GoDaddy allegedly transferred a domain name without the permission of its long-time registrant, transferring the domain name without the proper authorization and required documentation. The victim spent almost ten hours with customer service only to receive the response that GoDaddy could do nothing to resolve the issue.
The domain transfer took place on a Saturday
Interestingly, the malicious domain transfer took place on a Saturday, which could be an important detail as some domain registrars outsource their customer service on weekends and I’ve heard of other occasions where errors occurred due to less quality control. I know of one case where high-value domain names worth six to seven digits were stolen on a weekend where an attacker was able to manipulate customer service over the weekend to change the account’s email address, allowing the thief to transfer all the one- or two-word domains to another account.
What happened with this specific domain was not a case of theft but something worse. A weekend customer service employee made a mistake while processing a legitimate domain name change by another GoDaddy customer and, instead of initiating the change on the correct domain, transferred the victim’s domain.
To compound the error, GoDaddy’s weekend customer service did not follow its own protocol to prevent unauthorized transfers, allowing the domain to be transferred to someone else.
32 calls and almost 10 hours of phone calls
The process of getting GoDaddy to reverse its mistake was a bureaucratic nightmare. They made thirty-two phone calls and spent 9.6 hours on the phone talking to GoDaddy customer service.
“Lee called GoDaddy on Sunday. They confirmed that the domain was no longer in his account but couldn’t say where it had gone for privacy reasons. They told him to email undo@godaddy.com. He did so, but received no response when emailing that address. Of course, Lee didn’t really think that was the appropriate level of urgency for this problem. He requested a supervisor who was even less helpful. Lee was not happy. He may have said hurtful things to GoDaddy support staff during this call. This first call lasted 2 hours, 33 minutes and 14 seconds.
On Monday morning, Lee and a colleague began working on this problem in earnest because there were still no updates from GoDaddy. The call resulted in another agent telling Lee to email transferdisputes@godaddy.com instead. By Tuesday, the address had changed again to artreview@godaddy.com. The instructions changed from day to day. It seemed like each GoDaddy tech support member had a slightly different recommendation.
The error was compounded by the fact that each time the victim called GoDaddy, the call generated a new case number without any of the case numbers being linked to previous ones.
Response from GoDaddy
After four days of trying to reach someone at GoDaddy to resolve the issue, GoDaddy finally responded with the following resolution:
“After investigating the domain name(s) in question, we have determined that the registrant of the domain name(s) has provided the necessary documentation to initiate an account change. … GoDaddy now considers this matter closed.”
GoDaddy’s response included links on how to contest a domain name change with ICAAN, the global organization that manages the domain name system, instructions on how to search for domain name registration information, and a customer support page for contacting legal representation.
That’s it.
Error corrected, but not by GoDaddy
The person who wrote about the issue said they contacted a friend within GoDaddy who was then able to resolve the issue properly. Ultimately, the error was not corrected by GoDaddy but by the innocent person who discovered someone else’s domain name in their GoDaddy account.
As previously reported, the whole fiasco started with a mistake on GoDaddy’s part regarding a legitimate domain change request. GoDaddy changed the domain name to the victim’s domain name. The person who ended up with the victim’s domain name in their account contacted the victim and together they began the process of transferring the domain to the rightful owner.
Domain name ownership is non-existent
A common mistake many developers and business owners make is believing they own a domain name. This is false, no one owns a domain name. Domain names are registered but never owned. Registration gives the holder the right to use the domain name, but they never actually own it. That’s how the Domain Name System works and that’s part of the reason this issue played out the way it did. However, the problem in this case was solely due to a GoDaddy error.
The post detailing the nightmare refers to GoDaddy’s “domain ownership protection” services, but that’s not actually what it’s called. There is no protection of domain name ownership.
What GoDaddy sells is a domain protection service that protects against unauthorized transfers and accidental expiration. The victim paid for this protection, but since the error was due to GoDaddy’s own error, the protection did nothing for the victim and the domain change was completed without proper documentation.
Read the blog post explaining how GoDaddy made a mistake and not only failed to resolve the issue, but didn’t even acknowledge that they made a mistake.
GoDaddy gave a domain to a stranger without any documentation
Featured image by Shutterstock/AVA Bitter
