Our company's domain was transferred to a third party without our consent, but the registrar explained it was a legitimate procedure, and we were able to restore it after contacting the third party.



Web developer Austin Ginder has written a blog post about an incident where the domain management service GoDaddy mistakenly transferred a domain to someone else.

GoDaddy Gave a Domain to a Stranger Without Any Documentation

https://anchor.host/godaddy-gave-a-domain-to-a-stranger-without-any-documentation/



The domain in question belongs to Flagstream, a client of Mr. Ginder's friend. The domain had been in use for 27 years and was not just a website URL but critical infrastructure supporting the entire organization, including its email system and internal tools.

The account for the domain in question had two-factor authentication (2FA) enabled, and various security settings were in place, including locking the domain itself. Despite these security settings, the domain was transferred to someone else.

After the incident, Flagstream reviewed the audit logs and found a record indicating 'transfer to another GoDaddy account' and that it was 'executed by an internal user.' It also recorded that the operation was performed 'without verification,' suggesting it may have been processed as an internal operation on the service provider's end rather than an unauthorized external access.



The loss of the domain caused all related services, including the website and email, to shut down, severely impacting the organization's operations. Furthermore, there were reportedly problems with GoDaddy's support. The response lacked consistency, with different contact points and case numbers being assigned to each inquiry.

Flagstream called GoDaddy a total of 32 times over four days following their initial inquiry, totaling 9.6 hours of calls. However, GoDaddy ultimately refused to return the domain, stating, 'Our investigation has revealed that the new owner has submitted the necessary documents. GoDaddy considers this matter resolved.' GoDaddy was unable to disclose the new owner's identity due to privacy concerns.



As Flagstream reluctantly prepared a different domain and began migrating various services, they received a call from a third party who said they had unknowingly received Flagstream's domain. This third party was in the process of reclaiming a completely different domain when they noticed that a domain other than the one they had applied for was registered to their account, and contacted Flagstream.

Thanks to the third party voluntarily returning the domain, Flagstream was able to restore its services on the original domain. Ginder stated, 'If this third party hadn't contacted us, it would have taken several months to resolve.'

This third party stated that they 'did not send any documents to GoDaddy.' Although GoDaddy had sent the third party a URL for submitting documents, it had expired, and by the time they requested a resend, Flagstream's domain had already been moved.

Normally, changing domain ownership requires a rigorous identity verification and approval process. However, this incident strongly suggests that GoDaddy did not follow proper procedures internally, indicating problems with governance and internal controls in domain management.

Ginder contacted GoDaddy about the post, but has not received any response as of the time of writing. He stated that 'the only way to get GoDaddy's attention is to cancel your account,' and added that 'Flagstream will also transfer all of its domains to another registrar.'

GoDaddy has been involved in various 'incidents' in the past, and a dedicated Wikipedia page has been created for them.

Controversies surrounding GoDaddy - Wikipedia
https://en.wikipedia.org/wiki/Controversies_surrounding_GoDaddy


Furthermore, GoDaddy is said to have been involved in numerous incidents that are not listed on Wikipedia.

- Due to flaws in domain verification, 8,850 SSL certificates were fraudulently issued and subsequently revoked.
- Inserting JavaScript into hosting users' websites to perform performance measurements.
- Unilaterally canceling a domain and then charging a fee after a short delay in responding.
- The business practice of acquiring expired domains and reselling them at high prices.
- Examples of cases where domains have been illegally transferred.
- Additional reports alleging domain theft.

in Web Service, Security, Posted by log1d_ts