GoDaddy Transferred 27-Year-Old Domain to Stranger Without Any Documentation

Source: Hacker News, posted by jamesponddotco. 5 min read

Domain Registrar Giant Hands Over Organization's Critical Infrastructure to Unknown Account with Zero Verification

A failure in GoDaddy's account recovery process resulted in a national nonprofit organization losing control of a domain it had actively used for 27 years. The registrar moved the asset into a stranger's account without requiring any documentation, leaving the entire organization offline for four days across all 20 of its U.S. locations.

The incident, which occurred on April 18, 2026, began when a GoDaddy employee initiated an account recovery process and transferred the domain within three minutes of sending a notification email. GoDaddy's own audit log recorded the transfer as "Change Validated: No", meaning the change was applied without the validation step ever being completed.

How It Happened

Lee Landis, a partner at Flagstream Technologies, an IT firm based in Lancaster, Pennsylvania, discovered on April 19 that one of his client's domains had vanished from the GoDaddy account. The account had dual two-factor authentication enabled and the domain itself had ownership protection activated. Neither measure helped: both guard the customer-facing login and transfer flows, and neither constrains a transfer that GoDaddy staff execute from inside the company through the account recovery workflow.

The transfer was initiated by what GoDaddy identified as an "Internal User." When Flagstream attempted to recover the domain through GoDaddy's support channels, they encountered a fragmented and unresponsive system:

  • 32 calls to GoDaddy support
  • 9.6 hours spent on the phone with various agents
  • 17 emails sent with zero callbacks
  • Multiple case numbers generated for the same issue, each treated as a separate problem

Support staff repeatedly instructed Flagstream to "wait a day or two," directing them to different email addresses each day: first undo@godaddy.com, then transferdisputes@godaddy.com, and finally artreview@godaddy.com.

The Domain Vanished Into Thin Air

When the domain went dark, every chapter of the organization lost access to both its website and email systems. The organization was forced to begin an emergency migration to a new domain, requiring coordination across multiple teams and causing significant disruption to operations.

After four days of escalation attempts, GoDaddy sent a shocking response: the registrant had provided the necessary documentation to transfer the domain, and the matter was now closed. The company offered no explanation of what documentation had been submitted and provided only three links—a WHOIS lookup, ICANN arbitration providers, and information about hiring legal representation.

A Stranger Accidentally Reveals the Truth

The resolution came not from GoDaddy but from an unexpected source. Susan, an executive assistant working 2,000 miles away, noticed something unusual in her GoDaddy account on April 22. She had requested recovery of a different domain two weeks earlier, but the domain that appeared in her account was not the one she had asked for.

After making several phone calls and connecting with Flagstream, they performed a simple account-to-account transfer to return the domain to its rightful owner. The entire process took less than five minutes—a stark contrast to the four-day ordeal that GoDaddy's official support channels had inflicted on the organization.

No Documentation Required

When Flagstream investigated how Susan's account came to possess the domain, they discovered a startling security failure: GoDaddy had approved the transfer without Susan submitting any documentation whatsoever.

Susan's email signature happened to reference her chapter's website, which operated as a subdomain of the parent organization's domain. GoDaddy's recovery team apparently saw this signature, identified the parent domain, and transferred it to her account. A subdomain mentioned in a signature proves nothing about ownership of the parent domain: anyone with a chapter email address, or anyone who copied such a signature, could have presented exactly the same evidence.

GoDaddy sent Susan a link to upload required documentation, but the link expired before she used it. She requested a new link, but before it arrived, she received an email confirming the domain transfer had been approved.

No documents were ever submitted for either domain—neither the one she requested nor the one she received.

A Critical Security Vulnerability

Had Susan been a malicious actor, she could have intercepted email communications, used the domain to reset passwords across the organization, launched phishing attacks, deployed malware, or redirected financial transactions. Whoever controls the domain controls its DNS, including the MX records, so every password-reset and verification email sent to an address at that domain would have landed with the attacker. The organization was forced to implement emergency protocols requiring all users across every location to verify that the compromised domain had been removed from their banking systems, payroll accounts, email services, and other critical platforms.

The scope of potential damage was substantial for an organization of this size, yet it hinged entirely on the integrity of a single stranger who happened to recognize that something was wrong.
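The domain in this story was moved out of its owner's account while 2FA and ownership protection were both active, and nobody noticed until the next day. Because the move happened inside one registrar, a monitor that only watches the WHOIS registrar field would not have fired; what does change in such a case is the nameserver set, the transfer-lock status and the registry's "last changed" event. The Python script below is an added example, not code from the article, from Flagstream or from GoDaddy. It compares two RDAP snapshots of a domain and returns an alert for each security-relevant change. The two snapshots are constructed inline (a hypothetical example.org record) to stand in for the previous and current responses of a scheduled RDAP query; field names follow RFC 9083, and the status strings follow the EPP-to-RDAP mapping in RFC 8056.

```python
"""Detect registrar-side changes to a domain from periodic RDAP snapshots.

Added example. Assumes a scheduler fetches the domain's RDAP JSON (for
example from https://rdap.org/domain/<name>) and keeps the previous copy;
BEFORE and AFTER below are constructed stand-ins for those two responses.
"""

# RDAP status values that mean "registrar will refuse a transfer" (RFC 8056
# mapping of EPP clientTransferProhibited / serverTransferProhibited).
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}


def rdap_summary(doc: dict) -> dict:
    """Reduce an RDAP domain object to the fields that matter for hijack detection."""
    registrar = None
    for ent in doc.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # vcardArray is ["vcard", [[name, params, type, value], ...]] (RFC 7095)
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    last_changed = None
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "last changed":
            last_changed = ev.get("eventDate")
    return {
        "registrar": registrar,
        "nameservers": frozenset(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "status": frozenset(doc.get("status", [])),
        "last_changed": last_changed,
    }


def diff_snapshots(old_doc: dict, new_doc: dict) -> list:
    """Return one human-readable alert per security-relevant difference."""
    old, new = rdap_summary(old_doc), rdap_summary(new_doc)
    alerts = []
    if old["registrar"] != new["registrar"]:
        alerts.append(f"registrar changed: {old['registrar']!r} -> {new['registrar']!r}")
    if old["nameservers"] != new["nameservers"]:
        alerts.append(
            f"nameservers changed: {sorted(old['nameservers'])} -> {sorted(new['nameservers'])}"
        )
    # A lock that was present before and is gone now is the classic precursor
    # to an outbound transfer, so report it even if nothing else moved.
    lost_locks = (old["status"] & TRANSFER_LOCKS) - new["status"]
    if lost_locks:
        alerts.append(f"transfer lock removed: {sorted(lost_locks)}")
    if old["last_changed"] != new["last_changed"]:
        alerts.append(f"registry 'last changed' event: {old['last_changed']} -> {new['last_changed']}")
    return alerts


# Constructed snapshot: the domain as it looked while still in the owner's account.
BEFORE = {
    "objectClassName": "domain",
    "ldhName": "example.org",
    "status": ["client transfer prohibited", "client delete prohibited", "client update prohibited"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-HOST.NET"}, {"ldhName": "NS2.EXAMPLE-HOST.NET"}],
    "entities": [
        {"roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Registrar Example, LLC"]]]}
    ],
    "events": [
        {"eventAction": "registration", "eventDate": "1999-03-02T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2026-04-01T12:00:00Z"},
    ],
}

# Constructed snapshot after an account-to-account move inside the same registrar:
# registrar unchanged, but nameservers now point at parking, the transfer lock is
# gone, and the registry recorded a new "last changed" event.
AFTER = {
    "objectClassName": "domain",
    "ldhName": "example.org",
    "status": ["client delete prohibited", "client update prohibited"],
    "nameservers": [{"ldhName": "ns1.parked.example.net"}, {"ldhName": "ns2.parked.example.net"}],
    "entities": BEFORE["entities"],
    "events": [
        {"eventAction": "registration", "eventDate": "1999-03-02T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2026-04-18T14:03:00Z"},
    ],
}


if __name__ == "__main__":
    for line in diff_snapshots(BEFORE, AFTER):
        print("ALERT:", line)
```

Run this from cron or a CI job against the live RDAP response and page on any non-empty result; a daily check would have caught this incident within hours rather than leaving discovery to a human logging into the dashboard. Note that the registrar comparison stays silent here, which is the point: an internal move like the one described above does not change the registrar, so nameservers, lock status and the "last changed" timestamp are the signals to watch.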

Broken Communication Channels

Attempting to report the security vulnerability through proper channels proved futile. An email sent to security@godaddy.com bounced with an automated message stating the mailbox was no longer monitored. The email directed recipients to either use an abuse reporting form or submit vulnerabilities through HackerOne.

The security report was eventually filed through HackerOne (report #3696718), but the absence of a working public security contact is a weakness in its own right: an outsider who has just watched an account-takeover path succeed has no reliable way to get that finding in front of the registrar's security team.

The Path Forward

Flagstream plans to migrate all of its domains away from GoDaddy, viewing this as the only reliable protection against future incidents of this nature. The company notes that GoDaddy's support system proved responsive only when faced with the prospect of losing business.

"The only way to get GoDaddy's attention is to leave," according to the account of events.

GoDaddy has not provided a clear explanation of how the transfer was approved without documentation, nor has the company offered a detailed internal review of its account recovery and validation procedures. The organization has not received a direct call from a named individual at GoDaddy, instead continuing to receive responses from generic email accounts.
