Just search for GoDaddy stories on old Slashdot. I've known since I had my own computer that GoDaddy=NoDaddy.

It's funny, the only time I can recall a programmer describing something as sexist (towards women) in the early/mid 2000's was somebody describing GoDaddy's booth at a convention. That really stuck with me for some reason, lol.

The explanation is at the end of the article: another GoDaddy customer asked for the transfer of a similar-looking domain name, and they transferred the wrong domain.

If you read farther down, it’s obviously an inside job in the incompetent, not malicious, sense. Their employee did not do anything remotely resembling following procedures, misread an email to an outrageous degree, and transferred the wrong domain.

That doesn't make any sense. The entire reason it was undone is because the recipient told GoDaddy support that they transferred the wrong domain to her. So how could this have been an inside job?

I don’t think you read the article. GoDaddy transferred the domain to someone in a local chapter of the same organization. When that person realized what happened, they called the original owner and got everything fixed. There’s no way this is an “inside job” of any kind.

but why? why would an insider put the wrong domain into a strangers account that has no interest in using the domain and went out of her way to give it back to the rightful owners?

Yep. Binding 2FA flows to email is risky business for a lot of reasons, but registrar incompetence might be the spookiest thing of all.

exactly, few years ago I was thinking to bind all on domain email, thinking when I own it, I can host anywhere and seemed best option. After thinking it through, had to stick to a gmail, again. Due to the possible catastrophy scenario!

Luckily in EU, they still hardly depend on presencs validation, therefore all these sorts of errors can be resolved in couple of hours.

The cascading effect is unimaginable since everything tied to that email.

It is similar like losing phone or sim or even being in a foreign country where you can't access your number but worse.

That’s such a good point I didn’t think about!

Really toxic security anti-pattern.

I’m locked out of my 20 year old wikipedia account because they instituted 2fa without asking and my email on file was no longer valid.

Also huge opportunity for scams etc if this ever was a targeted takeover type thing. Emails and other stuff go to the same domain, and an impostor could just keep answering correspondence like nothing had happened

And even worse, if I wanted to take over npmjs.com tomorrow and godaddy would kinda... just hand it over (?!?!?!) then i could probably become a crypto billionaire overnight

That is a really fd up system. Pay more to own more.

Trademarks mean Bullshit. Facebook closed a site of mine besides having a registered and valid (US) trademark that precedes everything.

It's literally the largest registrar in the world, by a large margin.

When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well. They're more likely to have established processes that work for all sorts of cases.

That's what makes this particular story so egregious.

Domains are a very funny business. I can't think of anything so crucial to businesses, that at the same time generates so little revenue per customer. Your entire technological infrastructure depends on it, yet it costs $15/yr. Making a single support request can turn you into an unprofitable customer.

Registering a domain usually happens very early in a business' history. It might literally be the first concrete thing the founder does. If the founder is non-technical, they're just going to Google "buy a domain" and see who comes up.

Do it, now. What comes up?

Yes, once IT gets professionalised, they should switch to a better provider. But the registration will likely be for multiple years, with auto-renewal, and when nothing has gone wrong, theoretical problems take a backseat to live ones.

Vast majority of domain owners are not technically inclined today, probably hasn't been so for decades now.

If we ask 100 likely buyers family feud style, where would they go buy a domain, GoDaddy likely is going to be the top answer by a wide margin.

They wouldn't know about any bad news/ security incident with the brand either.

Exactly. Had to chuckle at:

> [...] is one of the most competent IT guys I know. The GoDaddy account had [...]

Don't think I've ever heard something good about GoDaddy.

You’d be surprised how many enterprises use them. Also their managed hosting support is surprisingly competent. I’m not a fan of their service but some of our clients use them and anytime their servers have had issues support was quick to fix. Way nicer than having to jump in and do it myself. And so far it’s all been local support and not offshore.

To be fair, 10 years ago the alternatives weren't as obvious to non-technical buyers.

I also found this very, very strange. With their broker campaigns, godaddy built a strong shady facade. Still wonder how people fail to see.

The domain has been acquired 27 years ago

Came here to post the exact same comment. They have a history of amateur-hour stuff like this, too, don't they? For me, the brand has always been associated with "bet it all on marketing" rather than technical competence.

The primary reason I used to prefer GoDaddy is you could call them 24/7 and talk to a human who could fix it. Historically I have preferred companies with phone support over submit-a-ticket-and-wait.

People get tied to their registrar by using their DNS or other services. It's a mistake, but it's extremely common.

So if you have someone using GoDaddy, and everything is working, how do you sell them on the idea of migrating DNS or hosting or email if they've never had an issue?

It does sound snarky, maybe GoDaddy was the cheaper option at one point and they stuck with it. I get that.

I use some square space for a lot of stuff, but it's largely because Google Domains sold out and the price is "fine." Sure, I could use something else, but this works, the cost is correct, and - I can't stress this enough - it already freaking works. I also use a python as a service tool I point at frequently. Their customer service is great, so I doubt this would ever happen there? But yeah, I'm not manually configuring a server somewhere most of the time.

Is it the "best" possible tool for the job? Not really, but it works well enough for the stuff I use and my workflows are already rock solid to deploy code to prod, etc. Is it because it's impossible for me to spin up a VPS or I'm too stupid to figure out Hetzner? Probably. But no, I've done it before, I could do it again, but that would take me X hours that I'm not getting paid for to migrate for limited utility, possible customer interruptions, and stress. I might need to migrate in a year or so, but until then, I'm not going to bother.

