Anchor Hosting documented the incident in detail, showing that GoDaddy transferred their customer's domain to a stranger with no auth code, no confirmation email, and no identity verification. They present this as a clear violation of ICANN's Inter-Registrar Transfer Policy, which requires explicit registrant authorization.
The editorial argues that domains are the root of TLS certificate chains, email delivery via MX records, API endpoints, and authentication flows like OAuth redirects and DKIM signing. An unauthorized domain transfer therefore constitutes a comprehensive security breach affecting every layer of a company's infrastructure.
Beyond the unauthorized transfer itself, Anchor Hosting describes a Kafkaesque support experience when trying to reverse it: escalation loops, conflicting information from different agents, and no urgency despite a live domain sitting in a stranger's account. The support failure turned a bad incident into a prolonged crisis.
The editorial emphasizes that GoDaddy manages over 80 million domains as the world's largest ICANN-accredited registrar. This is not a fly-by-night operation — their size means a systemic process failure in transfer verification could affect an enormous number of domain owners, not just this single case.
A hosting provider, Anchor Hosting, published a detailed account of how GoDaddy transferred one of their customer's domains to a complete stranger — with no documentation, no identity verification, and no authorization from the actual domain registrant.
The domain owner discovered the transfer after the fact. There was no transfer authorization code (auth code / EPP code) provided by them, no confirmation email acknowledged, and no identity documents submitted by the receiving party. GoDaddy simply handed over the domain to someone who asked for it.
When the legitimate owner contacted GoDaddy support to reverse the unauthorized transfer, they encountered the Kafkaesque experience familiar to anyone who has dealt with a major registrar's support apparatus: escalation loops, conflicting information from different agents, and a general posture of institutional indifference. The domain (someone's live, operational property) was sitting in a stranger's account.
Domain names are not just vanity addresses. They are the root of your TLS certificate chain, your email delivery (MX records), your API endpoints, and often your authentication flows (OAuth redirect URIs, DKIM signing domains). Losing control of a domain is not a branding problem — it is a full-stack security incident.
ICANN's Inter-Registrar Transfer Policy (IRTP) exists precisely to prevent this. The policy requires that any transfer between registrants must include explicit authorization from the current registrant, typically via an auth code and a confirmation sent to the registrant's WHOIS contact email. A registrar that transfers a domain without this authorization is in violation of its ICANN accreditation agreement.
GoDaddy, as the world's largest domain registrar with over 80 million domains under management, is not some fly-by-night operation. They are an ICANN-accredited registrar bound by these policies. And yet, the support workflow apparently allowed a representative to process a change-of-registrant request from an unauthorized party without triggering the mandatory verification steps.
This is not the first time GoDaddy has been at the center of domain security failures. In 2020, GoDaddy employees were social-engineered into transferring control of cryptocurrency domains. In 2021, a data breach exposed 1.2 million WordPress customer credentials. In 2023, GoDaddy disclosed that attackers had maintained access to their systems for multiple years. The pattern is consistent: GoDaddy operates at massive scale with support processes that do not match the sensitivity of the assets they manage.
The Hacker News discussion (601 points — a very high score indicating strong community resonance) surfaced dozens of similar stories from developers and small business owners. The common thread: registrar support staff with the power to reassign domains, combined with verification processes that are either poorly enforced or trivially bypassed.
If you are running production infrastructure on a domain registered with a consumer-grade registrar, you need to audit your domain security posture today. Here are the specific steps:
Enable registrar lock. Every major registrar supports a "clientTransferProhibited" status that prevents transfers without first unlocking the domain. This is table stakes, but many developers never enable it. Check your domain's status with a WHOIS lookup — if you don't see `clientTransferProhibited`, fix that now.
Use registry lock where available. For critical domains, registry lock (also called "server transfer lock") adds a second layer that requires out-of-band verification directly with the registry operator, not just your registrar. This is the single most effective protection against unauthorized transfers, and most developers don't know it exists. Cloudflare Registrar, Amazon Route 53, and Markmonitor all support it.
Consider a registrar upgrade. Consumer registrars like GoDaddy, Namecheap, and Google Domains (now Squarespace) optimize for onboarding volume and upsell revenue, not domain security. If your domain is the foundation of a business, consider Cloudflare Registrar (at-cost pricing, no markup), Amazon Route 53 (tight IAM integration), or an enterprise registrar like Markmonitor or CSC. The price difference is negligible relative to the risk.
Monitor your domains externally. Services like dnstwist, SecurityTrails, or even a simple cron job checking WHOIS data can alert you if your domain's nameservers, registrant, or status codes change unexpectedly. By the time you notice your website is down, the attacker has already pointed your MX records somewhere else and is resetting your SaaS passwords.
Document your ICANN complaint path. If an unauthorized transfer does happen, you can file a Transfer Dispute Resolution Policy (TDRP) complaint with ICANN. The process is slow (weeks to months), but it is the formal mechanism for reversing unauthorized transfers. Know the process before you need it.
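The `clientTransferProhibited` check and the cron-style WHOIS monitoring from the steps above can be combined in one script. This is an added example, not code from Anchor Hosting or the original article; the domain, registrar names, IANA IDs and nameservers in the sample WHOIS text are constructed, and the field labels assume the common gTLD WHOIS layout, which varies by registry.

```python
# Constructed WHOIS responses for a placeholder domain (not real data).
BASELINE_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar A, Inc.
Registrar IANA ID: 9991
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.DNS-A.TEST
Name Server: NS2.DNS-A.TEST
"""
CURRENT_WHOIS = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar B, LLC
Registrar IANA ID: 9992
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.PARKING.TEST
Name Server: NS2.PARKING.TEST
"""

# Fields whose change should page someone (labels are an assumed layout).
WATCHED = {"registrar", "registrar iana id", "domain status", "name server",
           "registrant organization", "registrant email"}

def parse_whois(text):
    """Return {field: set(values)} for the watched fields, lower-cased."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep or key not in WATCHED or not value.strip():
            continue
        value = value.strip()
        if key == "domain status":
            value = value.split()[0]  # drop the trailing icann.org/epp URL
        record.setdefault(key, set()).add(value.lower())
    return record

def audit(baseline_text, current_text):
    """Return alert strings; an empty list means locked and unchanged."""
    base, cur = parse_whois(baseline_text), parse_whois(current_text)
    alerts = []
    if "clienttransferprohibited" not in cur.get("domain status", set()):
        alerts.append("registrar lock missing: no clientTransferProhibited status")
    for field in sorted(WATCHED):
        added = cur.get(field, set()) - base.get(field, set())
        removed = base.get(field, set()) - cur.get(field, set())
        if added or removed:
            alerts.append(f"{field} changed: -{sorted(removed)} +{sorted(added)}")
    return alerts

if __name__ == "__main__":
    for alert in audit(BASELINE_WHOIS, CURRENT_WHOIS):
        print("ALERT:", alert)
```

In a scheduled job the two inputs would be a stored baseline and fresh output from the `whois` command. Registrant fields are frequently redacted, so registrar, status and nameserver changes are the dependable signals.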
The fundamental tension here is that domains are critical infrastructure priced and managed like commodity consumer products. GoDaddy sells domains for $10/year and staffs their support accordingly. The ICANN transfer policies are well-designed on paper, but enforcement depends entirely on registrar compliance — and the penalty for non-compliance is rarely severe enough to change behavior at scale. Until the domain industry adopts something closer to the security posture of certificate authorities (which, to be fair, also had their own reckoning), incidents like this will keep happening. The question is whether it happens to you before you take it seriously.
Likely an inside job. I had a similar experience with AWS where my account was compromised despite the fact that I had all the proper security features enabled. It was later discovered internal contractors were responsible. But up to that point AWS blamed the issue on me with no proof. A call to the
He mentions these 3: "- Every email address that exists out in the world is now wrong. - Every piece of marketing material is now incorrect. - All of the SEO is gone." but it seems to miss even the biggest one, which is that you are effectively locked out of any online business accounts, you
Register your domain as a trademark. It costs a few hundred dollars, and can be done online. This gives you stronger rights with ICANN, against anybody who illicitly acquired the domain, against typosquatters, the registrar, and the courts. You can send intimidating lawyer letters, and quickly escal
I have no reason why anyone would use GoDaddy 10 years ago, let alone today.
Relevant (for some reason though it shouldn’t be; GoDaddy’s track record is that bad.) Jan 2017: [Godaddy has issued at least 8850 SSL certificates without validating anything](https://news.ycombinator.com/item?id=47911780) Jan 2019: [GoDaddy injecting JavaScript into websites and how t