GoDaddy Domain Transfer Triggers Multi-Day DNS Outage

GoDaddy is investigating claims that it transferred control of a 27-year-old domain from a nonprofit customer to another customer without requiring authentication or documentation, causing four days of website and email downtime. Flagstream Technologies partner Lee Landis says the domain vanished from his client's account after GoDaddy logged an internal account-recovery request; the transfer allegedly completed within minutes despite MFA and ownership protection being enabled. Landis reports 32 support calls and 17 email threads with inconsistent guidance and no effective resolution, while GoDaddy says the recipient provided necessary documentation and considers the case closed. The incident raises serious security concerns around registrar processes, BEC risks, and registrar audit fidelity.

A Hacker News thread highlights a report that GoDaddy mistakenly transferred a domain to an unrelated buyer without proper documentation, sparking user outrage. Commenters criticized GoDaddy’s long-standing reputation for poor technical practices, opaque renewal UIs, and aggressive marketing-driven product decisions, with several suggesting moving domains to smaller registrars like Porkbun or Dynadot. Some advised legal or ICANN complaints to seek compensation for potential business losses, while others framed the incident as symptomatic of systemic reliability and trust issues at large registrars. The episode matters because domain ownership errors can cause business disruption, brand damage, and legal disputes, underscoring registrar choice and the need for stronger operational safeguards.

GoDaddy transferred a 27-year-old nonprofit domain to another account via an “Internal User” process, wiping its DNS and taking websites and email offline for all chapters for four days. The affected IT firm (Flagstream Technologies) had dual two-factor authentication and GoDaddy’s Full Domain Privacy and Protection enabled, yet the registrar executed an account recovery and domain transfer within minutes on a Saturday. Support was unhelpful and inconsistent—dozens of calls and emails over several days produced no callbacks and shifting escalation contacts (undo@godaddy.com, transferdisputes@godaddy.com, artreview@godaddy.com). The incident highlights risks in registrar procedures, internal access controls, and incident response for critical domain infrastructure.

A longstanding 27-year organizational domain was transferred out of its GoDaddy account without proper documentation after an "Internal User" initiated an account recovery and completed a transfer within minutes, leaving websites and email offline for days. The affected IT firm (Flagstream Technologies) says the account had dual two-factor authentication and GoDaddy's Full Domain Privacy and Protection enabled, yet the registrar reset the DNS to defaults when moving the domain, disrupting services for twenty chapters that rely on subdomains. GoDaddy support gave inconsistent instructions, slow responses, and bounced responsibility across email addresses, offering little transparency about where the domain went or how recovery would proceed. The incident highlights registrar process, internal-controls, and customer-support failures with major operational and security implications for organizations relying on domain registrars.