GoDaddy helped someone hijack my account and steal my domains

[GDiddy]

Last night, as I was working, I started receiving emails from my godaddy account stating that my domains were being unlocked, and transferred. I immediately tried to login to my godaddy account. My email and password were no longer valid on my account. I called Godaddy's support number and explained to them that someone had broken into my account, changed my info, and was transferring domains away as we spoke. The rep told me there was nothing he could do about it, and I'd have to contact WIPO if I wanted my domain names back. In fact, he wouldn't even let me change my domain account info back to my own info. Apparently, his stance is that if someone hacks your account and changes the email and password, that means it now belongs to them, and not you.

Someone is hacking my entire domain account at Godaddy, and I have to contact WIPO? I don't think so. I demanded to speak to a supervisor. The supervisor helped change my email and password back so I could login, but not until after he talked for a half hour, repeating over and over again that he couldn't do it. All the while, domain names were being stolen from my account, one at a time, as I watched the notification emails pouring in telling me how my domains were being unlocked and transferred. Is this not like sitting on the phone with a cop who doesn't want to come out to your business, while someone is loading merchandise out the front door as you speak? Would the cop just tell you to make an insurance claim?

After I was able to login, I noticed that the domains were no longer even present in my domain list, so I could not change my info back on them. The supervisor told me that the domains were transferred to another Godaddy account, so they would immediately disappear from my account. I asked him to transfer my domains back from the hacker's account. He said no. Even though he had the domains at his fingertips, within his own system, he refused to help. It's not like they were transferred to another registrar. The hacker had the guts to use the same registrar to transfer them. I asked him how this hacker was able to enter my account. I wanted to know who called in and pretended to be me, and who the rep was that helped them to steal my account. He told me that one of his own employees (I have his name now) did it. So, his employee at Godaddy aided someone in stealing my entire domain account with dozens of domain names. The supervisor (I have his name too) told me he couldn't do anything about it.

So, a Godaddy employee aids another person in stealing my entire domain account, and godaddy does nothing but protect their employee who performed this honorable deed. They see nothing wrong with what happened, and think that they have no responsibility in the severe security breach of their own employees and their own ridiculous security flaws. I've heard of problems with security at Verisign, but I've never once heard of anything this blatant and ridiculous happening with a registrar. What kind of security does Godaddy have that they let their own employees give away not just your domain names, but your entire domain accounts?

If anyone knows anything about the legality of this situation, I'd appreciate the information. My domain names have been stolen. My domain account was stolen. Godaddy aided the thief. I want those responsible to be prosecuted, big time.

 

[LeeRyder]

I guess the model works well if your primary market is couch potatoes who watch bouncing mammary gland commercials.

very professional.

Anyways, the people registering the names..if what you say is true... are compensated for their actions, check stubs/pay receipts would prove that in any court of law.

in turn, the corporation that "could" potentiall have this happen..if at all, would/could sue the living daylights out of anyone being so foolish.

Also, I would not be so sure that the domains stay in the attorney's account but would instead by transfered into the corporations account.

also, by power of attorney..if an attorney is making the purchase, he negates all rights to ownership if he/she is doing this in the course of law for said corporation

lastly, an IT mgr doing this would likely be using a corporate CC, and not into their own, personal godaddy account. as well as to be expected would be that said purchases would almost always have their own corporate cc from amex or whoever.... which of course would be listed in their name (the companies) with merely holding the name of the IT mgr..or whomever.. as an authorized user.

all said, no one would have a legal leg to stand on, woulc/could be said and possible jail time for theft or grandtheft depending on the losses, potential, intent etc etc etc.

moot point, in other words.

i'll qualify this by saying it is possible though highly unlikely. any..and I mean ANY business is highly unlikely to go to an employee and go "listen, we're short 8 bucks and need to register a domain name..."

 

[jberryhill]

very professional.

