Came here to post the exact same comment. They have a history of amateur-hour stuff like this, too, don't they? For me, the brand has always been associated with "bet it all on marketing" rather than technical competence.
It's literally the largest registrar in the world, by a large margin.
When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well. They're more likely to have established processes that work for all sorts of cases.
That's what makes this particular story so egregious.
Domains are a very funny business. I can't think of anything so crucial to businesses, that at the same time generates so little revenue per customer. Your entire technological infrastructure depends on it, yet it costs $15/yr. Making a single support request can turn you into an unprofitable customer.
They are the biggest because they undercut all the other registrars and spent millions on Superbowl commercials among other strategies. Size does not automatically equate to competency. Sometimes bigger can mean more mistakes are likely to occur and customer voices may be more likely to be unanswered in the ocean of support issues.
How many stereotypical male tech nerds flocked to GoDaddy after hiring Danika as "spokes" model. Did she ever speak? Glorified booth babe is more like it. After that, every non-tech dude would remember those commercials. Of course they are popular, of course for the wrong reasons. It goes to show exactly how well advertising campaigns work.
Sortof? [0]. All the commercials I saw [1] were just meant to get guys to visit their site so the speaking was just for fun. The later fake body-building commercials [2] were unusual.
IIRC, when I used it for my employer .com was $100/domain year, registry lock for eligible tlds was $1000/domain year (I forget if that included the domain), and there was a minimum annual spend that I don't remember, but might have been $10k-$30k. They have new ownership since then, so I dunno.
The only issue we had was when we wanted to change our nameservers and our authorized contact for registry lock didn't answer the phone for the verification call, so we had to postpone the change for the next day. But that's what is supposed to happen, so no big deal.
Better than networksolutions changing our nameservers when one of their support agents got phished.
Porkbun. Their prices are very reasonable and their support team is consistently responsive and helpful. Honestly, even if their pricing was higher I would still choose to use them because it's clear their goal is to maintain a useful product, not infinite growth andendshittification
Interestingly, Cloudflare (don't shoot me for mentioning the name, HN!) identify Porkbun as "GoDaddy-Porkbun" but I don't know the relationship.
Edit: "Top Level Design [Porkbun owners] was the domain name registry for several top-level domains including .wiki, .ink and .design, until the company sold these domains to GoDaddy Registry in April 2023" --Wikipedia
Top tier is still MarkMonitor. Last I spoke with them, they had a five-figure minimum spend, but the per-domain costs are competitive. That cost buys you proper named support contacts, etc.
If you look up the whois for microsoft.com or yahoo.com, that's who you'll find.
Five-figure minimum spend sounds pretty expensive for the vast majority of businesses out there. Of course, just a drop in the bucket for major brands.
Definitely. I don't use them for my personal domains, of course.
But as others have pointed out, there's basically zero margin on simple domain sales. So if you want proper support, you need to go to someone who bundles it with other enterprise business (e.g. AWS), or who makes it their whole business (e.g. MM).
>It's literally the largest registrar in the world, by a large margin.
When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well. They're more likely to have established processes that work for all sorts of cases.
It's also literally one of the most criticized and awful registrars in the world, by a large margin. If decades of stories like this don't convince you to go with a more reliable registrar then I have very little sympathy.
This story is not egregious, it's in fact typical of GoDaddy. Every so often we get a HN post with a GoDaddy horror story. You'd think people would have learned by now.
> When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well.
That is also at least 10 years old stale matter. Have you ever read people wrongly being locked out from a BIIIIG provider unable to get through to get remedy? Apparently no. I did. I am sure several other people here did too.
Motto: "Eat shit! A trillion flies cannot be wrong!"
> They're more likely to have established processes that work for all sorts of cases.
In my experience the sentence is only correct this way: "They're more likely to have established processes for all sorts of cases"
They have lots of clients. They have big opportunities to streamline support (which is a cost center). ... do you see where it leads? Read the OP, if not!
>
When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well.
