GoDaddy account hacked and changed the credentials

rmungara

Hello,

I am a part-time domain keeper and web site developer. I have about 50 domains and 3 web sites in my GoDaddy account. Recently the following things have happened to my account and I am not able to access it; GoDaddy is also not able to help me resolve this issue.

What are my options, and how and where do I get assistance to regain access to my account? All these domains and web sites are at least 3-10+ years old in my account.

I received the following emails, in this order, in the last three days.

1) Two-Step Verification has been enabled (I never enabled two-step verification; this was the start, as I can’t log in to my account and GoDaddy will do nothing about this unless they have the PIN)

2) One or more domains you're monitoring were Unlocked. (They unlocked the premium domains from my account)

3) Your domain registration change is pending. (GoDaddy can’t help as I don’t have the PIN from two-step verification)

4) Thanks for calling. Let us know how Cody did. (seems like they started calling GoDaddy to change things and they are helping them)

5) Stopped receiving emails from GoDaddy (they have changed the account name and email associated with the account)

I called GoDaddy many times and received the same old response: they can’t help if I don’t have the two-step verification PIN.

I applied to disable two-step verification but received mail saying that they can’t communicate with emails which are not associated with the account (they have changed the account name and email on my account).

I tried to change the email and account name using changeupdate.com, but got no response or acknowledgement.

I am really worried about the domains and web sites in my account, and I need to know my legal rights and how to proceed in this situation.
Let me know if you need more information.

Please guide me in this regard to regain access to my account, domains and web sites.

Regards
 
1
•••
That is unfortunate. Hopefully you caught it early.

Process-wise, if GoDaddy support won't help, I suggest you list the domains here so folks at NamePros can watch out for any fraud issues -- probably just your most valuable domains but feel free to list all.

As for getting your account back in your control, Godaddy should let you prove your identity. At the very least they should transfer lock the domains pending resolution.

It seems you are a new member at NamePros, but perhaps established members here can vouch for your reputation and/or attest that you own certain names.

In the meantime, welcome to NamePros.

@Paul Nicks and @Joe Styler - Heads-up.
 
9
•••
0
•••
find out who this person is and if they assisted with the account change

imo...

Thanks, I tried but no luck in finding the person
 
0
•••
also, check the full header of each of those emails, to ensure they actually all came from GD

if there are any links in them, hover over to see the address

as many times, scammers/phishers will send fake emails that look like they came from GD

imo….
 
4
•••
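The header and link check suggested in the post above, as an added example that is not part of any post in this thread: it reads the Authentication-Results header your mail provider stamps on a message and lists where each link really points. The sample messages are constructed, and treating `godaddy.com` as the sending domain is an assumption.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

EXPECTED = "godaddy.com"  # assumption: domain the registrar sends notices from

def in_domain(host, expected=EXPECTED):
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def check_notification(raw, expected=EXPECTED):
    """Return a list of findings; an empty list means nothing looked wrong."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not in_domain(from_domain, expected):
        findings.append("from-domain:" + from_domain)
    # Trust only the topmost Authentication-Results header: your own mail
    # provider adds it on receipt; lower ones could be supplied by the sender.
    top = (msg.get_all("Authentication-Results") or [""])[0]
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", top.lower()))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(mech + "=" + verdicts.get(mech, "missing"))
    signer = re.search(r"header\.d=([\w.-]+)", top, re.I)
    if signer and not in_domain(signer.group(1), expected):
        findings.append("dkim-signer:" + signer.group(1).lower())
    # Equivalent of hovering over each link: where does it really point?
    body = msg.get_payload() if not msg.is_multipart() else raw
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        if not in_domain(host, expected):
            findings.append("link-host:" + host)
    return findings

# Constructed sample messages (not real mail).
GENUINE = """\
Authentication-Results: mx.mailprovider.example; spf=pass smtp.mailfrom=godaddy.com;
 dkim=pass header.d=godaddy.com; dmarc=pass header.from=godaddy.com
From: GoDaddy <donotreply@godaddy.com>
Subject: Two-Step Verification has been enabled

Review your settings at https://www.godaddy.com/ if this was not you.
"""

LOOKALIKE = """\
Authentication-Results: mx.mailprovider.example; spf=pass smtp.mailfrom=account-verify.example;
 dkim=none; dmarc=none header.from=godaddy.com.account-verify.example
From: GoDaddy Support <support@godaddy.com.account-verify.example>
Subject: Two-Step Verification has been enabled

Confirm your PIN at http://godaddy.com.account-verify.example/login now.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, check_notification(raw))
```

An empty result only says the message passed your provider's checks for that domain; notices that pass, like the ones listed in the first post, are then evidence of real changes on the account.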
Thanks, but it's not the emails I am worrying about. I need to regain access to my GoDaddy account, which I lost control of due to some hacker.
 
0
•••
This happens way too much, and all it needs is a bad actor "social engineering" scam and a moron CSR at your registrar or your email provider/ISP.

They call up with "Me name is Joe, me no have access to me account", give out some basic address/phone info that is available anywhere, and bingo, your account (or your email then your account) is "hacked".

Do you still have access to the email you used for your account at GoDaddy? I know it won't help you get it back, but determining the intrusion point will help track which company got fooled by your local 3rd-world scammer.
 
2
•••
4) Thanks for calling. Let us know how Cody did. (seems like they started call Godaddy to change things and they are helping them)

Why is GoDaddy not helping you get your account back from a social engineering trick?

It's obvious after "Cody" changed your account login, and the scammers got access and changed everything, that you can't give them PIN numbers or account credentials - a GoDaddy CSR has to be able to see the obvious chain of events resulting in you being locked out.

You need to keep calling until you find one willing to help, and tell them someone played a "bad actor" and got access to your account. Ask them to look up recent account changes, and if things are as you present them, only a blind person couldn't connect the dots.
 
2
•••
Email them about your scenario and ask them to lock the domain transfer until your problem is fixed.
 
1
•••
I am trying to do that. Finally I got one responsible CSR with some dignity to listen and understand. He said they put a lock on this account until further investigation. Is there a way to check the lock on the account?
 
0
•••
Once you get it back, be sure to implement your own two step authorization, at least for any sort of real change within the account, such as for domain transfer unlock, for "High risk transactions only" at least (versus "for every login").
 
4
•••
Change password for your email account.

Did Godaddy confirm that the transfers will be suspended pending investigation?
 
3
•••
I changed my email password. No, GoDaddy can't confirm anything, as they can't see/reveal anything until further investigation.
 
0
•••
It is a little tough to prove identity for a registrar or hosting account, I mean it's not like identity is confirmed or even relevant at creation, other than perhaps indirectly if WhoIs is involved.

I did have GoDaddy ask me to FAX in an ID for a random check of WhoIs information for a couple of my domains, but whether this ID was kept on file or not, I don't know, in fact I think (not sure) I recall that the email or phone convo I had with the lady at GD indicated the ID would be discarded after verification.

It's all about password, email address, with some added protection in some cases (two step verification).
 
1
•••
It is a little tough to prove identity for a registrar or hosting account, I mean it's not like identity is confirmed or even relevant at creation, other than perhaps indirectly if WhoIs is involved.

Not really, as obviously you paid for some level of services, like registration, transfer, hosting, etc, so you have payment verification online in some form that links to your address (even PayPal).

And if someone hacks you, then there is a direct path, including changing passwords, changing emails, transferring domains, etc. (all the standard things hackers do) that would sound off some alarm bells that would then require GoDaddy to investigate further.

Add to that the "Thanks for calling. Let us know how Cody did." red flag and you have a slam dunk to at least lock all accounts and domains down hard, before determining what happened.

The account lock-down should have happened immediately after the first phone call, not days later.
 
0
•••
I changed my email password; No Godaddy can't confirm any thing as they can't see/reveal anything until further investigation.

Did GD expressly state they were locking down all domains and existing domain transfers? It sounds like from the emails that a transfer was initiated.

If not, you might want to call back and advise them of such.
 
0
•••
Not really, as obviously you paid for some level of services, like registration, transfer, hosting, etc, so you have payment verification online in some form that links to your address (even PayPal).

Unfortunately this stems from a lack of understanding of how credit card verifications work. Except in certain instances with the American Express card, the only information that comes through from card issuer to card processor or from card processor to card issuer is numerical - yes, that’s right, no name, just credit card number, expiration date and CVV code. Even the U.S. AVS (address verification service) system is all numbers - digits in street address and zip code. No alpha characters are passed along.

So good luck with trying to prove who you are via a credit or debit card payment.

Same goes for ACH transfers (electronic debit of your bank account) - it’s all numbers. No name involved.

PayPal - a little better, but releasing the identity to the card processor isn’t automatic and depends on HOW the payment was processed. Via PayPal processed through a traditional gateway - again, it’ll be only numbers passing through, no name, no alpha characters. Only if the merchant received a direct PayPal payment, such as via email (and only the really small fry merchants, probably not GoDaddy, do it that way), will the merchant see the complete name of the payer.

Now if we’re talking subpoena of credit card issuer pursuant to a lawsuit then yes - name on credit card account could be revealed. But thinking “I used my credit card the merchant must know who I am” - not necessarily.

There are some sophisticated fraud protection systems that allow the merchant to match the name on the credit card with the name of the buyer (Apple uses such a system) but I’m sure GoDaddy doesn’t do it this way. Try it sometime: put the name Mickey Mouse on the next credit card paid order you place with GoDaddy and see if it goes through. It will.
 
2
•••
I am trying to do that. Finally I got one responsible CSR with some dignity to listen and understand. He said they put lock this account until further investigation. Is there a way to check the lock on the account?

Check Whois regularly for the domain status. If a transfer is initiated, the status changes to "pending transfer" in Whois.
 
0
•••
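The Whois check suggested in the post above, as an added example that is not part of any post in this thread: it compares two WHOIS snapshots of a domain and flags a missing transfer lock, a pending transfer, or a change of registrar, using the standard EPP status codes `clientTransferProhibited`, `serverTransferProhibited` and `pendingTransfer`. The snapshots are constructed and the function names are hypothetical.

```python
# EPP status codes that block an outbound transfer (compared in lower case).
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

def parse_whois(text):
    """Extract the registrar and the set of EPP status codes from WHOIS text."""
    record = {"registrar": None, "statuses": set()}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain status" and value:
            # The value is "<code> <url>"; keep only the code.
            record["statuses"].add(value.split()[0].lower())
        elif key == "registrar" and value:
            record["registrar"] = value
    return record

def assess(previous, current):
    """Compare the last known-good snapshot with the current one."""
    prev, cur = parse_whois(previous), parse_whois(current)
    alerts = []
    if "pendingtransfer" in cur["statuses"]:
        alerts.append("transfer pending")
    if not cur["statuses"] & TRANSFER_LOCKS:
        alerts.append("no transfer lock")
    if prev["registrar"] and cur["registrar"] != prev["registrar"]:
        alerts.append("registrar changed to " + str(cur["registrar"]))
    return alerts

# Constructed WHOIS snapshots for one domain at different times.
LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: GoDaddy.com, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""
UNLOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: GoDaddy.com, LLC
Domain Status: ok https://icann.org/epp#ok
"""
PENDING = """\
Domain Name: EXAMPLE.COM
Registrar: GoDaddy.com, LLC
Domain Status: pendingTransfer https://icann.org/epp#pendingTransfer
"""
MOVED = """\
Domain Name: EXAMPLE.COM
Registrar: Other Registrar, Inc. (constructed name)
Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    for name, snap in (("unlocked", UNLOCKED), ("pending", PENDING), ("moved", MOVED)):
        print(name, assess(LOCKED, snap))
```

This shows the lock on each domain as published in WHOIS; a hold the registrar places on the account itself does not appear there.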
When you look at the

Homescreen

Of Godaddy

What colour is it
 
0
•••
Some Godaddy accounts are blocked and the homepage instead of being completely green as it should be etc

Some GoDaddy home screens have two different blue colours on the two main blocks of the main GoDaddy homepage, which should be green and not blue

And the account login icon is locked
 
0
•••
So good luck with trying to prove who you are via a credit or debit card payment.

I'm not sure you understand what I am trying to say. I am not saying that VISA sends back a specific address with each confirmation, as that would break about a million privacy laws and introduce massive security risks.

I AM saying that if I have a GoDaddy account with XYZ Street, in ABC City, USA on their system, and I buy domains, hosting, transfers, etc. from GoDaddy using a Credit Card, and none of the transactions are refused or charged back, then you have an easy paper trail to who initially owned the account.

If that account suddenly gets allegedly hacked and the email changed, contact changed, domains start getting transferred, you can easily look back at the verified/confirmed Credit Card purchases for evidence of past account ownership. It may not be 100% verifiable, but it certainly gives GD more than enough to hard lock everything ASAP and start an investigation.

All my Registrar receipts have my billing address + MC/VISA confirmation number on them.
 
0
•••
Try it sometime: put the name Mickey Mouse on the next credit card paid order you place with GoDaddy and see if it goes through. It will.

Try:

Mickey Mouse
123 Cartoon Lane
Disneyland, The Universe
11111

and see how far you get. The address check is a basic one on any VISA/MC transaction and that's what I am referring to.
 
0
•••
If you read my post you read

Even the U.S. AVS (address verification service) system is all numbers - digits in street address and zip code. No alpha characters are passed along.

You're talking to a guy who has two different standard merchant accounts one with authorize.net and another with a different gateway, plus an eBay Managed Payments account, and multiple PayPal accounts, business and premier.

Your trying to school me on credit card processing is like trying to school the Pope on Catholicism.

In your example above if your real info was

John Smith
123 Elm Street
Los Angeles, CA 90012

and you entered
Mickey Mouse
123 Disneyland Drive
Los Angeles, CA 90012
(with some systems you could even get away with entering
Disneyland, CA 90012
if the merchant system entry didn't cross check the city with the state.)
it would go through fine.

Again, the AVS system WILL definitely accept Disneyland, CA 90012 as the city and state in the above example.

You could also enter
Mickey Mouse
123 Disneyland Drive
Disneyland, FL 90012
and again, if the merchant's field entries didn't cross check for matching the state with the zip code, it would go through.

Only the 123 is read on the address for AVS not the rest. And only the zip code is read for AVS. And all it does is match for AVS purposes and again only numbers not characters, so, what is your point?

What you are not understanding is that what the merchant entry accepts and what the credit card processor requires are two different things. The AVS checks only the numeric portion of the address and the zip code. Not enough to establish the address. Certainly not enough to establish the cardholder name because it isn't even checked.

I'd ask again, what is your point? because use of a credit or debit card will not establish identity via any of what you keep posting about.
 
0
•••
Interesting. Never looked into that to be honest. Learning every day. Cheers.

Anyway, at some point a transaction number would be created though, right? So if GD has a transaction ID, and the same ID is stated on my credit card transaction overview, that would to some extent prove I'm the actual owner/account holder?

It's not 100% foolproof but in ideal circumstances it should give GD enough justification to reverse any changes made to the account and request further identification of the account holder.
 
0
•••
Your trying to school me on credit card processing is like trying to school the Pope on Catholicism.

I do financial systems/ERP for a living (Oracle mostly) so I know all about credit card processing and you're just being purposefully obtuse.

Sure, there are ways to fool the system, but you make it seem that it's easy to fake an entire identity and run credit card bills for fictitious names and addresses for years at a time, on a long-standing account with many services and no fraud warnings or chargebacks?

I find that highly unrealistic, and at the very least, this scenario would automatically raise red flags for me, especially as the hackers a) talked to a GD rep to gain access, b) subsequently changed the password, c) changed the email, d) enabled 2-factor authentication, and e) started initiating domain transfers.
 
0
•••