I didn't make the commercial, GoDaddy did.

lastly, an IT mgr doing this would likely be using a corporate CC, and not into their own

I deal with this kind of crap all of the time. It's what I do for a living. First off, I don't think you understand how a lot of corporate credit card accounts work. The name of the "cardholder" is often the person authorized to use any given card. And saying "you can sue the daylights" out of some guy with no assets, and take a couple of months to regain control of your company's domain name, which is pointing at porn in the meantime, is pretty simplistic, and demonstrates your lack of experience in dealing with these situations.

The most common scenario, which I see all of the time, is that a small business goes to a web developer because they want a "web site". The developer includes the cost of the domain registration in the cost of building the site, and the business, which can read the whois data and thinks the domain name is "theirs" is blissfully unaware that the developer retains a mechanism to take the domain name hostage when things go sour between the developer and the business.

Whether you like it or not the legal "owner" of a domain name is the registrant, not who paid the registrar.

 

[Mark]

The most common scenario, which I see all of the time, is that a small business goes to a web developer because they want a "web site". The developer includes the cost of the domain registration in the cost of building the site, and the business, which can read the whois data and thinks the domain name is "theirs" is blissfully unaware that the developer retains a mechanism to take the domain name hostage when things go sour between the developer and the business.
Whether you like it or not the legal "owner" of a domain name is the registrant, not who paid the registrar.

I was just thinking about that - I sold a Domain last year to a pretty decent sized Corporation. Their Webmaster took "full / registrant" control of the Domain even though the "Check" was cut from the Actual Corporation I was dealing with.
I got a strange feeling about it when it happened and even mentioned it to the folks I had originally contacted within the Company before the Transfer.

They insisted on letting the webmaster handle everything but the actual payment (BTW - The Company and webmaster are thousands of miles apart).

Do People place too much faith in their webmasters/developers ?

As JB mentioned - Things do Go sour ......

 

[Dave_Z]

Whether you like it or not the legal "owner" of a domain name is the registrant, not who paid the registrar.

Exactly. Registrars have been treating it this way for the longest time, no ifs
ands or buts.

If anyone disputes that, that's where the courts come in.

Do People place too much faith in their webmasters/developers ?

Not necessarily. More often than not, it's because people don't know what are
the devil in the details to watch out for.

What Dr. Berryhill described earlier is a classic mistake, and one not too many
people are aware of, either.

 

[slipondajimmy]

Whats Funny to see is since the 19th Gdiddy has not had a word to say

 

[dna]

I think Godaddy's credit card policy is great.
It gives us all an extra layer of protection against
domain name theft. To hell with Jberryhill and
his "blissfully unaware" clients.

 

[MD]

I didn't read every reply so i don't know if someone noticed this :

So, his employee at Godaddy aided someone in stealing my entire domain account with dozens of domain names.

and in another reply he said :

3 were taken before godaddy finally let me have my account back.

try harder next time GDiddy..

 

[LeeRyder]

I deal with this kind of crap all of the time. It's what I do for a living. First off, I don't think you understand how a lot of corporate credit card accounts work.

Well I paid and worked my way through college as a buyer using corp CC's roughly 25% of my transactions.. I'd say an avg day would entail roughly 65 purchases and an avg dollar amount of... $15K or so... so I feel I have a very clearly defined Idea of how corporate CC's work.

So much so that I dare say your wrong. Every thought and deed you do while "on the clock" is company property. I believe it falls under intellectual property rights and the laws we're set up exactly for situations as this. In other words, if you do something in the course of your duties.. all actions..both good and bad fall under the ownership of your employer. A good example of this is if you say... break something..by law the employer cannot make you pay for it. another example would be if you attack someone your employer can be sued for your actions.

The name of the "cardholder" is often the person authorized to use any given card.

If what I think your implying here is exactly what your typed out, again your wrong. I've never had a corporate card with my name on it listing me in any ways other than an authorized user of that card... those just don't exist any other way in the United States.