I reckon that's a similar sort of thing that happened here and depending on what they're doing business-wise, Lee could be insanely competent IT person and was just unlucky because the hammer he reached out for with GoDaddy actually turned out to be a foot gun that took years to fire.

It happens, it's not ideal, but it happens - I'm just glad they got it figured out and I'm glad that these sorts of events percolate up in the hn zeitgeist, because I definitely know who I won't be turning to in the future. Like, I kind of already knew GoDaddy was trash? I used them something like 10 years ago to spool up a website for a friend of mine. The whole experience was garbage then and I said, "never again" - but also that was kind of at the beginning of me even learning about how this stuff works? But I could totally see a scenario where I get snared into a product ecosystem and the opportunity cost of switching out of it outweighs staying put until it blows up in my face.

Read every alternative volunteered here. Imagine any world where in the next 5 years they can't be enshittified, sold to a predatory private equity, their support lines AI-ified, their headcount reduced by 40% without your knowledge, etc etc. 27 years is a very long time.

A competent IT person can have a backup plan for every expected failure. They can't control registrar level screw ups.

Companies explicitly selling you "bulletproof domains" like MarkMonitor have screwed up big time.

Also as an IT guy, asking to register a new domain with X is much easier than asking to transfer a long held domain away from Y.

Where would you host domains?

Why not?

GoDaddy is a valid domain registrar. The customer had dual MFA set up. The customer did all the right things.

I’ve never heard of Godaddy making this kind of egregious mistake before. I’ve heard of some doozies, sure, but nothing like this.

Don’t blame the victim. “It’s their fault they got robbed, they left their door unlocked” is not a valid response to a situation like that or like this. The robber still stole, and godaddy still broke their own rules, rules that customers pay to have enforced.

When you find yourself victim-blaming, you will find yourself on the wrong side.

Also refusing to acknowledge or correct the mistake when the original owner raised a ticket.

It is very scary to consider the consequences that such a transfer can have.

Unfortunately the few people I have tried to convince all double-down. People don't like to admit they made mistakes.

Count it as a good deed, talked a group out of GoDaddy on a greenfield project once. Still proud of that one.

That sounds like name.com was squatting on your expired domain and extorted $140 from you to get it back.

Blind spot in the process is one thing, support staff not understanding the urgency of something like this and escaping to higher level is another

+1 for Dynadot.

I compared all of the other registrars mentioned by HN users, and Dynadot basically tied with Namecheap on price, but Dynadot is so much more user-friendly.

Do you host with dynadot? From their website it seems like it's mostly domain registration?

Nah, that honor goes to Network Solutions. GoDaddy is definitely in 2nd place though.

This wasn’t a phishing attack. Did you read the article?

Dynadot, please CTRL-F for them in this thread. I don't know why people like Namecheap better when Dynadot is just as inexpensive but better.

We register most of our domains through Namecheap and then manage their DNS through Cloudflare.

Aside from that, Porkbun gets recommended on Reddit and HN pretty often.

What’s a good alternative?

punitive seems like a huge stretch, damages sure.

Icann Arbitration seems like the wrong channel, those are typically used for when someone correctly technically registered the domain name, but there's a dispute from the non-owner, e.g:

1- Trademark holder registers trademark.com, malicious actor registers trademark-web.com and phishes. 2- trademark.com expires, and someone registers trademark.com and domainsquats.

This is not the case, all Icann can do is make decisions over who owns a domain. A civil court would be more appropriate for calculating and ordering compensatory damages.

They might want to perform some due diligence on which company to switch to, and build and test a migration plan before migrating. This incident didn't happen that long ago.

Such an irony considering the claimed ethical pillars of their founders.

There's Discworld bit [0] that often comes to mind for me, where the protagonist is reading a press-release by a fantasy version of a communications monopoly:

> The Grand Trunk’s problems were clearly the result of some mysterious spasm in the universe and had nothing to do with greed, arrogance, and willful stupidity. Oh, the Grand Trunk management had made mistakes—oops, “well-intentioned judgments which, with the benefit of hindsight, might regrettably have been, in some respects, in error”—but these had mostly occurred, it appeared, while correcting “fundamental systemic errors” committed by the previous management. No one was sorry for anything, because no living creature had done anything wrong; bad things had happened by spontaneous generation in some weird, chilly, geometric otherworld, and “were to be regretted.”

[0] Going Postal (2004) by Terry Pratchett

Have we ever got any response like than from GoDaddy ever in any of these issues over years?

Any direct followup from GoDaddy would be welcomed.

What even is "security" anyway? You don't know. I don't know. It's probably a made-up concept.

Or a very long "let me explain why this is ok actually" from a "random" account

HN is the only real support channel in tech. First level customer service is AI, second level is outsourced idiots who blindly follow a script, the third level is ”Issue has been closed”

Their TOS has binding arbitration, so that sort of advice needs to be taken with a grain of salt, since, contractually, they are barred from using the traditional court system to litigate this issue. (Unless they opted out of arbitration when it was first added to the TOS, which most people don't.)

IAAL (but this is not legal advice).

That sounds like a nice idea in theory, but: 1/the mistake has been undone, and 2/damages are likely to be minimal. At this point, getting a lawyer involved is going to be a lot of cost without much benefit.

They look like a pretty small company. The damages they could recoup might not be high enough to justify the costs.

I was just wondering if this might be the first incident. Are there any other public stories available?

This comments reads sarcastic, but it makes a serious point. GoDaddy has an extremely poor reputation. At some point you must accept that choosing companies like that is your own mistake.