GoDaddy handed out a 27-year-old domain to a stranger in four minutes

· Carl Heaton · Security Infrastructure

A US non-profit running 20 locations lost its 27-year-old .org domain in four minutes on 18 April 2026. GoDaddy transferred it out of the account on the strength of an "internal user" decision, with no documentation submitted by the recipient. Four days of dark email and dead websites followed. The domain came back only because the stranger who accidentally received it called the IT firm directly to hand it over.

The account had dual two-step verification enabled. It had domain ownership protection enabled. Neither stopped the transfer.

What this tells you about registrars

Most businesses think about security at the layers they touch every day: laptops, email, cloud accounts, the website itself. The registrar (the company you bought the domain from) sits beneath all of that, and it's the one place where "we have it" can become "they have it" without anyone touching your servers.

Lose the domain and you lose:

  • All inbound email to your business addresses
  • The website your customers know how to find
  • Control of every account that recovers by email: whoever receives your mail can reset passwords on your SaaS, cloud and banking logins
  • Years of brand recognition and search ranking
  • Trust, while a stranger can plausibly impersonate you to your suppliers, customers, and bank

GoDaddy's official line was that "standard operating procedures were followed." That makes the question worse, not better. If the standard procedure can move a 27-year-old domain in four minutes on weak evidence, the procedure is the problem.

This isn't only GoDaddy. Registrar transfer fraud has been a recurring theme for years across the major brands. The controls the customer had on paper, two-step verification and domain ownership protection, were real. They just weren't binding on the path that actually moved the domain: a support-handled transfer request. Two-step verification protects the login; it does nothing against an action a support agent performs on your behalf, and a lock that support can clear is only as strong as the verification support does before clearing it.

What to do

The point of this filing isn't to pick a registrar; it's to make sure you've actually thought about the registrar layer at all.

  • Know who holds your domains. Names, accounts, payment methods on file. If your former agency or IT person registered them on your behalf years ago, fix that today.
  • Turn on registrar lock. Sometimes called "transfer lock"; in WHOIS or RDAP it shows up as the status clientTransferProhibited. It blocks transfers until someone in the account explicitly unlocks the domain, and because the status is public you can verify from outside that it is actually on. It is a different control from domain ownership protection.
  • Turn on two-step verification on the registrar account. Treat that login like the keys to the building, because it is.
  • Check that recovery email and phone numbers are current and at addresses you control. Not the personal Gmail of someone who left two years ago.
  • For your most important domains, consider a registrar that specialises in business and corporate domains. They tend to require more authentication for transfers and have human account managers rather than ticket queues. Ask specifically about registry lock (the status serverTransferProhibited): the lock is held at the registry, not the registrar, and is released only after a pre-agreed out-of-band verification, so a single support agent at the registrar cannot clear it on a phone call.
  • Ask, in writing, what happens if someone calls support claiming to be you. A registrar that can answer that question is one worth keeping.
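The checklist above ends with "find out whether yours actually do". The lock state is public, so you can audit it yourself. The script below is an added example, not code from the original filing or from any registrar: it reads a domain's RDAP record (the JSON successor to WHOIS; the status strings are the RDAP spellings of the EPP codes, "client transfer prohibited" for clientTransferProhibited and so on), reports whether a registrar-side or registry-side transfer lock is set, who the registrar of record is, and how long until expiry. The `rdap.org` redirector URL and the 90-day renewal threshold are assumptions, and the two embedded records are constructed samples, not real registry data, so the demo runs offline.

```python
"""Audit a domain's transfer-lock state from its RDAP record (added example)."""
import json
import sys
import urllib.request
from datetime import datetime, timezone

# RDAP status names that block a transfer-out, normalised to EPP-style lowercase.
# The client lock is set by the registrar when you turn on registrar lock;
# the server lock is set at the registry (registry lock services).
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
UPDATE_LOCKS = {"clientupdateprohibited", "serverupdateprohibited"}


def _norm(status):
    # "client transfer prohibited" -> "clienttransferprohibited"
    return status.replace(" ", "").replace("_", "").lower()


def fetch_rdap(domain, bootstrap="https://rdap.org/domain/"):
    """Fetch the live RDAP record for `domain` (network required; not used by the demo).
    rdap.org is an assumed public redirector to the registry's own RDAP server."""
    req = urllib.request.Request(bootstrap + domain, headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def assess(record):
    """Reduce an RDAP domain object to the handful of facts the checklist cares about."""
    statuses = {_norm(s) for s in record.get("status", [])}
    registrar = None
    for ent in record.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # vcardArray is ["vcard", [[name, params, type, value], ...]]; "fn" is the display name
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    registrar = prop[3]
    expiry = None
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            expiry = ev.get("eventDate")
    found = statuses & TRANSFER_LOCKS
    return {
        "domain": record.get("ldhName", "").lower(),
        "registrar": registrar,
        "transfer_locked": bool(found),
        "registry_locked": "servertransferprohibited" in statuses,
        "locks": sorted(found),
        "update_locked": bool(statuses & UPDATE_LOCKS),
        "expires": expiry,
        "nameservers": sorted(ns.get("ldhName", "").lower() for ns in record.get("nameservers", [])),
    }


def findings(summary, now=None, renewal_warning_days=90):
    """Turn a summary into the warnings a domain owner should act on."""
    now = now or datetime.now(timezone.utc)
    out = []
    if not summary["transfer_locked"]:
        out.append("no transfer lock: an auth code or a support request is enough to move this domain")
    elif not summary["registry_locked"]:
        out.append("registrar-side lock only: the registrar can clear it; consider registry lock")
    if not summary["update_locked"]:
        out.append("no update lock: nameservers and contacts can be changed without an unlock step")
    if summary["expires"]:
        exp = datetime.fromisoformat(summary["expires"].replace("Z", "+00:00"))
        days = (exp - now).days
        if days < renewal_warning_days:
            out.append(f"expires in {days} days")
    return out


# Constructed sample records (not real registry data), shaped like RDAP domain responses.
_REGISTRAR = {"roles": ["registrar"],
              "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                       ["fn", {}, "text", "Example Registrar Inc."]]]}
SAMPLE_LOCKED = {
    "ldhName": "EXAMPLE.ORG",
    "status": ["client transfer prohibited", "client update prohibited", "server transfer prohibited"],
    "entities": [_REGISTRAR],
    "events": [{"eventAction": "registration", "eventDate": "1999-04-18T00:00:00Z"},
               {"eventAction": "expiration", "eventDate": "2030-04-18T00:00:00Z"}],
    "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "NS2.EXAMPLE.NET"}],
}
SAMPLE_UNLOCKED = {
    "ldhName": "example.org",
    "status": ["active"],
    "entities": [_REGISTRAR],
    "events": [{"eventAction": "expiration", "eventDate": "2026-06-01T00:00:00Z"}],
    "nameservers": [],
}

if __name__ == "__main__":
    # With a domain argument, audit the live record; otherwise run the offline samples.
    records = [fetch_rdap(sys.argv[1])] if len(sys.argv) > 1 else [SAMPLE_LOCKED, SAMPLE_UNLOCKED]
    for rec in records:
        s = assess(rec)
        print(f"{s['domain']}: registrar={s['registrar']!r} locks={s['locks']} expires={s['expires']}")
        for f in findings(s):
            print("  WARNING:", f)
```

Run it with no arguments to see the two samples, or with a domain name to query the live record. Treat a clean result as necessary, not sufficient: a clientTransferProhibited status proves the lock is set today, not that the registrar's support desk will refuse to clear it for a caller, which is exactly the gap the story above turns on.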

The painful part of the GoDaddy story isn't that the transfer happened. It's that the protections the customer thought they had didn't apply when it counted. Find out whether yours actually do, before something tests them for you.

How Steelwise can help

Reviewing where your critical accounts live, who controls them, and what would happen on a bad Monday morning is the kind of work we do for clients. Get in touch.