And saying "you can sue the daylights" out of some guy with no assets,

funny, I thought people owned property, cars..etc etc. Didnt know everyone was destitute...but thats getting off topic.

and take a couple of months to regain control of your company's domain name, which is pointing at porn in the meantime, is pretty simplistic,

and this is true because?? Oh yes, we all remember the days where msn.com, google,com ebay.com etc etc etc we're all offline because their "it mgr's" we're fired and decided to take revenge. Perhaps you can show us examples to support your assertation?

and demonstrates your lack of experience in dealing with these situations.

I believe I've adressed this and while no attorney, I believe.. your absolutely incorrect and basing this off of your feelings on this thread and not on US Law.

The most common scenario, which I see all of the time, is that a small business goes to a web developer because they want a "web site". The developer includes the cost of the domain registration in the cost of building the site, and the business, which can read the whois data and thinks the domain name is "theirs" is blissfully unaware that the developer retains a mechanism to take the domain name hostage when things go sour between the developer and the business.

Again not true. As a contractor the web builder (or whatever) does not own the domain because he was hired an even as a 99 employee his works belongs to the company...not himself.

regardles, I think there should be a VERY clear and distinct division here between this thread and this convo.

what jberry is asserting and what this thread is are two entirely different things.

The thread starter stole someone cc and bought domains with it...which GoDaddy returned. this is a theft thread and not a business law conversation.. and the laws vary greatly regarding the two.

 

[Dave_Z]

Again not true. As a contractor the web builder (or whatever) does not own the domain because he was hired an even as a 99 employee his works belongs to the company...not himself.

I don't know if there are any threads here. But in another forum which I'm not
sure I can say here (although one of the previous posters input a link there),
you'll find numerous samples of people who exactly went thru that.

I don't recall, but one of the mods told me I can't post the name or a link to
another domain forum. Anyway, back to topic.

This is because people know little to nothing about domains and websites, and
they feel they're best managed by people who do handle them. What many
just don't know, however, is that some webmasters register the domain name
in their own names or their holdings for whatever reason, be it legitimate or
not.

And remember, registrars treat the listed registrant as the legal owner, again
no ifs ands or buts. Most if not all of them don't care who registered and paid
for the domain with what, it's the domain's registration records that matter to
them.

So supposedly the webmaster's client is the one who truly owns the name. If
things go sour, however, and the domain is registered to the webmaster, then
that's where things get extremely complicated.

Unfortunately there are little to no laws defining the scopes and limitations of
domain name ownership, especially on how exactly to handle this kind of
issue. And uh uh, no need to start a discussion on whether domain names are
property or not (although the sex.com case established a heap of precedents
to base from).

regardles, I think there should be a VERY clear and distinct division here between this thread and this convo.

Sorry for drifting away also, but I just thought I'd post some disagreements to
your latest post. It doesn't happen to you, but it does happen to other people
who don't know anything about domains.

It might interest you to know that GDiddy and I have been emailing each
other as I'm trying to help him get setup at another forum. I told him to reply
here and the other forum, why he hasn't replied here is anyone's guess.

 

[Zeeble]

I believe I've adressed this and while no attorney, I believe.. your absolutely incorrect and basing this off of your feelings on this thread and not on US Law.

ok Lee, so what happens when we start talking about, say a UK company dealing with a Russian webmaster? US law is not World Law.

 

[dna]

Just like in any store, the product belongs to the person who
pays for it. You cannot expect Godaddy to settle legal disputes for
their $9 registraton fee. Jberryhill's "blissfully unaware" clients are
going to have to hire lawyers and go to court.

To answer Zeeble: you go a court where the registrar
is located.

 

[jberryhill]

Just like in any store, the product belongs to the person who
pays for it.

You mean I can go to my friends' houses and take back all of the gifts I bought and gave to them?

Wow, I didn't know that. Thanks.

