I just had a huge security breach on Godaddy.com ---- What to do next....

[The Stigenator]

Somehow my soon to be ex business partner got into my godaddy account managed to get them to do the following.

1. change my password!
2. change my email associated with my godaddy
3. I never got a fucking email other than one saying " Account Settings Change Confirmation" at 12:00am...

I have already turned on 2 factor authentication

I dont use similiar passwords, but I will admit older accounts may have similar root words, I use last pass for my password keeping.

Whats next.. Godaddy is now claiming nobody can get into the account without the customer ID # or my PIN #.. both of which I have changed.

What next... .?

 

[Ns1]

if your ex business partner knows your password (and I assume he knows your email...) isn't this basic website functionality?

1) log into site with PW
2) change pw
3) input old pw and change to new pw

What am I missing here?

 

[Ns1]

1) if he's your ex biz partner and can guess your username, he can use that to login to godaddy (customer number definitely not required)
2) if he's your ex biz partner and can get your pw, he can login to godaddy
3) after that, seems like easy as fuck to accomplish the things you stated if "pin validation only" checkbox is unchecked and two step auth is off.

 

[Rakehellion]

Call the cops.

 

[halik]

Somehow my soon to be ex business partner got into my godaddy account managed to get them to do the following.

1. change my password!
2. change my email associated with my godaddy
3. I never got a fucking email other than one saying " Account Settings Change Confirmation" at 12:00am...

I have already turned on 2 factor authentication

I dont use similiar passwords, but I will admit older accounts may have similar root words, I use last pass for my password keeping.

Whats next.. Godaddy is now claiming nobody can get into the account without the customer ID # or my PIN #.. both of which I have changed.

What next... .?

You should be able to fax them your drivers license if it's in your name and change it back.

 

[The Stigenator]

Dude, Godaddy reset the password, he didnt have my password! Sure he could have guessed my user name (but not the customer number or email attached to it). Nor did he have my pin, unless he guessed that 4 digit pin.

Then the cake, they reset the email associated with the account to something else.

He tried getting into my gmail I think on Tuesday, but I have 2 factor on, so i got a confirmation code on that one.

 

[The Stigenator]

I just got control of one of the domain things he did... fucking A~

 

[Jeff7]

Dude, Godaddy reset the password, he didnt have my password! Sure he could have guessed my user name (but not the customer number or email attached to it). Nor did he have my pin, unless he guessed that 4 digit pin.

Then the cake, they reset the email associated with the account to something else.

He tried getting into my gmail I think on Tuesday, but I have 2 factor on, so i got a confirmation code on that one.

My experience with my webhost: I asked them by email how I could regain access to my account after after I locked myself out by accident. They simply emailed me the password in plain text in an email.

1) Shouldn't that be stored in hashed form, and thus be inaccessible to anyone?
2) Looks like the "password" for my account is actually "I'm locked out, please send me my password."

 

[The Stigenator]

One thing for godaddy to reset the password, that would send a link to the account owner, but not only did they reset the password, they gave it a new email account to it.

Does anybody have a godaddy higher up complaint line .. this needs more than your regular tier I support, it needs Tier 4 and above

 

[The Stigenator]

anybody got a godaddy exec or security person i can contact. I am not getting anywhere with their support.

 

[M0oG0oGaiPan]

pay him a visit at his house

 

[jlee]

My experience with my webhost: I asked them by email how I could regain access to my account after after I locked myself out by accident. They simply emailed me the password in plain text in an email.

1) Shouldn't that be stored in hashed form, and thus be inaccessible to anyone?
2) Looks like the "password" for my account is actually "I'm locked out, please send me my password."

Lol, credentials in an email is how Target got breached...

 

[ViviTheMage]

Work it out with the ex partner, that's the simplest route. No need to get petty and malicious.

Oh wait, you are saying the new email and password is not known by either of you now? If so, you're only option is to get godaddy to help you out.

 

[JEDIYoda]

My experience with my webhost: I asked them by email how I could regain access to my account after after I locked myself out by accident. They simply emailed me the password in plain text in an email.

1) Shouldn't that be stored in hashed form, and thus be inaccessible to anyone?
2) Looks like the "password" for my account is actually "I'm locked out, please send me my password."

They very easily could have checked your IP address and determined that it was you......no smoking gun.....sorry

 

[Jeff7]

Lol, credentials in an email is how Target got breached...

Very smart mathematicians figure out how to encrypt things, and smart computer scientists implement them.
But all you have to do is ask and you bypass it.


You've got Fort Knox, but the other secret passcode to get in is a simple shave-and-a-haircut knock on the door.


Or deliver pizza.

They very easily could have checked your IP address and determined that it was you......no smoking gun.....sorry

Because I always log in to check or send emails from the same computer every single day.


Yeah.