
GoDaddy Account Hacked [Resolved]

sirlordcomic

Really confused, but details starting to emerge.

Account Security as of 2-27-18


1. GoDaddy account was 2FA protected, but turned out it was only for "high-value" transfers? Don't remember doing that, but it's on me.

2. I had a 12 character random pass generated by LastPass; I already changed it quickly but from a glance I don't think it had special characters etc. Also on me; I usually use very long, secure passwords. So they brute force the GD account? GD doesn't have a way to prevent this. I don't get this.

It's not like me as I deal in crypto (lord have mercy) and I am hyper secure most of the time, I somehow overlooked these details with this particular account, but I'm kicking myself. However, I don't feel the GD response is really making me feel like shit is under control.

Domain Transferred Without Warning

Received (3) emails regarding transfer of VRCU.com out of my account to another registrar. ZERO emails prior to this warning me anything was amiss. Domain did not expire until 3-25-2019 but is now reg'd out to 2022.

GoDaddy support states it was initiated in my account and transferred to another GD user? Not clear...

Support Action

They said they cannot lock my account as I requested. I can't believe they did not transfer out other domains. I am very worried, and expressed my concern to support. They said the Fraud dept. will be notified, and they sent me a "Disputing a Domain Name Transfer" web form.

I am surprised no one can simply check IP records and see who logged in prior to today

@Joe Styler
 
typical, can't even finish the dispute

 
The fact my account can't be locked like a stolen credit card is infuriating.
 
Sorry. Hopefully fraud dept will be able to assist.

Try a different browser.

I enabled 'High risk transactions only' - for example 2FA kicks in when I want to change password.

Why do you want your account locked? Why not change your password, use a strong password (special characters, alphanumeric etc.) and enable 2FA for every login?

Suggest you change your email login details as well, if possible enable 2FA there as well, in case he got your email login details as well. Check login activity.
 
Thanks, yes I did all that, but I'm still suspicious about the account hack. I just want things locked down. I have a few very high value domains in there. Guess I am being paranoid.

At the very least, I had a 12 digit alpha with no caps - they brute forced it?
 
I can't even find a record of this transfer in my GoDaddy account.
 
You should have kept domain behind privacy

Hopefully they can reverse engineer what happened, and get it back; we all know they have the power to retract domains.
 
How does privacy help? Avoid direct targeting? There is no cell phone listed.

My LastPass account uses a generic email.

GD site starts to trigger timer on multiple failed login attempts. LastPass hack?
 
Well they found a backdoor somehow. Get any weird emails lately?

Privacy helps in giving no info, no email, maybe they have a door in, your level of security is above, and beyond, just doesn’t add up.
 
Did you check your PC for malware? I know it sounds dumb, but that should've been the first step.

I thought GD 2FA was something required for logging in!!!!!! How was this not enabled? I remember reading a year ago the thread about the guy who had 2FA enabled for GD login, and that saved him because he saw a Chinese buyer had somehow gotten his password on GD. The 2FA stopped them.

I'm guessing GD has some kind of injection password flaw thingy that a bug bounty can find. But no matter how strong your pw is, if they can get GD's database to spit out the pw... then it's done.


Would really like to know what the culprit here is though.
 
If you only let LastPass fill in the data you can't be hacked, because it won't fall for the common trap to put your credentials in similar-looking sites.

Sounds like your PC is somehow hacked, maybe a keylogger.
 
I am surprised no one can simply check IP records and see who logged in prior to today:

Registrar Info
Name: HiChina Zhicheng Technology Ltd.
Whois Server: grs-whois.hichina.com
Referral URL: http://whois.aliyun.com
Status: ok https://icann.org/epp#ok

Important Dates
Expires On: 2022-03-26
Registered On: 2003-03-26
Updated On: 2018-02-27

Name Servers
DNS10.HICHINA.COM
DNS9.HICHINA.COM

Registrant Contact Information:
Name: Du Li Zheng
Organization: Du Li Zheng
Address: Hai Dian Qu Ban Jing Lu 6 9 Hao Shi Ji Jin Yuan Shang Wu Zhong Xin
City: Bei Jing Shi
State / Province: Bei Jing
Postal Code: 100097
Country: CN
Phone: +86.13911528298
Fax: +86.13911528298
Email: (shown as an image on the whois page, not captured)


@Joe Styler
Anytime I try to move a 4L.com out it always goes to pending status review, after I approve transfer, this should have applied.
 
Yeah I thought I had 2FA on, my bad. It was just some dumb "high-value transfer" option. If you have that on, a transfer should require 2FA, just my humble opinion.
 
Did you have the domain listed on Afternic with FT?
 
I haven't been able to check and my first thought was it was sold on Afternic, or similar. But the GD support said nothing about it.

Maybe it sold there?
 
sold on Afternic, duh sorry guys, not sure why I didn't check there first
 
Never used Afternic, geez, figured I would get notice. Lesson learned. *facepalm

Apologies for the false alarm. GD Support threw me off the scent in addition to lack of an Afternic comms.

Happy ending though!
 
:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

>OP thought his account was hacked
>Turns out he sold his 4L on Afternic instead.

From Anxiety to Euphoria:
#DomainerLife
 
n00b moves man, sorry

I'm pretty into crypto, ran down the slippery slope too quickly lmao
 
Oh well, now we must see something at "Report complete domain sales" :)
 
n00b moves man, sorry

I'm pretty into crypto, ran down the slippery slope too quickly lmao
What does crypto have to do with this?

Hopefully you got a good price, as a bin would have been activated.
 
Have fun writing an update to your support tickets to GD ^_^
 
Now share the price it sold for ;)
Also take it as a learning experience and lock down all your registrar accounts with 2FA wherever you can and strong passwords for registrars that do not support 2FA