Did GoDaddy Transfer a Domain Without Verification for 27 Years? Customer Lodges Serious Complaint

A Domain Safeguarded for 27 Years Disappears Overnight

On April 29, 2026, a scandal shook GoDaddy, a major domain registrar. A customer, referred to as Mr. X (pseudonym), who is the CEO of a tech-related company, claimed that a domain name he had owned for 27 years and which formed the backbone of his business, was transferred to a third party without prior notice or security verification. This incident is not just a personal issue but has raised fundamental questions about the reliability and security of the global domain infrastructure.

Incident Overview: “Even Two-Factor Authentication Didn’t Work”

According to Mr. X, the issue came to light in mid-April 2026. When he attempted to access his long-running company website, it was no longer displayed, and the DNS records had been altered without his consent. Alarmed, he checked his GoDaddy account and discovered that the domain’s “ownership information” had been changed, and the domain itself had been “unlocked” and transferred to another registrar.

What was most shocking was that Mr. X received no notifications throughout this process. “Normally, transferring or changing domain ownership requires approval emails or two-factor authentication (2FA). However, I was not contacted, nor was I asked for an authorization code (EPP code) during this process,” Mr. X stated. Moreover, the 2FA that had been set up on his account failed to prevent the transfer, which lies at the heart of the issue. It appears likely that GoDaddy’s system either had vulnerabilities or that there were serious lapses in its internal processes.

Background: Domain Names as “Digital Real Estate”

Why is the transfer of a domain held for 27 years such a significant issue? Because domain names are not merely URLs; they represent a company’s brand value, customer trust, and even its business assets. Long-used domains are directly linked to search engine rankings (SEO) and email reliability. If a domain is fraudulently transferred, it risks being altered, exploited for phishing scams, or, in the worst-case scenario, becoming irretrievable for the original owner.

According to industry insiders, cyberattacks targeting domain names and “domain hijacking” have been on the rise in recent years. Attackers use increasingly sophisticated methods, such as deceiving a registrar’s customer support team to reset passwords or exploiting system vulnerabilities for unauthorized access. However, this case is particularly severe as it suggests a breakdown in the registrar’s process without any apparent fault on the customer’s part.

GoDaddy’s Response and Industry Implications

Following the incident, GoDaddy announced that it had launched an official investigation. However, amid a flood of customer complaints, the company has been criticized for its slow response. “I submitted a support ticket, but all I received were automated replies. The accountability remains unclear,” Mr. X lamented.

This incident has sent ripples across the domain registrar industry. Major registrars like Network Solutions and Google Domains are likely to expedite the review of their own security processes. Particularly, registrars handling vast customer datasets must strengthen internal controls and develop multi-layered authentication systems to prevent fraudulent transfers.

Regulatory bodies like ICANN (Internet Corporation for Assigned Names and Numbers) may also consider tightening domain transfer standards. For instance, they might reintroduce rules requiring a mandatory waiting period (e.g., 72 hours) for domain transfers to allow owners time to verify and confirm. Making 2FA mandatory for all users could also be a topic of discussion.

Future Outlook: Challenges in Rebuilding Trust

This incident has highlighted just how fragile the “trustworthiness” of digital infrastructure can be. Users naturally expect their domains to be safe when entrusted to registrars. However, even major corporations are susceptible to human error and system failures.

Mr. X is now exploring legal options while attempting to recover his domain. “The brand and customer trust that I’ve built over 27 years could vanish in an instant. This isn’t just my problem; it’s a risk every domain owner faces,” he emphasized.

This case underscores the urgent need for domain registrars to ramp up their security investments, while users must also regularly audit their accounts and enforce advanced authentication settings. A “new normal” for protecting digital assets is now being called into question.

FAQ

Q: What should a domain owner do if their domain is fraudulently transferred?
A: First, immediately contact your registrar’s support team and request a halt to the transfer. You can also consult ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP) or local consumer protection agencies. Simultaneously, update your account passwords and 2FA settings, and review DNS records and server logs for signs of unauthorized access. Quick action is critical to preventing further damage.

Q: What measures should domain registrars take to prevent fraudulent transfers?
A: Multi-layered security measures are essential. These include mandatory two-factor authentication (2FA), multi-step confirmation emails for transfers, systems for detecting unusual account activity, and stringent verification processes for customer support interactions. Registrars should also provide users with clear guides on security settings and encourage regular security audits.