Beware of Dynadot. They will lock your account and demand ID photo through UNSECURE processes.

[Kostas]

I have a few names into dynadot, sometime in the past they introduced a mandatory pin which I apparently forgot now. I can't unlock domains and dynadot demands I send them my ID via their OWN website, completely unprofessional without using a secure KYC service like any serious company would do.

Meanwhile, they could just send a simple verification email and know with certainty the actual owner of the account is in control and not an unsecure 4-digit pin.

So beware of dynadot, don't keep your domains there, you can use much better and more secure registrars like Porkbun that take security actually seriously with 2FA over a 4-digit pin.

 

[alcy]

it sucks u forgot pin

but there is no sane way to go from that to telling people not to keep names there

 

[Kostas]

I have names in 15 different registrars. Losing a lot of time on this is a perfect reason to not keep names there. They could've used email verification for pin reset but no. They could have required a 2FA code in order to increase they security. They opted for an unsecure PIN.

 

[Caleb Tweed]

Hey there,

We use email verification for password resets, but since the unlocking the account allows the user to do more sensitive actions we don't allow PIN resets via email as external emails can be compromised. If you don't remember the PIN and can't answer the secret question we have to resort to something more drastic like asking for ID for verification.

You can add 2FA to your account as well, but it still requires you have your PIN.

The KYC system for submitting your ID is 100% secure as it can only be accessed by Dynadot and does not include any third parties.

 

[Kostas]

Dynadot’s practice of directly requesting the upload of a government-issued ID and a selfie video without using a certified third-party KYC or identity verification provider raises serious additional GDPR compliance concerns.

Most companies that require identity verification rely on established third-party KYC processors (e.g. Onfido, Veriff, SumSub, Jumio), which operate under strict GDPR-compliant frameworks, encryption standards, and data minimization protocols. These services typically return only a verification token (e.g. “verified = true”) to the controller, ensuring that sensitive personal data such as ID documents and biometric images are not permanently stored or processed by the requesting company.

Dynadot’s direct collection and storage of these materials make it the sole data controller of highly sensitive information, including government identification numbers and biometric data. This approach substantially increases the risk of noncompliance with several GDPR provisions, specifically:

Article 5(1)(c) (data minimization), since the company holds more data than necessary for account verification;

Article 32 (security of processing), as the company must demonstrate robust, documented technical and organizational safeguards equivalent to those of regulated KYC processors; and

Articles 44-49 (cross-border data transfers), given that Dynadot is based in the United States and appears to lack any declared transfer mechanism such as Standard Contractual Clauses (SCCs) or equivalent safeguards.

This handling method represents an unnecessary privacy risk, both in terms of data breach exposure and noncompliance with the GDPR’s proportionality principle, especially considering that my identity could easily be verified through existing account credentials, payment records, or contact confirmation.

Even though I still consider id verification excessive in our situation, I would be ok doing it through a reputable 3rd party KYC provider. Alternatively, let me try entering the PIN or security question one more time.

We all remember the epik data breach and the personal data that were leaked then. I don't want this to happen with my id.

 

[alcy]

guys plz just keep on mind that all above is 56 trillion times harder than just remember a focking 4 number pin

just be a focking man and blame your dumb asses for it not registrar.

 

[AEProgram]

don't send these id's, just read about a discord related id hack https://www.pcgamer.com/gaming-indu...-discord-breach-compromising-some-users-data/

hire a lawyer before sending around id's. A lot of people will lose everything because these ID's can be used to get anywhere.

 

[alcy]

wait a minute

stupid as iam I temporarily forgot the focking pin in question is from our focking bday

did I miss something on this dumbazz thread or op forgot when he born???

 

[Kostas]

The pin is indeed connected to birthday but no hint of it and after two tries you are locked out. On the secret question you get one try. Anyway, after some time wasted, problem is now solved without any id upload. Thanks Caleb.

 

[alcy]

The pin is indeed connected to birthday but no hint of it and after two tries you are locked out. On the secret question you get one try. Anyway, after some time wasted, problem is now solved without any id upload. Thanks Caleb.

may I ask what u mean by no hint? one normally need no hint to get his vday right

I'm intrigued

glad it solved. posting on np usually solves it

without it u would prolly still be sweating it out trying to remember your bday

joke

 

[Caleb Tweed]

You're welcome!

It was originally supposed to be tied to a birthdate, however we changed it from being called a "Birthdate Pin" to just "security pin" so it can be any 4 digit pin now (makes it harder for people to hack if it's more random). You can always retry your security pin with support and they should unlock it for you!

 

[alcy]

You're welcome!

It was originally supposed to be tied to a birthdate, however we changed it from being called a "Birthdate Pin" to just "security pin" so it can be any 4 digit pin now (makes it harder for people to hack if it's more random). You can always retry your security pin with support and they should unlock it for you!

well mine still bday
so I guess that's the default or what??

 

[Caleb Tweed]

well mine still bday
so I guess that's the default or what??

If it was still your birthdate when we changed a while back it it would've remained as it is. ( I mean technically you could have set it to whatever you wanted even when it was specified as a "Birthdate Pin")

 

[Future Sensors]

If it was still your birthdate when we changed a while back it it would've remained as it is. ( I mean technically you could have set it to whatever you wanted even when it was specified as a "Birthdate Pin")

Every time this comes up, I wonder if you've actively informed all users that they should no longer use their date of birth as their PIN. I get the impression that there's still a very large group of customers who do, due to choices Dynadot made in the past. Are they aware of the risk?

 

[Kostas]

You're welcome!

It was originally supposed to be tied to a birthdate, however we changed it from being called a "Birthdate Pin" to just "security pin" so it can be any 4 digit pin now (makes it harder for people to hack if it's more random). You can always retry your security pin with support and they should unlock it for you!

To be fair, support didn't offer me this option. They specifically said that I have to upload id and do a selfie video if I want to unlock my account. An NP member sent me a DM regarding birthday being the PIN, but I was already locked out at that point. Anyway, I don't think the current implementation of the PIN offers any added security at all, especially the way it is shared around on emails and chat support. 2FA on login is the supreme method. If someone doesn't set this up, they are responsible if their account gets compromised.

 

[alcy]

If it was still your birthdate when we changed a while back it it would've remained as it is. ( I mean technically you could have set it to whatever you wanted even when it was specified as a "Birthdate Pin")

ah ok

well there are obvious pluses to keeping it your bday

lke not having thread like tis

 

[carob]

This same Dynadot account lockout without warning issue comes up over and over, has for years, plenty of threads on this topic and criticisms of how Dynadot handle this and personal data.

Allowing only one chance at answering a question and not warning that a wrong answer leads to instant lockout is a guarantee of problems.

I stopped using Dynadot because of this issue and their attitude.

 

[Synozeer]

Where do you even change your PIN code? I'm looking at the security settings page and I'm not seeing.

EDIT: Okay, appears you have to do a forgot PIN code to create a new one. Instructions here:
https://www.dynadot.com/help/question/submit-forgot-security-pin

 

[Stekky]

Interesting thread, I'm going through similar process here and I share the same concerns as Kostas. I'm not prepared to share any IDs due to GDPR compliance issue and I also do not believe that the situation with a forgotten PIN should warrant this type of action. I see @Caleb Tweed was able to assist, would you be able to provide the same for me please?

 

[alcy]

even when I have my brain removed I will remember my dyna pin cause its same day and month

bahahah

like 1111 but not really it

but I do wish it was 1111

so cool

I see 1111 everywhere all the time.