For offline goods, definitely. For digital services, 10+ years ago, definitely. For digital services, in 2026, it's a bad strategy even if you're a business and want something reliable.
> When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well. They're more likely to have established processes that work for all sorts of cases.
But they proven over and over and over and over and over again that they are not a reliable business partner.
You’d be surprised how many enterprises use them. Also their managed hosting support is surprisingly competent. I’m not a fan of their service but some of our clients use them and anytime their servers have had issues support was quick to fix. Way nicer than having to jump in and do it myself. And so far it’s all been local support and not offshore.
The primary reason I used to prefer GoDaddy is you could call them 24/7 and talk to a human who could fix it. Historically I have preferred companies with phone support over submit-a-ticket-and-wait.
Registering a domain usually happens very early in a business' history. It might literally be the first concrete thing the founder does. If the founder is non-technical, they're just going to Google "buy a domain" and see who comes up.
Do it, now. What comes up?
Yes, once IT gets professionalised, they should switch to a better provider. But the registration will likely be for multiple years, with auto-renewal, and when nothing has gone wrong, theoretical problems take a backseat to live ones.
The amount of dark patterns in product management (Domain renewal) UI related to selling additional services and general shadiness from godaddy make it a very poor choice as a registrar. Concur with the other person who has no idea why anyone would choose to use it.
Bob Parsons has done a pretty good job cleaning up his Wikipedia and Google search results over the past decade, so a /sarcasm tag might be needed here for the benefit of people born yesterday
Godaddy is pretty awful in a lot of things. This doesn't even surprise me. But I will say that their broker services have done me well. But I do transfer domains away as soon as possible to dynadot
I compared all of the other registrars mentioned by HN users, and Dynadot basically tied with Namecheap on price, but Dynadot is so much more user-friendly.
This comments reads sarcastic, but it makes a serious point. GoDaddy has an extremely poor reputation. At some point you must accept that choosing companies like that is your own mistake.
the thing is that it makes sense when you are small, and it's one of the hardest and riskiest things to change, so it's a decision that stays with you.
And to be completely honest, it isn't that bad, you get a phone you can call 24/7. Of course mistakes happen and staff can't always help, but it's more like a 99.9% vs 99.99% quality thing when comparing to other providers like AWS or CloudFlare.
This is at the very least debatable. The site they took down contained multiple videos of animals being tortured and killed. Not all decisions are simple black and white.
Animals die too in a genocide. I don't understand your point here. Namecheap decided they should proactively police Namecheap customers for this, Namecheap should lose all its business as a result. Let Namecheap decide whether the income from Israel exceeds the income from all Namecheap customers.
Namecheap looks really bad if someone does some due diligence and the word 'cheap' comes out, it's unproffessional and signals cheapness of materials.
Porkbun I'm not familiar, but it for sure can be a better option, it's just that when people start out they look for a familiar name rather than the marginally best option.
I just said it makes sense, not that it's the best option. It's just fine if you are a small or even medium business.
This is a textbook case for suing for compensation and punitive damages. I hope someone opened an arbitration complaint on day one to get the wheels turning. Maybe they’ll consider reviewing https://www.icann.org/compliance/complaint (one can dream).
Icann Arbitration seems like the wrong channel, those are typically used for when someone correctly technically registered the domain name, but there's a dispute from the non-owner, e.g:
1- Trademark holder registers trademark.com, malicious actor registers trademark-web.com and phishes.
2- trademark.com expires, and someone registers trademark.com and domainsquats.
This is not the case, all Icann can do is make decisions over who owns a domain. A civil court would be more appropriate for calculating and ordering compensatory damages.
Does Godaddy have a pattern of creating this sort of fuckup and then handling it in ways that uniformly favor Godaddy and deny customers contractual right to seek redress, that a judge might deem worth assigning punitive damages to warn other commodity-middleman businesses to not be like Godaddy?
Has Godaddy demonstrated a pattern of violating Godaddy’s contract with ICANN, whatever those terms may be, with regards to performance of the basic duties of a ‘registrar’ on behalf of domain owners?