 

[dna]

Becoming a lawyer must be easier
than I thought.

 

[Dave_Z]

Just like in any store, the product belongs to the person who
pays for it.

If I sent my 3-year old daughter to buy me some cigarettes at the nearest
7-11 store, then the cigarettes belong to her after she pays the cashier?

(Incidentally I don't smoke. Tried it only once and never again. :D )

You cannot expect Godaddy to settle legal disputes for
their $9 registraton fee.

Yeah. And if your credit card is in the domain name account, you can expect
a $29 charge should Go Daddy get a legal inquiry for the domain in question.

If it's for a UDRP and you win, ideally they'll refund you. Ideally, anyway.

 

[Badger]

Hmm, Interesting thread this has turned out to be.....

Contract Law would prevail here I guess.... And contract law would mean a contract that exists between a person/body or person representing a body and the vendor.

And so i guess a lot of it would deal with "state of mind", that being "what was the state of mind of the person who bought the goods/services". For example, if a person bought something they believed at the time was for or on behalf of someone else then that is not theirs to own. And in using any benefit provided to them (as buyer) to re-attain such goods/services that would then constitute fraud... And punishable under criminal law. In the case at hand, i guess Godaddy would have to arbritrate this in the first instance and act as best as they could "in good faith". Failing to do so would leave liable for, as the thread starter intimated he wanted to do, civil action against them.

But every case will be different and we can bring up multiple examples of where one person analogy would seem ridiculous when crossed. But thats just the point - each case is different and thus we fall back on basic contract law.

i think what John is doing (if you once again excuse my presumption) is take it to the next level, and one of pragmatism - in his case, from experience. i.e. Yes, you do have the law on your side, and yes, if you sue you will no doubt win. But some of these guys are children you are up against, some foreign nationals, foreign registrars and in some cases people with no tangible assets. And what this means is, you may win, but win what..??? And at what cost..?

The key to it all is 'damage avoidance' not 'limitation'.. What can we do to prevent an occurence such as this happening to us..?? Not a discussion as to the merits and cross merits of contract law and/or intellectual property law....

What should the likes of godaddy do to prevent this threat..?? An extra line at registration, "who are you buying this domain for..?" would seem the obvious route..

Anyway, the beat goes on...

And as a final point, "Incitement to riot" that must also be a crime in the US eh John?...???

I guess the model works well if your primary market is couch potatoes who watch bouncing mammary gland commercials.

 

[armstrong]

If I sent my 3-year old daughter to buy me some cigarettes at the nearest
7-11 store, then the cigarettes belong to her after she pays the cashier?

Try changing your scenario a little to an 18-year-old. As far as the store is concerned, then yes, she owns them cigs. If someone walks in the store and tries to take the stuff off of the checkout line after she paid and without her consent, store management would probably call in the police.

You mean I can go to my friends' houses and take back all of the gifts I bought and gave to them?

If you still have the store receipts, and have the audacity to tell the police that your friends stole them from you, and your friends can't prove that you gave them the stuff, then yes you probably can get your "gifts" back. If you think about it, this is similar to what happened in gdiddy's case.

 

[Badger]

If you still have the store receipts, and have the audacity to tell the police that your friends stole them from you, and your friends can't prove that you gave them the stuff, then yes you probably can get your "gifts" back. If you think about it, this is similar to what happened in gdiddy's case.

your way off base here Armstrong..

First of all, to say they stole them when in matter of fact they didnt, would be a lie. Secondly, if you claim a theft has taken place, you would have to demonstate how they came by the goods you purchased. Proving a theft had taken place would be extremely difficult and i, for one, cant think of a single example where a gift could migrate to that of theft - when it wasnt true. Unless of course you engineered the event.

