GoDaddy hands 27-year-old domain to stranger, ignores 32 support calls

A Lancaster IT firm watched a client’s domain of 27 years vanish from a GoDaddy account on a Saturday afternoon despite dual two-factor authentication and the registrar’s own Full Domain Privacy and Protection product being active. The audit log attributed the transfer to an unnamed Internal User with Change Validated set to No, completed seven minutes after a recovery request landed. DNS was reset to defaults on move, taking down the website and email of a national organization with twenty chapters running on subdomains of the parent.

Four days of escalation produced nothing usable. Thirty-two calls, 9.6 hours on hold, a different dispute email address every day (undo@, transferdisputes@, artreview@), and a fresh case number per call with no thread linking them. After Flagstream supplied the registrant’s ID and business documents through GoDaddy’s own dispute form, the registrar declared the matter closed and pointed them at WHOIS, ICANN arbitration, and litigation. The team began the painful migration to a new domain, accepting permanent loss of email continuity and SEO.

Resolution came from outside GoDaddy entirely. A stranger requesting an unrelated domain noticed the wrong one had landed in her account, made calls until she reached Flagstream, and authorized an account-to-account transfer that completed in under five minutes. The story exposes a registrar whose security products and 2FA can be bypassed by internal staff, whose support has no case continuity or named ownership, and whose dispute process functionally returns the customer to lawyers regardless of evidence supplied.