I’m not evaluating these things today since I’m not their lawyer, but certainly they’re both valuable questions.
Another example of a long list of stories where GoDaddy practically destroys decades of business trust for a customer by just ripping their domain away for no reason. What an awful company.
Oh, please do. Mistakes happen, and the scale of GoDaddy means that even rare mistakes will happen. But they may still be liable for damages, how much is the reputational damage, and the possible lost business? Why wouldn't you go this route?
Probably ten years ago with name.com I had a .at domain expire.
I caught it like a day or two later, and successfully renewed it through their site but it did not take.
There was somehow already someone up squatting my domain. I contacted support and they told me there's apparently no renewal window for .at but they could recover it for $140 - oof .. sure. It was nothing super important but would be annoying to lose.
Then it took like a week for them to get back to me, but after that week I got my domain back. I have no idea what gymnastics happened on their side.
Often there's a redemption period (depending on tld i think) where the domain can be recovered. Registrars will generally charge a redemption fee during this period.
You're absolutely right, and they often blame the registry for the fee, but support for one of my domains once gave me the impression they inflate on top of the fee for extra profit.
Wait few hours. Some CTO or PR guru will post a message here.
- We are totally revamping our processes. This never happened out of incompetence. Humans make mistakes. We are contacting the client for 1 year free renewal - waiving. Will mail a coupon code. We consider this issue closed.
HN is the only real support channel in tech. First level customer service is AI, second level is outsourced idiots who blindly follow a script, the third level is ”Issue has been closed”
There's Discworld bit [0] that often comes to mind for me, where the protagonist is reading a press-release by a fantasy version of a communications monopoly:
> The Grand Trunk’s problems were clearly the result of some mysterious spasm in the universe and had nothing to do with greed, arrogance, and willful stupidity. Oh, the Grand Trunk management had made mistakes—oops, “well-intentioned judgments which, with the benefit of hindsight, might regrettably have been, in some respects, in error”—but these had mostly occurred, it appeared, while correcting “fundamental systemic errors” committed by the previous management. No one was sorry for anything, because no living creature had done anything wrong; bad things had happened by spontaneous generation in some weird, chilly, geometric otherworld, and “were to be regretted.”
"- Every email address that exists out in the world is now wrong.
- Every piece of marketing material is now incorrect.
- All of the SEO is gone."
but it seems to miss even the biggest one, which is that you are effectively locked out of any online business accounts, your bank, your crm, anything that says "we noticed an unusual login, please enter the code we just sent to your email to verify the login."
Also huge opportunity for scams etc if this ever was a targeted takeover type thing. Emails and other stuff go to the same domain, and an impostor could just keep answering correspondence like nothing had happened
And even worse, if I wanted to take over npmjs.com tomorrow and godaddy would kinda... just hand it over (?!?!?!) then i could probably become a crypto billionaire overnight
Same reason I dislike SMS based 2FA, or worse SMS/email based 1FA codes.
You dont truly own your cell number or domain. Meanwhile passkeys are certainly hardware I own, likewise my TOTP codes are stored and calculated locally.
exactly, few years ago I was thinking to bind all on domain email, thinking when I own it, I can host anywhere and seemed best option. After thinking it through, had to stick to a gmail, again. Due to the possible catastrophy scenario!
Luckily in EU, they still hardly depend on presencs validation, therefore all these sorts of errors can be resolved in couple of hours.
Ouch. That's worse than the reddit accounts I lost for a similar reason.
Nearly lost a dozen other accounts when I moved from Canada to US and changed my phone number. Fortunately I had to foresight to pay about $1/mo to transfer my Canadian number to some VoiP service just so I could keep it active for scenarios like this!
Namecheap has had its own host of issues like a few years back breaking hsts and causing tons of sites to break for quite a while and their response was basically oh well. That incident along made me move my domains off to porkbun.