If you claim they stole something from you and the accused then claims you gave them to him as a gift, and where no physical signs of theft had taken place, i.e. a break in etc etc, the police would advise you to take out a civil action against them. Criminal law (certainly here in the UK) falls on burden of proof and reasonable doubt... The friends may not be able to prove that you gave them the gifts, but the crown/state also wouldnt be able to prove they didnt...

 

[armstrong]

Interesting, Ian. I'm willing to stand corrected if someone could show precedent. I'm not a lawyer, and my conjectures are just IMHO, so there's a good chance you are correct here.

What if the item is small, like say a Rolex? You discover it missing after a party at your place. You eventually find it at your friend's, who refuse to give it back on the claim that you gave it to him as a gift, which of course you have no idea about. You still have the store receipt, and there's no evidence of a break-in. What happens then? You'd need to go to court to get your Rolex back? As for motive? How about jealousy?

What if the alleged thief wasn't a friend, rather more of an acquaintance, like in the GDiddy case? Would that change anything?

 

[Dave_Z]

Try changing your scenario a little to an 18-year-old. As far as the store is concerned, then yes, she owns them cigs. If someone walks in the store and tries to take the stuff off of the checkout line after she paid and without her consent, store management would probably call in the police.

Whoops! I could've sworn I typed in 23, not 3.

Bad keyboard, bad.

Actually what I cited is an imaginary scenario. But yes, the store will most
likely (if not always) think the cigarettes belong to her as far as they're
concerned.

The similar thing applies to registrars. But because they obviously can't sit
beside every person registering a domain name using their systems, instead
they'll assume whoever's listed as the registrant on record to be the owner,
and they won't care what went on behind the scenes and after.

What if the alleged thief wasn't a friend, rather more of an acquaintance, like in the GDiddy case? Would that change anything?

I think the better question to that would be "what's the person's intent?".

What can we do to prevent an occurence such as this happening to us..??

I can think of 2 words: education and vigilance.

What should the likes of godaddy do to prevent this threat..?? An extra line at registration, "who are you buying this domain for..?" would seem the obvious route..

Unfortunately that won't work. To whom the domain name will belong to will
depend on who registered it in the first place and what his/her intent is that
time.

BTW, guys, I just got an email from GDiddy. He says he's gotten all the info he
needs, so I guess he won't bother replying here anymore.

 

[Badger]

I'm not a lawyer

Me neither. Got a first in my business law units, but under the banner of a business management degree... i.e. it counts for nish....

What if the item is small, like say a Rolex? You discover it missing after a party at your place. You eventually find it at your friend's, who refuse to give it back on the claim that you gave it to him as a gift, which of course you have no idea about. You still have the store receipt, and there's no evidence of a break-in. What happens then? You'd need to go to court to get your Rolex back? As for motive? How about jealousy?

What if the alleged thief wasn't a friend, rather more of an acquaintance, like in the GDiddy case? Would that change anything?

I guess, from memory Apollo, youre delving into the old age adage of whether or not a person is dishonest: a matter of fact or a matter of law?

In your example however, it would be for the police to decide whether or not to pass the matter onto the CPS (sorry, UK again im afraid) who would then decide whether or not there was enough evidence to prosecute... Again, there is no yardstick cept the specific evidence which presents itself on each and every case.. In your case i guess sense would say that the police would ask the possessor of the rolex to simply give it back..

But, to go back on subject and using your example.

'A buys a domain on B's credit card which A says B allowed him to do. A is registrant. B demands domain from registrar. Registrar takes domain from A and gives to B...'

Well that would be wrong. What the registrar should do is contact A and say that the payment has been questioned on his domain and that he should now provide another form of payment. Under no circumstances should the registrar transfer this name to B'

In our case, Gdiddy was acting as a reseller. He had domains in his account that belonged to others yet he wasnt a reseller for godaddy.

Again, what Godaddy should have done was to create an account for the supposed owner and instigate their transfer procedure (which Gdiddy had to approve).

