This is a guest post from someone who wishes to remain anonymous. The article discusses how the person’s Go Daddy account was hacked.
—-
So it was a Monday morning a few weeks back – the start of a new workweek. That Monday morning I had a few things on my plate one of which was to renew a few domain names at Godaddy.com. I have been with Godaddy since the early days – I believe I registered my first name there in 1999. I have an executive account rep and I rarely have any issues with them.
That Monday morning, I tried to log into my account and it seemed as if I may have mistyped my password – I change my password all the time and it was early, maybe 7am est, I figured that I must have just forgotten my password. I submitted the password retrieval request on the site and I received a message telling me that my email address was incorrect. I am a little paranoid so I immediately believed my account was hacked or at least compromised in some way.
I then called the executive accounts number to find out exactly what was going on. It was 5 am in Gilbert, AZ, where Godaddy is located, but they had a rep there to assist me. This rep was not my account rep, but nonetheless was able to get into my account to inform me that my email had been changed about a half hour earlier and that I pushed one of my domain names to another account. The account rep helped me regain control of my account, I reset all of my passwords, and my 4 digit pin number.
I eventually got the domain name back and put a crazy high security setting on my account – where nothing can happen at all with any domain name unless I get a personal phone call and give an additional special code (a different code than the 4 digit call in security pin – a real pain in my ass – but I feel necessary now). I was also frantically checking all my other accounts in my life…I was pleasantly surprised that none of my other accounts such as banking, other registrars, paypal, email addresses, etc…had any issues with hacking – All seemed fine – I still changed all passwords etc for all my accounts….
I assumed somehow my Godaddy password got compromised and that was all – so no real worries and this was the end of it. At the time the only thing that bugged me was that it seemed Godaddy would not investigate the hacking at all for me and was pretty unhelpful in providing me any info so I could investigate it myself – there was plenty of data Godaddy could use to investigate this hacking, but I was told they did not have access to the information I was asking for. Oh well – I just figured they did not really care as it seemed that everything was back on track for me at this point and the problem was on my end. I thought that was the end of it…no such luck.
Two days later I got my account hacked again – nothing was taken as they could not move or make any changes – this really had me crazy freaked out. I concluded the problem was actually on my end – I have a mac – but I still had a thorough scan of my computer for malware and/or keylogger apps – found no issues – I wiped it clean anyway – I also purchased a powerful security software which I installed. I then changed all my Godaddy passwords, user pin etc…again – as I did with all of my other accounts in my life – Banking, emails, other registrars, etc. This seemed to do the trick as I stopped having any issues…until this morning.
My account was hacked again – I found out as soon as I woke up around 6:20am; no other personal accounts such as banking etc…had any issues – just my Godaddy account. The hacker tried to push a few domain names out, but could not as I have the high security settings which require a personal phone call with code (and the code is not online)…I was really just baffled and I immediately called Godaddy as now I was certain the breach was not on my end.
I spent a marathon session with an early morning Godaddy executive account rep and I was not taking “we don’t have access to that info” as an answer… I will say that this account rep seemed to truly care about the problem and was working with me to get to the bottom of it – He was able to look into many of the things I asked him to look into and we did get to the answer.
We realized I had not deleted any of my expired credit cards or old paypal billing agreements from my account – so I had expired cards and paypal confirmations dating back from 2000 still associated with my account. In addition to the standard giving your 4 digit pin number, Godaddy will allow access to your account with the last 6 digits of any credit card expired or not – they will additionally give access to your account with the last 4 digits of any paypal billing agreement code – which is plainly visible to anyone who has access to your Godaddy account or email account.
The hacker was calling into Godaddy and pretending to be me. The hacker seemed to originally be able to access my account by getting ahold of an old/expired credit card number and changed my email address by having the Godaddy rep send the email confirmation to the hacker’s designated email address – it appears that Godaddy accepted expired credit card data to allow access into my account without knowing the designated 4 digit pin number (for credit cards on Godaddy – the last 4 digits are visible on the account – but they do require the last 6 digits in lieu of the 4 digit pin number you set).
From there – the hacker gained access to my account and made note of all the entries in my ‘payment methods’ area for paypal billing transaction codes. So you know – when you authorize instant payment from paypal – you set up a billing authorization – which is kept in your ‘payment methods’ area and most of the transaction number is not visible but the last 4 digits are visible. Godaddy will allow access to your account with those 4 digits from the paypal transaction billing agreement – which is visible on my account.
In summary – The Godaddy rep was able to tell me that the hacker each time called into Godaddy – gained access to my account by either using an expired credit card number (as they did the 1st time) or last 4 digits of a paypal billing agreement code. I deleted 3 dozen old credit card numbers and all the paypal billing agreements from my account. I believe this has finally secured my account.
It is really troubling to know that everywhere I use my credit card is a potential new breach into my Godaddy account. IMO it is only a matter of time before hackers perfect this breach. I truly hope this is the end of my story on this. My suggestion to everyone is to check your payment methods and delete all the expired credit cards and all your paypal billing agreements.
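The caller check described in this post, modelled as an added example (not GoDaddy's code and not part of the original post). It shows why resetting the PIN did not lock the caller out while old payment data stayed on the account; all names, card numbers, codes and the date are constructed, and `hardened_verify` is an assumed stricter policy.

```python
import hmac
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Card:
    number: str      # constructed test number, not a real card
    expires: date


@dataclass
class Account:
    pin: str
    cards: list = field(default_factory=list)
    paypal_agreements: list = field(default_factory=list)  # constructed codes


def weak_verify(acct, answer):
    """Caller check as the post describes it: any ONE match is accepted."""
    if hmac.compare_digest(answer, acct.pin):
        return "pin"
    for card in acct.cards:                  # expiry is never consulted
        if hmac.compare_digest(answer, card.number[-6:]):
            return "card_last6"
    for code in acct.paypal_agreements:
        if hmac.compare_digest(answer, code[-4:]):
            return "paypal_last4"
    return None


def hardened_verify(acct, answer):
    """Assumed stricter policy: only the customer-chosen secret counts."""
    return "pin" if hmac.compare_digest(answer, acct.pin) else None


def fallback_credentials(acct, today):
    """Audit: stored payment data the weak policy treats as a credential.

    Returns (kind, accepted_value, is_expired) for each stored item.
    """
    found = [("card_last6", c.number[-6:], c.expires < today) for c in acct.cards]
    found += [("paypal_last4", a[-4:], False) for a in acct.paypal_agreements]
    return found


def purge_stale(acct, today):
    """The post's remediation: drop expired cards and all billing agreements."""
    acct.cards = [c for c in acct.cards if c.expires >= today]
    acct.paypal_agreements = []


def demo():
    today = date(2014, 1, 6)                 # constructed date
    acct = Account(
        pin="4821",
        cards=[Card("4111111111111111", date(2003, 5, 31)),   # long expired
               Card("5500005555555559", date(2016, 8, 31))],  # still valid
        paypal_agreements=["B-CONSTRUCTED7731"],
    )
    leaked = ["111111", "7731"]   # values known to someone other than the owner
    acct.pin = "9035"             # owner resets the PIN after the first incident
    before = [weak_verify(acct, v) for v in leaked]
    strict = [hardened_verify(acct, v) for v in leaked]
    purge_stale(acct, today)
    after = [weak_verify(acct, v) for v in leaked]
    return before, strict, after


if __name__ == "__main__":
    print(demo())
```
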
Thanks for taking the time to share this very important information with the domain community.
Time for us all to review all of our accounts — yet once again.
In my past days as an account Exec. with Merrill Lynch, I learned where there is a lot of money The Rats will find a way to the cheese. The biggest Rats now wear Bankers suits and have access to widowers CD accounts. You think the last Bank asset blow up was Big? Wait till the next go around; we haven’t seen anything yet.
Gratefully, Jeff Schneider (Contact Group) (Metal Tiger)
Thanks for sharing!
Thanks for sharing this useful tip. I will go through my account and see if there are any old/expired credit cards and PayPal billing agreements which will be deleted as quickly as possible.
I hope GoDaddy enables the Two-Step Authentication for all countries soon. This will help everyone to secure their account in better way.
I don’t get it, every time godaddy asks for pin code, if you are exc account, they transfer you after confirming your account, shouldn’t there be a note on the file, like many banks have warning of past breaches. I can’t see a rep changing critical info without confirming, very sad, looks like a big shakeup at godaddy exc accounts this week on a side note.
This happened to us several years ago and we had two 3 letter .com domains stolen, which we later recovered.
Most GoDaddy “hacks” happen as a result of people clicking on Godaddy phishing emails. Usually they come in the form of an ICANN whois confirmation request (the one that registrars are supposed to send you annually). When you click it you go to a page that looks like godaddy and you enter your login information and then…
Check the actual URL you are clicking on in any of those emails and look carefully as they usually use some variation which is similar to “Godaddy.com”.
Seems the bigger problem you had was with PayPal and not GoDaddy……….
Wow ! The trouble these hackers went into for stealing a domain name. Hope these hackers are identified and prosecuted.
Thanks for sharing.
How did they get a copy of your old card to get in originally?
@Andrew – Yes that is another way that hackers can get you – and people need to look out for that as well – what happened to me is certainly different, but has the same effect.
@Alan – The problem was not with Paypal at all really, but in the different/un-secure methods Godaddy allows for entry into your account. Basically, if someone has any current or past credit card number for you – they have full access to your account with Godaddy’s help….and yes the Paypal billing agreement code is also a method that godaddy allows full access to your account – which is hugely problematic especially if the company or person you have the billing agreement with is in the know on this – but be clear, it is not Paypal that allows access to your Godaddy account with the last 4 digits of that billing agreement code.
@Steve – Not sure – most likely from a breach with someone I have done business with in the past.
Hi to All
Now that I’ve read this, just a quick question.
3 days ago I got an email from Godaddy saying that I’ve earned “**Godaddy Premier Services**” and Mason Goecke is my account manager. I’ve just searched him on Linkedin and he has very limited info, no connections.
Could this be a bogus mail? Has anybody here dealt with Mason? thanks
I assume there’s a phone number. Call and confirm. It should be a 480-505-xxxx number.
So will GoDaddy do something about this security issue?
This is good information regarding old credit cards/payment methods.
Another suggestion: if you live in the U.S., turn on two factor authentication. Even if someone gets your username and password, it will be difficult for them to get into your account if you’ve turned on two-factor.
Holy…just wow. Thanks for sharing your experience. It sounds like a massive headache, but I’m glad it’s resolved. Was there an additional charge for the extra level of security, or was it something you just had to opt-in to?
Andrew – “….turn on two factor authentication…..”
How does one do that?
Here are instructions:
http://domainnamewire.com/2012/07/09/godaddy-com-adds-two-factor-authentication/
Memo to all customer service reps, do not change passwords without confirming pin, or calling old contact number first. You idiot thieves better think twice as if that is a pricey domain someone has paid big money for you’re going into a whole new felony class, no domain is worth jail time.
@John – Direct link https://mya.godaddy.com/settings.aspx?settingstab=securitysettings
Then check the box on the right. It’s only available to US based customers.
Incidentally, the #1 method hackers use to compromise GoDaddy accounts, is via phishing emails. Never click on email links that invite you to log in.
When you get those, you can forward them to legal@godaddy.com. I am not sure how much it helps them, but it can’t hurt to make them aware of these attempts.
Has godaddy executive services tiered their services to metals, i.e. gold, silver, platinum?
There is a Gold and Platinum tier now.
Gold is the first level. There are more account reps and there is a lower bar for qualifying.
The Platinum level has fewer accounts reps and a higher bar for qualifying.
Brad
@Nadia – Yeah, it was a real headache, but knowing how the hack occurred is quite a relief. If I was the type who renewed all my domains at once – I may not have logged in for a month or two and it would have been much worse. In answer to your question – Godaddy offers that added level of security at no charge…the problem with it is that I cannot do an immediate push any more – I have to wait for my account rep to call me and get my verification code.
@everyone else – The message I received informing me that my email was changed was grossly insufficient. IMO – having my accounts email address changed is monumental…I receive tons of emails from godaddy each day and the “alert” message was really easy to lose in the mix. This is what they sent each time my email was changed:
Dear (My Name),
You are receiving this email because the Account Settings were modified for the following Customer Account:
(My Account Number)
There will be a brief period before this request takes effect.
If these modifications were made without your consent, please log in to your account and update your security settings.
If you are unable to log in to your account or if unauthorized changes have been made to domain names associated with the account, please contact our customer support team for assistance: support@godaddy.com or (480) 505-8877.
Please note that Accounts are subject to our Universal Terms of Service.
Sincerely,
GoDaddy.com
Any public registrar could have a weak point in security.
I have suggested to a few of them to display the last 10 times the acct. was logged into and the IP address. It is very simple to do. They don’t want to do it.
Meyer,
Unfortunately when a domain account is hacked the damage is usually done too quickly — the domains are stolen before you log in and notice the mysterious IP address.
I have asked Go Daddy for a similar feature on web hosting accounts, as my FTP was recently compromised.
I like how gmail does it.
As long as the domains stay within godaddy, you have a good chance of recovering them. Another layer of security is to mask your domains with privacy, as domains cannot be transferred out when privacy is set on. The access to the privacy panel has separate login and passwords possible, so it could buy you time.
Very informative and useful blog post. Thanks.
Unless it has changed with the new Gold and Platinum tiers, the coverage for Executive Accounts has not been 24/7/365. If contacted after hours, the coverage for Executive Accounts is handled by inbound support at Go Daddy.
Some background information may be helpful. Over the years, Go Daddy has developed, installed, maintained and promoted a VERY established class system of their employees. The corporate and technical departments are in the higher classes of employees. The call centers, providing domain support, are the lowest level. Within the Go Daddy Call Centers, inbound phone support is even further at bottom. Often, it is handled by newly hired employees. At Go Daddy, in the middle of the night, late on weekends, or on a holiday, consider that phone support is provided by the bottom tier of the lowest class of Go Daddy employee. It is from a worker who cannot get hired into the upper class Go Daddy jobs in the corporate or technical departments. Working in inbound support, they have not or cannot get a better, more specialized Go Daddy support position. We are all aware that for the most part, second level support and above at Go Daddy refuses to speak directly to us customers. Furthermore, the support rep we do get, if they are working in very late / early / weekends / holidays, it is because they can not get better hours to work.
At 5:00 AM in the morning, at Go Daddy inbound support, one should not be surprised to get the “we don’t have access to that info” as an answer. Also, the caller not being advised to delete the old credit card numbers and PayPal information should not be a surprise.
This is not making excuses for the handling of the situation at Go Daddy. Account security is VERY important. However, one should be cognizant of the fact that situationally, the support may be handled by the lowest class of Go Daddy employee, with the least amount of experience, with the minimum amount of Go Daddy training, doing a job that many are attempting to depart, working the hours that no one else wanted.
The above is just the reality of the situation. It remains to be seen if this paradigm will change under Blake Irving or Scott Wagner.
Would the GoDaddy.com owners – Kohlberg Kravis Roberts, Silver Lake Partners, and Technology Crossover Ventures – have any reason to change this?
I am not sure what has changed or not, but the time I got to the bottom of the problem it was before 5am at Godaddy and my understanding is I was being helped by an executive account rep who was very helpful and knowledgable. The first time it happened – I certainly was not helped by someone with any real knowledge…and that was early as well.
I think this is a huge security gap with Godaddy accounts and If they do not make things more secure – I will have to move all my names away…as much as it would pain me to do – and I really do like Godaddy – always have. I even got paranoid when I went out to dinner the other night and gave my credit card to the waiter – by doing that – I gave the waiter enough info to hack my account if he is savvy enough.
Set up the security option so that every time you sign into your Godaddy account it sends a 6 digit code to your mobile phone. You then have to confirm by putting it into your log-in page on Godaddy. I set it up right when they offered it.
Thank you for posting. This happened to me two days ago. My whole business was stolen. All contacts, calendars and private emails. Just an FYI: if you run your domains through any kind of a dashboard app such as google apps for business, which is partnered with godaddy in registering, BEWARE. Once access is obtained into the app any domains you managed there are compromised. My domain was even transferred in one day!!! I am fighting to get the persons prosecuted for this theft. Godaddy offered no help to me at all. They could see exactly what happened. That someone called in and requested a transfer and from what IP addresses. But they refused to send me any documentation on it so that I could report it to the police. Instead of helping me they just said they would put an email into legal and they couldn’t guarantee when I would be contacted. In the middle of all this the domain was transferred to godaddy!!!!! Under a new owner!! I couldn’t believe it. They basically let someone transfer the domain to a new person within the same company. Hello!! Big red flag. And by the way this was all done in the middle of the night while I was asleep. Woke up and tried to log in to my gmail and all passwords changed. I was burglarized and godaddy helped it happen. I really think they need to be held accountable!!
@Annonomous: Get an attorney, file a report with your local police and call your state’s attorney general office and file a complaint. That might get Go Daddy to start dancing a bit.
Then reclaim your legal fees back from Go Daddy for not helping you in the first place. It’s not like you’re a third party, you are the direct customer who was affected.
They’ve just removed my ‘car-mats’.
So, you go to the car dealer (..you know, the one you trust. The one you’ve dealt with before. The one you think you have a trustworthy connection with),find what it is you came for, accept all the terms, conditions AND FREE BEES to then find out after the first ‘timing belt change’ your FREE BEES are ‘removed’. Read GONE, disappeared, stolen!
I’m getting more and more discontent with my registrar GoDaddy. Let me share my frustration;
In the past i have made a few phone calls to HQ, had a conversation, asked a few questions and…was put on hold. I was able to ‘see’ & ‘hear’ the question marks over the phone. The fun and frustration part is that sometimes I HAVE NO CLUE WHAT I’M DOING, WHAT TO DO OR WHERE TO GO NEXT and therefore i’m picking up the phone trying to get answers from my registrars support department. Maybe i’m old-skool but i really think a support department needs to be…supportive, knowledgeable and service minded! (..if the shoe fits).
A year has gone by and somewhere half way i got this VIP/EXEC assigned to my account. The Go-To girl/guy for all your account related questions.
I’ve emailed this person a few times, explaining what i did, why i did it, how i did it but with an outcome being less pleasant or disappointing. His answer to my emails then is always a link. A link to an answer, and that’s fine, that’s super if it actually helps me to move forward.
Knowledge is key but dude,..please…do not send me a link to an explanation about stuff that i’ve just explained in my email…to YOU.
…and now my ‘car mats’
It’s renewal time and i’m filtering. Trying to hold on to those domain names of which i think have commercial value or will become crowd pleasers in the future. Some are extended for a year, others for 10.
Before checking-out i always check my ‘other products’ and click on a few free bees. The option is there so why not? They were FREE, added to the shopping cart…NO CHARGE. Part of THE DEAL. I did this after every sale and therefore have been able to extend a product till 2022. Not so strange because i have domains with an exp date 2022…and i’ve bought a few.
Guess what, my FREE BEES…..GONE.
Not telling you (yet) what the value of my Free bees is…or was.
Here i am. Seriously contemplating to move my domains to the next registrar because if my registrar is able to basically ROBB me from ONE item, they certainly can ROBB us from more.
Changing ‘the game’ is one thing, making ‘products’ disappear..for whatever reason..is criminal. There’s a law against this.
It scares me to read about my fellow domainers experience with this registrar and makes me wonder where our domain names GO when they ‘bail out’.
Moral of the story is….the girl in me wants to bitch. So, next week is ‘bitch’ week at my registrar. Keep you informed about the outcome of it all.
GoDaddy is a HORRIBLE company. Customer service is INEPT at best. My critical info got deleted by someone unauthorized and they can’t even tell me what IP accessed the backend. How can I not think this is simply a lie! A giant hosting and domain name registering company and you want me to believe they don’t log in every IP that accesses their network? BS!
Please do not use GoDaddy.com to get your website designing.
About a year back, i got a domain name from GoDaddy.com. And Recently i received an email that my account was being automatically renewed for $109.18 without any Indication of Auto Renewal.
I contacted customer service and they did assure me about the refund of the money. Even after following their instructions and filling up their forms. Now they end up notifying for no refund at all.
I reported my transaction on
http://www.vcharges.com/godaddy-com-a4
It’s not worth staying with godaddy. They are constantly targeted by hackers or hijackers. Easy picking. Plus you pay for every little site add-on or feature while others include it. I have a developers account with many clients through Godaddy. I’m in the process of moving all accounts. It’s not worth the risk! I’m working with YET ANOTHER company who was hijacked. Godaddy has flaky security, 2 part authentication that can be bypassed with simple steps. Godaddy will run you in circles to protect themselves. Pawn you to icann and state they can’t help, No matter what proof you show them! Transfer dispute form never works.
If you have to go through Icann to get your site back it’s going to cost at min 3K to start, TONS of paperwork and proof that you may not be able to get, receipts are not good enough or proof of use. Here is the expensive part: it’s really difficult to completely remove the hack depending on the type of attack or hack. Stay away from godaddy go elsewhere. Stay with godaddy at your own risk of not getting back your site or vital business information stolen if you are targeted. Don’t take my word for it, google search godaddy not helping customers or business get their site and business back up and running. Despite what they say look at the evidence. Listen to the complaints not the ones who were never attacked. It’s a risk that will cost some business too much. Not to mention the unrecoverable capital. Customer #: 114431487 bought the domain name not the hackers. On the other hand I get paid to redevelop sites that were hacked or hijacked. They don’t follow the Icann rules.