Realistically you should never use the registrars dns to begin with. But you can set your own dns with porkbun, I have customs dns on all of my domains. I especially have been doing that since the Namecheap hsts issue. Can't trust any of them.
CloudFlare since they sell domains at cost and have really good DNS infrastructure with some free protection features. If the TLD isn't supported by them for registration then I'd just use their nameservers.
Or Route53 if you're using AWS since that makes it easier to integrate with the rest of AWS and manage in IaC, and AWS also has robust network/DNS infrastructure.
(I would say GCP if using GCP/Google Workspace, too, but since they split domains off to Squarespace I really don't know what is happening over there anymore as far as domains go.)
So far those 3 have been more than sufficient for all of my domain needs.
Domain registration and all other services should be separate. You don't want DNS, web hosting, mail hosting, etc. ToS applied to your registrar account because it increases the risk of the account getting locked.
I haven't had that experience at all with them before. I also don't put much stock in one off experiences from someone who is admittedly not in a situation that almost anyone else, much less someone registering their domains through GoDaddy currently, would find themselves in (i.e. operating an online casino and engaging in behavior that is very obviously a legal/ToS gray area at best).
They specialize in domains management for businesses who consider their domain to be _very_ important. Think Google, Amazon, Microsoft, Wikipedia... (all of those are listed as clients on the wiki page)
As in "pay a lot of money", and we'll dedicate someone to your domain who makes sure that "giving a domain to a stranger without any documents" will _never_ happen.
a number of the largest companies that used to be 'clients' of markmonitor have now basically become their own domain registrars and have a direct relationship with ICANN. Amazon for instance. It's curious that google was one and has offloaded it to squarespace.
I'm pretty sure google never used them for their own domains, and the whole markmonitor/squarespace thing was their "google domains" product where they sold registrar services to others. Besides that they also are a registry for .app/.dev and others, but don't sell them via their own registrar anymore.
See other sibling comments to yours, but you basically have named support contacts who would have been the human-in-the-loop ensuring that a situation like OP's can't happen.
I haven't spoken to them in like a decade, but they also offered other monitoring stuff like notifying you of likely phishing registrations, etc. And it's no longer novel now with options like Route53, but they used to be one of the only solutions with proper RBAC/delegation/audit logs.
It does sound snarky, maybe GoDaddy was the cheaper option at one point and they stuck with it. I get that.
I use some square space for a lot of stuff, but it's largely because Google Domains sold out and the price is "fine." Sure, I could use something else, but this works, the cost is correct, and - I can't stress this enough - it already freaking works. I also use a python as a service tool I point at frequently. Their customer service is great, so I doubt this would ever happen there? But yeah, I'm not manually configuring a server somewhere most of the time.
Is it the "best" possible tool for the job? Not really, but it works well enough for the stuff I use and my workflows are already rock solid to deploy code to prod, etc. Is it because it's impossible for me to spin up a VPS or I'm too stupid to figure out Hetzner? Probably. But no, I've done it before, I could do it again, but that would take me X hours that I'm not getting paid for to migrate for limited utility, possible customer interruptions, and stress. I might need to migrate in a year or so, but until then, I'm not going to bother.
I reckon that's a similar sort of thing that happened here and depending on what they're doing business-wise, Lee could be insanely competent IT person and was just unlucky because the hammer he reached out for with GoDaddy actually turned out to be a foot gun that took years to fire.
It happens, it's not ideal, but it happens - I'm just glad they got it figured out and I'm glad that these sorts of events percolate up in the hn zeitgeist, because I definitely know who I won't be turning to in the future. Like, I kind of already knew GoDaddy was trash? I used them something like 10 years ago to spool up a website for a friend of mine. The whole experience was garbage then and I said, "never again" - but also that was kind of at the beginning of me even learning about how this stuff works? But I could totally see a scenario where I get snared into a product ecosystem and the opportunity cost of switching out of it outweighs staying put until it blows up in my face.
