惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
MongoDB | Blog
MongoDB | Blog
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Stack Overflow Blog
Stack Overflow Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
aimingoo的专栏
aimingoo的专栏
B
Blog
博客园 - 聂微东
博客园_首页
D
DataBreaches.Net
F
Fortinet All Blogs
小众软件
小众软件
M
MIT News - Artificial intelligence
H
Help Net Security
Microsoft Security Blog
Microsoft Security Blog
The GitHub Blog
The GitHub Blog
大猫的无限游戏
大猫的无限游戏
Apple Machine Learning Research
Apple Machine Learning Research
Microsoft Azure Blog
Microsoft Azure Blog
I
InfoQ
F
Full Disclosure
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
Y
Y Combinator Blog
Google DeepMind News
Google DeepMind News
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 【当耐特】
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
G
Google Developers Blog
B
Blog RSS Feed
Attack and Defense Labs
Attack and Defense Labs
W
WeLiveSecurity
N
News | PayPal Newsroom
Recent Announcements
Recent Announcements
AI
AI
人人都是产品经理
人人都是产品经理
J
Java Code Geeks
V2EX - 技术
V2EX - 技术
TaoSecurity Blog
TaoSecurity Blog
S
Security Affairs
Martin Fowler
Martin Fowler
Webroot Blog
Webroot Blog
P
Palo Alto Networks Blog
S
Schneier on Security
Latest news
Latest news

The Register - On-Prem

Ohio hits pause on datacenter tax breaks draining its coffers Europe told to cool its datacenter boom before water and power run short Kyndryl takes employees' pulse while cutting off circulation for some Outlook has an image problem Microsoft says cu l8r to text message security 'Workforce rebalancing' comes for Kyndryl, and delivery teams are in the firing line MAGA's Mace wants to make power bills great again, calls for datacenter moratorium Datacenters slurping up so much juice they boosted prices 75% in largest US energy market Utah mega datacenter could dump 23 atomic bombs worth of energy per day Rust stalks IBM mainframes, but only in nightly form Iran war hits datacenter building supply chains, upping costs ON CALL: Custom PC worked in the lab, failed on site – and so did the angry client ShinyHunters claims dump puts 119K Vimeo emails in the wild Vodafone dials up full control of VodafoneThree Palantir CEO: 10 percent of world 'professionally hates us' Bad news for OpenClaw stans: Apple’s Mac Mini starts at $799 AWS networking lab tour: Making networking disappear Royal Navy chief backs drones, robot ships Bank of England is gold standard for tech projects, says PAC UK pensions dept shopping for spy-van tech worth up to £2M Microsoft boss tells investors the company is working to 'win back fans' What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Microsoft levels up Azure Local for sovereign clouds Cloudflare: autocrats, wars, and votes caged the net in Q1 ZTE & XLSMART launch Jakarta AI & 5G-A Innovation Center When robots join the race: 5G-A powers a new kind of marathon 5G-A powers a new kind of marathon Oracle plans to power its New Mexico DC with fuel cell farm DCMS to new CDIO: Microsoft migration, overhaul ERP, survive Document sent Boeing Core Scientific accelerates crypto-to-AI pivot Meta seeking energy from space for earth-bound datacenters Golden Dome gets $3.2B of contractors and an AI sprinkle ICO boss Edwards steps back amid workplace investigation DARPA seeks deep-sea drones for autonomous warfare push ZTE Q1 revenue up 6% to RMB 35B; computing mix hits 27% UK govt shells out £550 for Digital ID panel, bans press TUIT & ZTE launch student internship and tech job programs US farms have new steward for their safety nets: Palantir Tesla stakes AI dreams on Intel's unfinished AI chip If malware via monitor cables is a matter of national security, this might be the gadget for you Grafana offers AI assistant for free, warns users not to go mad Right to repair champ Framework punts modular 13in laptop with Core Ultra Series 3 Scotland Yard can keep using live facial recognition on Londoners, say judges Phone-to-satellite use goes into orbit, growing 25% in 8 months FAA grounds Blue Origin's New Glenn as it probes missed satellite delivery 'mishap' AMD's Ryzen 9 9950X3D2 Dual Edition tested: Gratuitous overkill with a price to match Crook claims to leak 'video surveillance footage' of companies Met police trials snoop tech platform in push to cuff more London shoplifters England's school phone ban gets teeth, just in time to bite no one Panasonic creates device-locked QR codes to speed facial biometric capture NASA Inspector fears new spacesuits won’t be ready for Moon landing Trump-branded datacenter project fails to make itself great, again World's blandest man steps down from CEO job to spend more time in tastefully appointed home Chase got a spiff of $77 million to create one job with New York datacenter AI is reshaping Britain's datacenter map away from London HP's remote desktop push retreats as Anyware heads for end of life 'Invisible mouse' made a mess of PC rebuild Indonesia’s game rating system paused amid claims it leaked developer creds and glimpses of major new titles Intel eases reliance on TSMC with 'Merica-made Core Series 3 processors Attention data hoarders: Alexa loses its Plex appeal as voice feature gets canned Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug Capita won disastrous UK pensions gig after acing performance checks Maine to pause big bit barns as local opposition spreads Iran has something America can only dream of: cheap broadband Guide to GPU virtualization: passthrough, vGPU, and MIG Brussels tells Google to hand rivals its search crown jewels as privacy row brews Cops hand Motorola £25M to keep 2000-era radios alive QUIC will soon be as important as TCP – but it's vastly different Networks not ready for the challenges of AI traffic US states can't account for datacenter tax breaks. Literally UK told its Big Tech habit is now a national security risk The only technology that died more times than VR is AI, and that seems to have worked out Oracle taps Bloom for fuel cells to support datacenter binge Amazon pays $11.5B to satisfy satellite-envy while cowering in Musk's shadow Microsoft raises UK Surface prices as RAM crisis reaches the checkout UK state bank considers lengthening disastrous IT program Japan going back to the future by reviving its chip industry FAA seeking gamers to fill air traffic control ranks Veterans Affairs software licensing under fire in GAO report NHS pays £46K to prep next Microsoft licensing round France’s digital agency dumping Windows desktops for Linux IT manager approved lunch downtime, but made a meal of it China wants AI to prepare school lessons and mark homework Apple update turns Czech mate for locked-out iPhone user Hungary officials used weak passwords exposed in breach dump Amazon rejects AWS climate disclosure proposal Tiny violins as Amazon execs face pay packet pinch John Deere agrees $99m right-to-repair settlement Iran war piles more pain on already battered PC market AWS put a file system on S3; I stress-tested it UK to spend £15M on AI mapping in knife crime crackdown Rebrand automation as 'zero-token architecture' to master AI Supply chain challenges risk delaying Nvidia's Rubin GPUs Amazon thanks loyal Kindle devotees by bricking their kit DXC lands Metropolitan Police contract worth up to £1B NHS Scotland-linked domains push pr0n and illegal streams How to navigate the storage crunch in the AI era Supermicro launches probe after staff charged with China export violations
Non-profit’s GoDaddy nightmare and the IT chaos that ensued
Connor Jones Connor Jones · 2026-04-29 · via The Register - On-Prem

