A GoDaddy horror story


It started off like a normal Tuesday, that is, until I received an email at 11:03AM from GoDaddy. “Your account settings were updated. It may take a little while for you to see these changes in your account. But if this was done without your consent, please update your security settings or call us immediately at +1 (480) 505-8877.” [Emphasis added is my own]

A screenshot of the email from GoDaddy right after my account was hacked.

The first thing I did was check the sender and look at the email headers–everything looked legit. I knew at that moment my day wasn’t going to go as planned.

While dialing the support number provided, I attempted to login to my GoDaddy account but it was too late. I had been hacked. My account was no longer my own. By 11:15AM I was on the phone with a human at GoDaddy trying to regain access my account and that’s where this story goes from bad to worse.

The conversation with first person I spoke to, who’s name I forgot unfortunately, started off fine, I explained the situation and he seemed to understand my problem–great, I thought. He asked me for information about my account which I obviously didn’t have anymore–I was just hacked remember? He relayed to me that the email on the account started with an “s” — that’s obviously not correct. I told him I don’t know anyone with an “s” email that ends in gmail.com and that it must be the person who hacked my account. He then goes on to tell me that the hacker enabled two-factor authentication (something I never enabled on my GoDaddy account, I know, stupid). Nonetheless, he told me he was messaging the fraud team about it and they would let him know what we had to do.

After a few minutes, it became clear to me that I was being treated as suspect. The support person would not provide me anymore information aside from telling me I need to email “undo@godaddy.com” explaining my situation and that the fraud team will look into it.

Excuse me?

The email specifically said to “call us immediately” and now you want me to send an email and wait? “How long will take it for a reply?” I asked, “Hopefully within 24 hours.” WHAT?!

I then proceeded to ask if they could at least lock down the account in the meantime to prevent any further changes from taking place until this is resolved. This seemed like a reasonable request to me, even if I was the hacker, I’m sure the account owner wouldn’t mind (how often do you change domain settings, right?), but more importantly, if it’s locked down then at least I’d have the peace of mind the hacker couldn’t change my domain name servers and point my sites, including BestTechie to some malicious or porn site without me having a way to fix it.

“No, we can’t do that.”

I kept being told the fraud team will get back to me via email. There was no sense of sympathy or even urgency in his voice at all. It was extremely frustrating. I asked if they could transfer me to the fraud department, that too, was a big fat “No.”

Apparently the tech support team can only chat with the fraud team on internal messaging apps, they can’t get in touch with them over the phone? What kind of system is in place here? Finally fed up, I decided to ask to speak to this person’s manager and after waiting on hold for approximately 10 minutes, I found myself talking to Scott, who is apparently the only floor manager in GoDaddy’s Iowa call center.

Briefly into my conversation with Scott, I started to record the call. Instead of detailing it below, I’d recommend you just give it a listen. By the end of the call, I’m completely beside myself and eventually Scott actually hangs up on me!

At this point, I was livid and beyond frustrated so I did what any normal person would, I started tweeting at GoDaddy. My biggest concern was that my site’s could be redirected somewhere I wouldn’t want to them to be. This seemed like an urgent concern considering someone I don’t know had gained access to my account which stores 38 domains (pretty much all of them business related).

A little less than three hours after my first tweet, GoDaddy reached out over Twitter asking me to the DM them. I did. They too were slow to respond or show much concern and ultimately the Twitter team was little to no help, telling me that the fraud team was looking into it and I would hear back “soon.”

I waited all of Tuesday for some inkling of news, an update, anything, but nothing. Radio silence. So I figured I’d call back Wednesday morning after it had been a full 24 hours and that’s exactly what I did. This time the call went a bit better, at least in the sense, that my support representative, Jake, actually came across like a nice, caring person, who understood how important this was. While ultimately Jake wasn’t able to fix the problem himself, he did assure me that someone higher up on the fraud team was handling it and I should be receiving an email “soon” with more information.

Here’s my call with Jake, which as you’ll hear is a much friendly conversation. I could tell he was really trying to help.

Then at 2:25PM on Wednesday, the long-awaited email arrived in my inbox.

A screenshot of the email informing me my account had been reverted back to me

I was so happy when I read the first line of the email, only to be slightly annoyed that I had to make another call to GoDaddy support to iron out the rest and officially get my account back. Nonetheless, I did it. I got my account back under my control and oh yeah, I enabled two-factor authentication this time (which I realize I should have done before).

I’m sharing this story because I’m shocked GoDaddy doesn’t have a better way to sort out this type of problem. It shouldn’t take so long to resolve, customer support should be a bit more understanding, and there should be more security measures put in place to prevent hackers from doing things to an account they gain control over. After this whole ordeal I plan to move my domains away from GoDaddy. I’ve been a customer of theirs for over 16 years, but not for much longer.

If you have any good registrar recommendations, feel free to send them my way.