoDaddy employees not following their written policy and breaking your contract with them?

Were I you and The Domain of significant value, I'd be looking for an attorney as soon as I had the forensics that I could accumulate acquired. Then I'd be looking both at the unscrupulous colleague and GoDaddy and weighing the cost of litigation and the consequences therein. But before any of that I'd have yanked all of my services from their servers and told them why. You have done that, right? It might make them reconsider their options, too.

[Rob]

Wow.. i would sue the guy... How did you know him?

More to the point how did he obtain your details?

[Gwaihir]

As far as I know he has provided none of the details Spath highlighted, so ignorent / reckless GoDaddy rep indeed.

He is the legitimate owner of the one domain now transfered out, so the value of that isn't relevant here. It seems so far that he provided details showing he was the registered owner of that - which indeed he is - but somehow managed to use them to lay claim to the account as a whole, rather than the domain name, which btw I had already unlocked for him months ago for transfer out.

I am at this point still trying to complete whatever forensics I can. Mailing GoDaddy twice again got a more sensible response at last: they're stating they're looking into it and that I'll hear again from them in a couple of days. I hope that will get me somewhere and bring enough for the police to go on. I'm afraid they'll not be too anxious to or good at investigating stuff like this, but I really hope I can get them to so I want to make that as easy as possible. This person has been quite a menace in my life for a while now, so now that he has taken steps that are criminal in nature, there may be a way there to send a good counter-signal without having to litigate myself, which is a costly and complex process for which I totally lack the means (both financial and time wise), especially compared to him.

Sorry for leaving so many of the other elements open. I can understand the curiousity, but am trying to limit the amount of needless mud I permanently place on the internet. GoDaddy is a firm many around here will have dealings with, so would want to know about how it falls for fraud / handles sensitive matters. The other involved is not. Furthermore, I do not whish to aggrevate things by useless public mudslinging, as there are still ties between me and him that will unfortunately take years more to break fully.

[Spathiphyllum]

File a report with the IC3. It will get your complaint on record with a third party and provide you with the incentive to accumulate presentable data.

A few years ago I used the IC3 (when it was still a novel process) and additionally sent a cease and desist letter for a cyber infringement. The combination worked well in my case though the conditions are different from yours. It was a good alternative to litigation since you have limited options. IANAL, so this is just a path that I took once upon a time. YMMV.

It may or may not open up a can of worms, but I'd be quite serious about my intent and my response. Such filings and the notification of those filings with the violating party indicate the seriousness of your concerns. If you are legally sound, it sends a powerful message. Their response to that message indicates the required level of escalation you'll need to apply for the long term.

Good luck.

[Rob]

they're stating they're looking into it

i have heard that so many times i don't know whether or not to believe it. Hopefully they should and will look into it especially if they have a pending legal case. My advise would be to transfer all your domains away from go-daddy and consult your lawyer as it sounds a really bad problem.

Hope you get it sorted out soon.

[Vin DSL]

My advise would be to transfer all your domains away from go-daddy...

This applies to everyone!

I travel past CrackDaddy almost every day. It was started by a realtor in my area (Cave Creek, Arizona actually) as a hobby, and grew out of all proportion - one of those Internet phenomenas. They're down by the Scottsdale Airport now.

Anyway, I've been warning ppl about this (ahem) joint for years. They blow!

[JPC-Greg]

Not really a big suprise . They signup 25k $2 clients a day, why should they care about any of them.

[Rob]

ive never used GoDaddy before they have always looked crappy

[the_ancient]

I dont know why anyone would trust a person that names their company "godaddy" anyway!!!!


The best thing you can do at this point is switch companies.