I was in the Google Domain sold to Squarespace boat too. To this day, that sale makes zero sense, mind boggling they would offload such a critical part of consumer infrastructure. Anyway, I had zero trust in Squarespace, so I spent some time and moved all my domains to Cloudflare and couldn’t be happier. Lots of nice bonus features also popped up.
GoDaddy is a valid domain registrar. The customer had dual MFA set up. The customer did all the right things.
I’ve never heard of Godaddy making this kind of egregious mistake before. I’ve heard of some doozies, sure, but nothing like this.
Don’t blame the victim. “It’s their fault they got robbed, they left their door unlocked” is not a valid response to a situation like that or like this. The robber still stole, and godaddy still broke their own rules, rules that customers pay to have enforced.
When you find yourself victim-blaming, you will find yourself on the wrong side.
Maybe you havent, but I and others certainly have heard of this kind of "mistake" aplenty from them. They're infamously bad for this kind of nonsense let alone their other more predatory practices such as frontrunning domain registrations.
When you're a business and want something reliable, picking the most popular provider is usually a strategy that works decently well. They're more likely to have established processes that work for all sorts of cases.
That's what makes this particular story so egregious.
Domains are a very funny business. I can't think of anything so crucial to businesses, that at the same time generates so little revenue per customer. Your entire technological infrastructure depends on it, yet it costs $15/yr. Making a single support request can turn you into an unprofitable customer.
Sortof? [0]. All the commercials I saw [1] were just meant to get guys to visit their site so the speaking was just for fun. The later fake body-building commercials [2] were unusual.
[0] - https://www.youtube.com/watch?v=U1p9X8A2ruk
[1] - https://www.youtube.com/watch?v=o60YmD5_5-Y
[2] - https://www.youtube.com/watch?v=dBNxfarlktE
People who base their technical decisions on considerations like that likely deserve the level of service GoDaddy provides :(
The only issue we had was when we wanted to change our nameservers and our authorized contact for registry lock didn't answer the phone for the verification call, so we had to postpone the change for the next day. But that's what is supposed to happen, so no big deal.
Better than networksolutions changing our nameservers when one of their support agents got phished.
Whatever their process is, it's concerning. I wonder how many sign-offs are actually involved, or if it's just a ticket handled and closed by a rep.
Either way, GoDaddy is not the first choice for a new domain in 2026.
Off the top of your head, what would be a decent one?
Edit: "Top Level Design [Porkbun owners] was the domain name registry for several top-level domains including .wiki, .ink and .design, until the company sold these domains to GoDaddy Registry in April 2023" --Wikipedia
If you look up the whois for microsoft.com or yahoo.com, that's who you'll find.
But as others have pointed out, there's basically zero margin on simple domain sales. So if you want proper support, you need to go to someone who bundles it with other enterprise business (e.g. AWS), or who makes it their whole business (e.g. MM).
It's also literally one of the most criticized and awful registrars in the world, by a large margin. If decades of stories like this don't convince you to go with a more reliable registrar then I have very little sympathy.
This story is not egregious, it's in fact typical of GoDaddy. Every so often we get a HN post with a GoDaddy horror story. You'd think people would have learned by now.
That is also at least 10 years old stale matter. Have you ever read people wrongly being locked out from a BIIIIG provider unable to get through to get remedy? Apparently no. I did. I am sure several other people here did too.
Motto: "Eat shit! A trillion flies cannot be wrong!"
In my experience the sentence is only correct this way: "They're more likely to have established processes for all sorts of cases"
They have lots of clients. They have big opportunities to streamline support (which is a cost center). ... do you see where it leads? Read the OP, if not!
Read the last paragraph in my comment.
For offline goods, definitely. For digital services, 10+ years ago, definitely. For digital services, in 2026, it's a bad strategy even if you're a business and want something reliable.
But they proven over and over and over and over and over again that they are not a reliable business partner.
That is a strange idea to me. Some people are real fans of the lowest bidder, no matter how awful they are.
If we ask 100 likely buyers family feud style, where would they go buy a domain, GoDaddy likely is going to be the top answer by a wide margin.