GoDaddy is currently investigating claims that it handed complete control of a valid 27-year-old domain to another customer, without requiring them to pass any authentication processes or upload any supporting documents.

The sensational allegations come from Lee Landis, a partner at Pennsylvania IT shop Flagstream Technologies, who claims one of his client's domains "vanished" from the company's GoDaddy account without notice.

This, said Landis, meant the client lost access to its website and email accounts throughout the ordeal. The security implications of this include potentially losing access to account recovery mechanisms, MFA codes, company impersonation, business email compromise (BEC) schemes, and all manner of other possibilities.

The client wanted to remain anonymous, but was described as an American non-profit that operated 20 locations across the country.

According to a writeup penned by Landis' friend Austin Ginder, who owns Anchor Hosting, it took just four minutes for the domain takeover process to be approved. However, it left Landis' client with four days of downtime, during which time staff resorted to using personal email addresses and SMS messages to keep stakeholders informed about progress, as numerous fundraising events were scheduled for the following days.

"Lee is one of the most competent IT guys I know," Ginder wrote. "The GoDaddy account had dual two-factor authentication enabled, requiring both an email code and an authentication app code to log in. The domain itself had ownership protection turned on."

According to the logs, GoDaddy confirmed to Flagstream via email of an account recovery request being made. Three minutes later, the transfer was initiated, and it completed a minute after that. This all took place at around lunchtime on April 18, a Saturday.

The transfer was initiated only by an "internal user," the audit logs reportedly revealed, and it did not require any of the authentication methods to be completed. Ginder appeared to imply the transfer was done by an "internal user" inside GoDaddy.

Landis' calls to GoDaddy began the following day. Support staff proved unhelpful and allegedly lacked what he believed to be the necessary urgency. 

Over the subsequent days, across 32 phone calls which in total lasted more than nine hours, GoDaddy support threw out various email addresses where it said Landis could try to seek a resolution. He claims instructions differed depending on which staffer at the hosting provider answered the phone. 

Email conversations, of which there were 17, were never with a named individual, just generic address names, says Landis, who adds that he was asked multiple times why he thought the case was so urgent. Not once did he receive a callback from any of these email exchanges.

Landis "may have said some hurtful things to GoDaddy's support personnel," Ginder wrote.

A mountain of work and a huge stroke of luck

On the following Tuesday, four days after the transfer was completed, GoDaddy allegedly closed the case without action. 

In a statement sent to Flagstream, GoDaddy said: "After investigating the domain name(s) in question, we have determined that the registrant of the domain name(s) provided the necessary documentation to initiate a change of account… GoDaddy now considers this matter closed."