If he then declined the transfer then the ball would firmly be back in the court of the supposed owner. Which would have been an entirely different discussion. But whatever the weather;

Under no circumstances should Godaddy have given someone who simply had the credit card number of a domain that was purchased through them access to anothers account...

 

[-db-]

If I sent my 3-year old daughter to buy me some cigarettes at the nearest
7-11 store, then the cigarettes belong to her after she pays the cashier?

Whoops! I could've sworn I typed in 23, not 3.

Bad keyboard, bad.

I was wondering about that.

- Sending your 3 year old daughter to buy cigarettes?

- If the store sells the cigarettes to the 3 year old, there are deeper problems than we thought.

Ha!

 

[EbookLover]

Well, here we go. Wasting time on a long thread that ends up showing that someone is not telling the whole truth..

Attorney man, read again...

From godaddy...

The customer "gdiddy" had registered several domains under his
customer account, using the credit card of another person "X". X was also listed as the original registrant of the domains.
As per the usual change process we have in place, X called in to
Customer Service and verified the credit card information. She then changed the customer account password and moved her domains out of Gdiddy's account and into one of her own. She had the help of our employees to do this because it is by the book, and according to our policies.

Gdiddy saw the alert notifications that the accounts were being
transferred, and called Customer service to complain that domains were being hijacked. Again, according to existing policies, we assisted him in changing the password and customer email address back, but he apparently could not verify the CC info since it was not his card in the first place. He set up a PIN on the account for extra security, and proceeded to de-activate all remaining CC's in his account. Apparently, he was trying to be a reseller without having a reseller account. He had lots of domains in his account that had been registered using several credit cards, and with different people listed as the registrant.

This is a closed case. The "plaintiff" came here with less than the truth trying to make us believe he was a victim when in fact he was obviously an accomplice to this "crime".

One lesson learned here...

Use YOUR OWN money to register YOUR OWN domains and ALWAYS register them under YOUR OWN NAME AND CONTACT INFO.

If you cannot follow the above rule(s), then you are most likely doing somehting that is unlawful or unethical yourself. If not, you are just plain dumb and must prepare for the worse situation(s).

Let's not beat around the bush here. If what godaddy stated is the truth, then the "victim" here brought it all on himself. Not a tear should be shed for him and not one tax dollar should be wasted on his stupidity.

For "the victim" to accuse GD of "stealing" in this instance IS slander or libel, or what have you because it is simply NOT TRUE. The "victim" was involved in shady, unethical, unconventional, unsafe practices that led to the situation at hand...NOT GODADDY! "VICTIM" USED OTHER PEOPLE'S MONEY TO REGISTER THE DOMAINS. ALSO LAST I HEARD IT IS AGAINST ICAAN POLICY THE PERSON WHO IS LISTED IN THE CONTACT INFO IS THE RIGHTFUL OWNER OF THE DOMAIN(S).

Sorry for the bluntness, it is my nature. On second thought, I retract my apology.

 

[Dave_Z]

I was wondering about that.

- Sending your 3 year old daughter to buy cigarettes?

- If the store sells the cigarettes to the 3 year old, there are deeper problems than we thought.

Ha!

:red:

 

[LeeRyder]

ya uhh.. we established that like 2 pages ago what someone posted the exact same thing. just discussing the intricacies of the laws now.

 

[Badger]

Bluntness is fine - so long as you are discussing the same topic as everyone else...?

I dont think using Bold and enlarged text and calling a fellow member 'attorney man' is in any way clever or for that matter 'blunt'..... btw...

Frankly i, nor probably anyone else here for that matter, is in anyway concerned with the merits of Gdiddy's case anymore....

What we have moved onto is: whether or not Godaddy was right in allowing someone (who isn't the account holder) access to anothers account...?? Regardless of the circumstances at hand..

So save your clever use of the keyboard and childish name calling and pick up the thread. Either that or allow the adults to continue talking...

Sorry, that last comment was uncalled for, i apologise