They wouldn't know about any bad news/ security incident with the brand either.
> [...] is one of the most competent IT guys I know. The GoDaddy account had [...]
Don't think I've ever heard something good about GoDaddy.
Do it, now. What comes up?
Yes, once IT gets professionalised, they should switch to a better provider. But the registration will likely be for multiple years, with auto-renewal, and when nothing has gone wrong, theoretical problems take a backseat to live ones.
I currently use DreamHost, but I've been a little unhappy with how much clutter and other crap they've added.
I'm open to other shared and dedicated hosting providers.
I compared all of the other registrars mentioned by HN users, and Dynadot basically tied with Namecheap on price, but Dynadot is so much more user-friendly.
And yet he uses GoDaddy?
And to be completely honest, it isn't that bad, you get a phone you can call 24/7. Of course mistakes happen and staff can't always help, but it's more like a 99.9% vs 99.99% quality thing when comparing to other providers like AWS or CloudFlare.
Porkbun I'm not familiar, but it for sure can be a better option, it's just that when people start out they look for a familiar name rather than the marginally best option.
I just said it makes sense, not that it's the best option. It's just fine if you are a small or even medium business.
Once you have a bunch of international domains, it's not even generally possible to have a single registrar who can support them all.
Icann Arbitration seems like the wrong channel, those are typically used for when someone correctly technically registered the domain name, but there's a dispute from the non-owner, e.g:
1- Trademark holder registers trademark.com, malicious actor registers trademark-web.com and phishes. 2- trademark.com expires, and someone registers trademark.com and domainsquats.
This is not the case, all Icann can do is make decisions over who owns a domain. A civil court would be more appropriate for calculating and ordering compensatory damages.
Has Godaddy demonstrated a pattern of violating Godaddy’s contract with ICANN, whatever those terms may be, with regards to performance of the basic duties of a ‘registrar’ on behalf of domain owners?
I’m not evaluating these things today since I’m not their lawyer, but certainly they’re both valuable questions.
Personal experience, no relationship to either registrar listed above
Oh, please do. Mistakes happen, and the scale of GoDaddy means that even rare mistakes will happen. But they may still be liable for damages, how much is the reputational damage, and the possible lost business? Why wouldn't you go this route?
I caught it like a day or two later, and successfully renewed it through their site but it did not take.
There was somehow already someone up squatting my domain. I contacted support and they told me there's apparently no renewal window for .at but they could recover it for $140 - oof .. sure. It was nothing super important but would be annoying to lose.
Then it took like a week for them to get back to me, but after that week I got my domain back. I have no idea what gymnastics happened on their side.
I would think this fee should be, at most, the cost of 1 year of registration.
- We are totally revamping our processes. This never happened out of incompetence. Humans make mistakes. We are contacting the client for 1 year free renewal - waiving. Will mail a coupon code. We consider this issue closed.
> The Grand Trunk’s problems were clearly the result of some mysterious spasm in the universe and had nothing to do with greed, arrogance, and willful stupidity. Oh, the Grand Trunk management had made mistakes—oops, “well-intentioned judgments which, with the benefit of hindsight, might regrettably have been, in some respects, in error”—but these had mostly occurred, it appeared, while correcting “fundamental systemic errors” committed by the previous management. No one was sorry for anything, because no living creature had done anything wrong; bad things had happened by spontaneous generation in some weird, chilly, geometric otherworld, and “were to be regretted.”
[0] Going Postal (2004) by Terry Pratchett
"- Every email address that exists out in the world is now wrong. - Every piece of marketing material is now incorrect. - All of the SEO is gone."
but it seems to miss even the biggest one, which is that you are effectively locked out of any online business accounts, your bank, your crm, anything that says "we noticed an unusual login, please enter the code we just sent to your email to verify the login."
It is similar like losing phone or sim or even being in a foreign country where you can't access your number but worse.