The issue here is that no documentation was provided, according to both Flagstream and the woman who received ownership of the domain. Ginder refers to her as Susan, but it is not her real name.

GoDaddy denies this was the case.

Before Flagstream had to clean up this mammoth mess, Susan was trying to reclaim an old domain registered to a former employee. 

Again, the specifics were changed because the nonprofit wanted to stay anonymous, but for the sake of storytelling, we'll use the two domains below as examples:

  • HELPNETWORKINC.ORG (Flagstream's client)
  • HELPNETWORKLOCAL.ORG (Susan's domain to be reclaimed)

Another important detail to understand how this transfer was botched is that Susan's email signature referenced her chapter's website at a subdomain of HELPNETWORKINC.ORG. Gilder said that GoDaddy staff most likely looked at the signature and mistakenly transferred its parent domain to Susan rather than the intended one.

Susan told Flagstream that she received a link to upload supporting documents but the link expired before she could use it, which if true would mean GoDaddy was not being accurate in its statement to Flagstream which said the submitted documentation informed the decision to approve the ownership transfer.

While all of this was taking place, Landis and the wider Flagstream team were working at pace to transfer the client over to a new domain and new email addresses, an arduous, brand-harming task, but a necessary one to get the non-profit back in business.

"It was a huge stress," Landis told The Register. "We had several guys working on this constantly, even at night. Plus, the company that hosted the website had a lot of work to do too, apart from us when we decided to set them up with a new domain."

Fortune was on Flagstream's side, however, as Susan was all too helpful after noticing she was in possession of the wrong domain. 

Susan initially called the non-profit's CFO, saying she did not know what she was looking at, but knew she had to tell someone. From there, Susan worked with Flagstream to initiate an account-to-account transfer of the domain's ownership, a process Ginder said took less than five minutes, all without GoDaddy's support or oversight.

"Susan is really the hero of this entire story," Ginder wrote. "Without her, Flagstream would still have no idea what happened to this domain. Lawyers would have gotten involved, but it would probably be months until anything was resolved."

While migrating the non-profit onto a new domain, and then reverting it back after regaining access, the wider Flagstream team were contacting lawyers to discuss their options for recovering the domain through the courts.

Landis told The Register he was confident this route would have worked, but it could have taken months, and that length of downtime was simply unacceptable for any organization.

Flagstream is still in conversation with lawyers so the team can prepare itself should they ever have to face a similar situation in the future.

Security nightmare

Not only was it a stroke of good luck that Susan was helpful in reversing GoDaddy's error, but she was not someone with malign intent who with her newfound access could have carried out a range of attacks. Phishing and BEC are two of the more impactful possibilities, not to mention the opportunity for 27 years' worth of data theft.

Landis told us that throughout the episode, the primary concern was that the client's domain was in control of someone who could weaponize the situation.

"Our huge concern was that a bad actor had this domain because that would be a huge security risk. Since we no longer had control of the domain, there was nothing that we could do to stop this individual if they were a bad actor."

While managing GoDaddy's support, Flagstream worked with its client on ways to mitigate the attacks they anticipated following the transfer, including disconnecting company email addresses from all accounts, from banking and payroll to Amazon and Dropbox.

Landis told us that at the time of writing, GoDaddy had still not contacted him nor Flagstream to address the matter. And when they tried to report the issues to GoDaddy's security team via email, the email bounced.

Asked whether Flagstream will continue with GoDaddy, Landis said the IT shop is evaluating its options.

"Most likely we will probably leave because we can't afford the risk of having other domains disappear. It will be a hassle to transfer our hundreds of domains, but it will be less of a hassle than what happened this last week."

Fear is all that lingers

The Register spoke to the nonprofit affected by GoDaddy's domain transfer on condition of anonymity.

The CEO told us that technically, operations are entirely business-as-usual, though some staff remain fearful of clicking the wrong button and triggering a repeat of April's IT calamity.

"A number of our staff – we have a lot of social workers, and some of them are just not, maybe as tech-savvy as our administrative team – they were becoming fearful about touching anything," the CEO told The Register.

"I mean, even this morning I'm having issues, as everything gets back, and people are needing to log back into their OneDrive, and all these little kind of details, but there's a relief that even though this is taking extra time from my day, at least we know we have recovered the domain."

The Register contacted GoDaddy for a response. It acknowledged the request, and told us it was investigating.

It did not deny the story, but disagreed with the assertion that it had authorized the transfer without the necessary documentation and approval.

"While we cannot comment on specific customer accounts, we have reviewed our protocols, and confirmed that we received proper documentation and authorization, and our standard operating procedures were followed," a GoDaddy spokesperson said.

"However, we are taking this opportunity to reinforce processes that help identify miscommunications between customers and representatives early, before they create downstream issues." ®