The following article is a true and cautionary tale for users of GoDaddy’s web hosting services.
It details how a long-term GoDaddy client had their account compromised by malicious actors who turned GoDaddy’s archaic account-recovery policies and poorly trained technical support against the legitimate owner. This occurred in the first week of 2022.
GoDaddy Hosting & 2-Step Verification
GoDaddy is an all-in-one domain registrar, website host, and email provider (Microsoft 365).
Your account with GoDaddy is secured with a username (or client number), a password, and a support PIN that identifies you to phone and chat agents.
Beyond those, it is important to also enable Multi-Factor Authentication (MFA), which GoDaddy calls 2-Step Verification, on your account.
For a GoDaddy account, this can be enabled by following this article: https://ca.godaddy.com/help/enable-2-step-verification-7502
When you enable 2-Step Verification, you add an extra layer of security to your account. You sign in with something you know (your password) and something you have (a one-time code from your phone).
The code can be texted to you (SMS) or generated by an authenticator application such as Google Authenticator or Authy. The app-generated code is the stronger of the two, because it never travels over the phone network or through any mailbox.
This sounds great, but be aware: you are only as secure as your weakest link.
Your GoDaddy account has an account email on file, and that address is where password resets and recovery codes are delivered. If that mailbox is not secured, you are in grave jeopardy. Sounds a little overly dramatic, doesn’t it? I couldn’t be more serious.
A Compromised GoDaddy Account: A Tale of Infinite Woe
A user contacted us as they were heading out the door for a much anticipated and much needed break from Covid; 6 weeks in the land where technology doesn’t reach, and one can attune themselves with nothing but sun, sand, and surf.
They had received a notification from GoDaddy that their request to update their GoDaddy contact information had been successfully processed and that, if there were any problems, they should contact GoDaddy.
On the way to the airport, they reached out to GoDaddy support to ask what had changed. The representative was unable to say definitively what had changed, only that the requested changes had been successfully applied… Thank you, have a nice day.
“But wait”, says our client, “I didn’t request any changes, how can this be?”.
“No worries, ma’am”, says our GoDaddy Support Agent, “your account has 2-Step Verification enabled, so no changes could have possibly been made without your request as no-one can access your account without those 2-Step Codes.” It must have been an automated renewal… or something like that.
Confused, our client accepted this bizarre explanation, even though they had NOT made any such request and could not find out what had changed, because the GoDaddy agent did not know.
Yes, for those following along: despite not knowing what had changed, the GoDaddy agent was still 100% confident that the change was genuine. smh
Off through check-in, board the plane, place one’s mind into the relaxing adventure to come.
Not to be.
The next day, the client’s staff reported that they could no longer access the company website and that strange (and large) charges were being posted to the company credit card.
An encrypted customer database, hosted on GoDaddy servers, had been compromised. Customer data was being accessed and fraudulent credit card charges were being run against the cards recorded in that database, to the tune of $600k CAD. Not small potatoes. The charges appeared to come from *DNH* GoDaddy, but this was a fraudulent identifier, which helped them slip past bank and card authorization checks.
Calls and chat sessions were opened with GoDaddy, who told us there was nothing they could do. The account email had been changed to the attacker’s address, so any password reset for the GoDaddy account would be sent there. Despite a 10-year history with the client on record, GoDaddy said their hands were tied: they could not reverse the change without us submitting a form along with government-issued ID.
So we did, and we were told it would take 72 hours. We asked for expedition. We asked for a supervisor. We asked for a call back. Nope. Nada. Ha!
Three days came and went. We called in repeatedly. Now it was 7 days before they could look at it. Then 10 days. They would NOT put the account on hold. Freeze further transactions? Nope. The attackers were having a field day and we were locked out of the loop.
Common sense was nowhere to be found. GoDaddy agents were stuck in a script and were not empowered to break out of their bot-like approach to a crippling situation.
Oh, but it gets worse. So much worse.
You see, that GoDaddy account didn’t have just one domain associated with it. It had this client’s entire business empire running out of it.
Every company and every venture that this client had running was now being systematically pillaged.
Websites were being harvested for confidential information, and contact and order forms were being intercepted and redirected to attacker-controlled accounts. Every attempt on our part to rectify the situation was immediately undone, as they had their finger on the pulse of every database behind these operations.
GoDaddy would do nothing about this. We attested that active fraud was occurring. We were told to dispute the charges with the bank and, for some inexplicable reason, to turn off 2-Step Verification.
The final insult in this saga was that once all the possible revenue streams had dried up, the attackers put the domains on the market using GoDaddy’s own domain auction block (powered by Afternic)… so our client, when all was said and done, could buy back their own domains from the people who stole them. And of course, GoDaddy would get its cut of the action.
The client’s business is in shambles, and their reputation with their customers has been destroyed.
GoDaddy, you should be ashamed.
How Did This Happen?
A post-mortem of the situation revealed the following chain of events.
- The client ran their email through GoDaddy’s Microsoft 365 offering. This mailbox had a weak password and was not protected by MFA or 2-Step Verification.
- The attackers gained access to this mailbox and were then in a position to impersonate the victim.
- The attackers contacted GoDaddy and requested a One-Time Passcode. This code, delivered to the compromised mailbox, is accepted in place of a 2-Step Verification code and allowed the attackers to reset the GoDaddy account password. (Needless to say, this is a massive security hole, but one built into GoDaddy’s own recovery process.)
- The attackers now had access to the master GoDaddy account and updated the contact information to their own details (drawn in part from accounts compromised from previous victims). They even updated the domain registration records so that, on paper, they were now the owners of the domains.
- Notifications for these activities were promptly removed from the client’s inbox: the attackers were deleting the incoming emails as they arrived (all of them were later found in the client’s trash folder).
- Once the GoDaddy account details had been updated, it was game on. The client was locked out of their own account, and the attackers could move freely through every asset stored in it: databases, WordPress installations, secure forms, you name it.
- That’s it. The client lost everything. With 4 weeks left of their relaxing vacation, they got to sit on the beach and contemplate the ruin of their business empire and how the company that should have helped them right the ship left them stranded.
Lessons Learned
- Enable MFA or 2-Step Verification wherever possible, and above all on the mailbox that receives your account-recovery emails; that mailbox is the master key to everything else.
- Use complex and unique passwords for your online world. Generators like CorrectHorseBatteryStaple are very useful.
- Avoid GoDaddy.
- Move to a proper Microsoft 365 account (we can assist).
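To make the passphrase advice concrete, here is an added example (ours, not from the article or from any generator site) of the diceware-style generation that tools like CorrectHorseBatteryStaple perform, together with the entropy arithmetic that tells you how many words you need. The 64-word list embedded below is constructed for the demonstration; a real generator uses a published list such as the EFF long list of 7,776 words, and the numbers show why list size matters.

```python
import math
import secrets

# Constructed 64-word list so the example runs offline. Real generators use a
# published list (e.g. the EFF long list, 7,776 words); see the entropy maths below.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "basket", "candle", "dolphin",
    "engine", "falcon", "garden", "harbor", "island", "jacket", "kettle", "lantern",
    "meadow", "needle", "orbit", "pepper", "quartz", "rocket", "saddle", "timber",
    "umbrella", "velvet", "walnut", "xenon", "yogurt", "zipper", "acorn", "bridge",
    "cactus", "dragon", "ember", "feather", "glacier", "hammer", "ivory", "jungle",
    "kayak", "lemon", "marble", "nickel", "ocean", "pillow", "quiver", "ribbon",
    "silver", "tunnel", "unicorn", "violin", "wagon", "yellow", "zebra", "amber",
    "beacon", "copper", "desert", "eagle", "forest", "granite", "helmet", "iron",
]


def validate_wordlist(words):
    """Return the list size after checking it; duplicates silently shrink the real entropy."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    if any(not w.isalpha() or w != w.lower() for w in words):
        raise ValueError("word list entries must be lowercase alphabetic")
    return len(words)


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    validate_wordlist(words)
    # secrets.choice draws from os.urandom. random.choice is a Mersenne Twister
    # seeded from the clock and is predictable to anyone who sees a few outputs.
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of a uniformly chosen passphrase (words may repeat): count * log2(size)."""
    return count * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count that reaches `target_bits` of entropy from a list of this size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, count=4))
    print(f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits from the 64-word sample list")
    print(f"{passphrase_entropy_bits(7776, 4):.1f} bits from a 7,776-word list")
    print(f"{words_needed(7776, 80)} words for 80 bits on a 7,776-word list")
```

Four words from the toy list give only 24 bits, which is why the list, not just the word count, has to be large; four words from a 7,776-word list give roughly 52 bits, and seven reach 80. Whatever the generator, the same rule applies: one unique passphrase per account, stored in a password manager, never reused between the mailbox and the accounts that recover through it.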
As of the writing of this article, GoDaddy has not responded to or acknowledged any of our requests for support. It has been 10 days.