And even worse, if I wanted to take over npmjs.com tomorrow and godaddy would kinda... just hand it over (?!?!?!) then i could probably become a crypto billionaire overnight
You dont truly own your cell number or domain. Meanwhile passkeys are certainly hardware I own, likewise my TOTP codes are stored and calculated locally.
Luckily in EU, they still hardly depend on presencs validation, therefore all these sorts of errors can be resolved in couple of hours.
I’m locked out of my 20 year old wikipedia account because they instituted 2fa without asking and my email on file was no longer valid.
Nearly lost a dozen other accounts when I moved from Canada to US and changed my phone number. Fortunately I had to foresight to pay about $1/mo to transfer my Canadian number to some VoiP service just so I could keep it active for scenarios like this!
Since cloudflare is basically the only registrar that will not allow you to host nameservers anywhere else I'd be weary to use them (even indirectly).
Could you elaborate why?
Or Route53 if you're using AWS since that makes it easier to integrate with the rest of AWS and manage in IaC, and AWS also has robust network/DNS infrastructure.
(I would say GCP if using GCP/Google Workspace, too, but since they split domains off to Squarespace I really don't know what is happening over there anymore as far as domains go.)
So far those 3 have been more than sufficient for all of my domain needs.
This is kinda buried but the whole scenario makes a lot more sense with that context.
Depends. If it's something really high priority (like main domain for a large corporation) I'd likely be paying CSC 4 digit sums per domain per year.
For stuff a tier below that I'd be looking at companies that are serious about security and happen to do domains as well e.g. Cloudflare, Amazon
Otherwise, Porkbun or Cloudflare Domains if you're ok using their DNS.
As in "pay a lot of money", and we'll dedicate someone to your domain who makes sure that "giving a domain to a stranger without any documents" will _never_ happen.
I haven't spoken to them in like a decade, but they also offered other monitoring stuff like notifying you of likely phishing registrations, etc. And it's no longer novel now with options like Route53, but they used to be one of the only solutions with proper RBAC/delegation/audit logs.
I use some square space for a lot of stuff, but it's largely because Google Domains sold out and the price is "fine." Sure, I could use something else, but this works, the cost is correct, and - I can't stress this enough - it already freaking works. I also use a python as a service tool I point at frequently. Their customer service is great, so I doubt this would ever happen there? But yeah, I'm not manually configuring a server somewhere most of the time.
Is it the "best" possible tool for the job? Not really, but it works well enough for the stuff I use and my workflows are already rock solid to deploy code to prod, etc. Is it because it's impossible for me to spin up a VPS or I'm too stupid to figure out Hetzner? Probably. But no, I've done it before, I could do it again, but that would take me X hours that I'm not getting paid for to migrate for limited utility, possible customer interruptions, and stress. I might need to migrate in a year or so, but until then, I'm not going to bother.
I reckon that's a similar sort of thing that happened here and depending on what they're doing business-wise, Lee could be insanely competent IT person and was just unlucky because the hammer he reached out for with GoDaddy actually turned out to be a foot gun that took years to fire.
It happens, it's not ideal, but it happens - I'm just glad they got it figured out and I'm glad that these sorts of events percolate up in the hn zeitgeist, because I definitely know who I won't be turning to in the future. Like, I kind of already knew GoDaddy was trash? I used them something like 10 years ago to spool up a website for a friend of mine. The whole experience was garbage then and I said, "never again" - but also that was kind of at the beginning of me even learning about how this stuff works? But I could totally see a scenario where I get snared into a product ecosystem and the opportunity cost of switching out of it outweighs staying put until it blows up in my face.
GoDaddy is a valid domain registrar. The customer had dual MFA set up. The customer did all the right things.
I’ve never heard of Godaddy making this kind of egregious mistake before. I’ve heard of some doozies, sure, but nothing like this.
Don’t blame the victim. “It’s their fault they got robbed, they left their door unlocked” is not a valid response to a situation like that or like this. The robber still stole, and godaddy still broke their own rules, rules that customers pay to have enforced.
When you find yourself victim-blaming, you will find yourself on the wrong side.