It started off like a normal Tuesday, that is, until I received an email at 11:03AM from GoDaddy. “Your account settings were updated. It may take a little while for you to see these changes in your account. But if this was done without your consent, please update your security settings or call us immediately at +1 (480) 505-8877.” [Emphasis added is my own]

A screenshot of the email from GoDaddy right after my account was hacked.

The first thing I did was check the sender and look at the email headers–everything looked legit. I knew at that moment my day wasn’t going to go as planned.

While dialing the support number provided, I attempted to login to my GoDaddy account but it was too late. I had been hacked. My account was no longer my own. By 11:15AM I was on the phone with a human at GoDaddy trying to regain access my account and that’s where this story goes from bad to worse.

The conversation with first person I spoke to, who’s name I forgot unfortunately, started off fine, I explained the situation and he seemed to understand my problem–great, I thought. He asked me for information about my account which I obviously didn’t have anymore–I was just hacked remember? He relayed to me that the email on the account started with an “s” — that’s obviously not correct. I told him I don’t know anyone with an “s” email that ends in gmail.com and that it must be the person who hacked my account. He then goes on to tell me that the hacker enabled two-factor authentication (something I never enabled on my GoDaddy account, I know, stupid). Nonetheless, he told me he was messaging the fraud team about it and they would let him know what we had to do.

After a few minutes, it became clear to me that I was being treated as suspect. The support person would not provide me anymore information aside from telling me I need to email “[email protected]” explaining my situation and that the fraud team will look into it.

Excuse me?

The email specifically said to “call us immediately” and now you want me to send an email and wait? “How long will take it for a reply?” I asked, “Hopefully within 24 hours.” WHAT?!

ALSO READ
5 cloud security trends for enterprises to follow

I then proceeded to ask if they could at least lock down the account in the meantime to prevent any further changes from taking place until this is resolved. This seemed like a reasonable request to me, even if I was the hacker, I’m sure the account owner wouldn’t mind (how often do you change domain settings, right?), but more importantly, if it’s locked down then at least I’d have the peace of mind the hacker couldn’t change my domain name servers and point my sites, including BestTechie to some malicious or porn site without me having a way to fix it.

“No, we can’t do that.”

I kept being told the fraud team will get back to me via email. There was no sense of sympathy or even urgency in his voice at all. It was extremely frustrating. I asked if they could transfer me to the fraud department, that too, was a big fat “No.”

Apparently the tech support team can only chat with the fraud team on internal messaging apps, they can’t get in touch with them over the phone? What kind of system is in place here? Finally fed up, I decided to ask to speak to this person’s manager and after waiting on hold for approximately 10 minutes, I found myself talking to Scott, who is apparently the only floor manager in GoDaddy’s Iowa call center.


Briefly into my conversation with Scott, I started to record the call. Instead of detailing it below, I’d recommend you just give it a listen. By the end of the call, I’m completely beside myself and eventually Scott actually hangs up on me!

At this point, I was livid and beyond frustrated so I did what any normal person would, I started tweeting at GoDaddy. My biggest concern was that my site’s could be redirected somewhere I wouldn’t want to them to be. This seemed like an urgent concern considering someone I don’t know had gained access to my account which stores 38 domains (pretty much all of them business related).

A little less than three hours after my first tweet, GoDaddy reached out over Twitter asking me to the DM them. I did. They too were slow to respond or show much concern and ultimately the Twitter team was little to no help, telling me that the fraud team was looking into it and I would hear back “soon.”

ALSO READ
Commonly measured metrics in network monitoring

I waited all of Tuesday for some inkling of news, an update, anything, but nothing. Radio silence. So I figured I’d call back Wednesday morning after it had been a full 24 hours and that’s exactly what I did. This time the call went a bit better, at least in the sense, that my support representative, Jake, actually came across like a nice, caring person, who understood how important this was. While ultimately Jake wasn’t able to fix the problem himself, he did assure me that someone higher up on the fraud team was handling it and I should be receiving an email “soon” with more information.

Here’s my call with Jake, which as you’ll hear is a much friendly conversation. I could tell he was really trying to help.

Then at 2:25PM on Wednesday, the long-awaited email arrived in my inbox.

A screenshot of the email informing me my account had been reverted back to me

I was so happy when I read the first line of the email, only to be slightly annoyed that I had to make another call to GoDaddy support to iron out the rest and officially get my account back. Nonetheless, I did it. I got my account back under my control and oh yeah, I enabled two-factor authentication this time (which I realize I should have done before).

I’m sharing this story because I’m shocked GoDaddy doesn’t have a better way to sort out this type of problem. It shouldn’t take so long to resolve, customer support should be a bit more understanding, and there should be more security measures put in place to prevent hackers from doing things to an account they gain control over. After this whole ordeal I plan to move my domains away from GoDaddy. I’ve been a customer of theirs for over 16 years, but not for much longer.

If you have any good registrar recommendations, feel free to send them my way.

  • It’s really too bad. I recently left my Job at GoDaddy. I worked in a senior role, supporting their Customer Care department. It’s a mess there. There’s very little incentive for the company to prepare their employees on how to properly handle issues like the one you experienced. Everything is about sales, and that’s it.

  • Have you been notified that the free godaddy email you have is going away….now $4.99 a month….and they only give you 30 day notice? I’ve had some of my email accounts for almost 20 years…and now I have less than a month to notify all my contacts…. Sheeze….

    • Happened to me too. I can’t access my emails any longer. Am contacting BBB – AZ where company is headquartered. Maybe if they hear from enough of us….

  • Also noticed how slick GD is about hiding dissatisfied customers complaints on Twitter. They orchestrate these “Presenting my new website” tweets that fills up #GoDaddy and buries any complaints.

  • So, your personal account and password was compromised. GoDaddy’s system recognized the changes made to your account, and sent you an alert suggesting that if you didn’t make the changes, then you should contact them. You contacted them, they alerted their fraud department, and ultimately got you back into your account without issue in a little over 24 hours…

    What exactly is the “Horror Story?”

  • I’m not seeing the “horror story” here? You were negligent and your account got hacked? I would assume you take great pride in your ability to secure everything you have online being tech blogger? But hey.. you can’t fix stupid I guess. To be honest after reading this I don’t know I really can trust any other articles you have? Anyways I guess Harvard doesn’t teach basic cyber security.

  • Lol the fact you think we care what you think is hilarious. People like you who own a few domains feel so entitled. You spend a few bucks and think you should be treated like a king. You’re mad at us for protecting your account? Get over yourself. Take your handful of domains and go someplace else. We would rather deal with real business owners anyway.


  • >
    Share This