"Lee is one of the most competent IT guys I know," Austin Ginder wrote — praise that landed amid a five-day scramble after a 27‑year‑old domain reportedly “vanished” from a GoDaddy account and was transferred to another customer without what Flagstream Technologies says were any authentication checks.
Audit logs and the April 18 transfer
According to logs cited by Flagstream partner Lee Landis and written up by Austin Ginder of Anchor Hosting, GoDaddy confirmed an account‑recovery request by email, and three minutes later a transfer was initiated. The transfer completed one minute after that — all around lunchtime on Saturday, April 18. Ginder and Landis report the whole change of control took approximately four minutes from request to completion.
The audit trail allegedly shows the transfer was initiated only by an "internal user" and did not require the account's dual two‑factor authentication — which flagged codes to email and an authentication app — nor the domain ownership protection that Landis said was turned on. Ginder suggested the "internal user" referenced was inside GoDaddy; the company has disputed the characterization.
Flagstream, the nonprofit client, and immediate fallout
Flagstream Technologies says the affected domain was a 27‑year‑old name used by an American nonprofit with 20 locations. Landis told The Register the organization's website and email accounts were inaccessible while the transfer stood, producing four days of downtime that forced staff to rely on personal email and SMS to communicate about imminent fundraising events.
Over the subsequent days Landis logged 32 phone calls with GoDaddy support totaling more than nine hours and 17 email threads. He says support staff gave inconsistent instructions, declined to escalate with urgency, and never called him back from email exchanges; GoDaddy, he added, closed the case without action four days after the transfer.
How the domain was returned — the role of "Susan" and an account‑to‑account handoff
GoDaddy's decision to approve the transfer, Flagstream says, appears to have been driven by confusion between two similar domains. For storytelling the parties used the examples HELPNETWORKINC.ORG (Flagstream's client) and HELPNETWORKLOCAL.ORG (the domain Susan owned). Ginder said Susan's email signature referenced a subdomain of HELPNETWORKINC.ORG, and GoDaddy staff may have mistakenly transferred the parent domain rather than the intended name.
Susan — not her real name in the reporting — told Flagstream she received a link to upload supporting documentation but that the link expired before she could use it. She then called the nonprofit's CFO after noticing she had the wrong domain and worked directly with Flagstream to initiate an account‑to‑account transfer that Ginder said took less than five minutes and proceeded without GoDaddy support or oversight. Ginder called her "the hero of this entire story."
GoDaddy's response and the disputed documentation
Flagstream and Susan insist no documentation was provided to justify the transfer; GoDaddy denies that assertion. In a statement to Flagstream, GoDaddy said: "After investigating the domain name(s) in question, we have determined that the registrant of the domain name(s) provided the necessary documentation to initiate a change of account… GoDaddy now considers this matter closed."
When The Register contacted GoDaddy, a company spokesperson said: "While we cannot comment on specific customer accounts, we have reviewed our protocols, and confirmed that we received proper documentation and authorization, and our standard operating procedures were followed." The spokesperson added that GoDaddy is reinforcing processes to identify miscommunications between customers and representatives early, "before they create downstream issues."
Flagstream says it had not been contacted by GoDaddy as of the reporting and that an email to GoDaddy's security team bounced when the firm attempted to report the issue.
Security implications and operational mitigation
Landis and Ginder framed the episode as a high‑risk security failure. The loss of control over a longstanding domain, they said, exposed the nonprofit to a range of threats: losing account‑recovery mechanisms, interception of multi‑factor authentication codes, impersonation of the organization, business‑email‑compromise schemes, and exfiltration of decades of archived data.
While Flagstream worked to migrate the nonprofit to a new domain and new email addresses, the team also disconnected company email addresses from linked accounts — from banking and payroll to cloud services — in anticipation of potential abuse. The work required "several guys working on this constantly, even at night," Landis told The Register.
Flagstream has opened discussions with lawyers about legal recovery options that Landis said would likely have succeeded but could have taken months, and is evaluating whether to continue using GoDaddy for hundreds of domains due to the perceived risk.
What this means for Flagstream Technologies, GoDaddy, and nonprofits
- Flagstream Technologies: Evaluating offboarding from GoDaddy, preparing legal contingencies, and auditing domain recovery procedures across hundreds of client domains.
- GoDaddy: Stated it confirmed receipt of proper documentation and is reinforcing processes; it is investigating the incident and disputed the claim that it approved the transfer without authorization.
- Nonprofits and small organizations: Experienced operational disruption and lingering staff fear after losing access to a long‑standing domain — one CEO told The Register operations had largely returned but staff remained cautious about interacting with systems.
The episode leaves a central contradiction at its core: GoDaddy says approved documentation justified the change; Flagstream and the individual who briefly held the domain say no such documentation was provided or processed successfully. For the nonprofit, restoration came through cooperative action by a private individual and frantic mitigation by their IT partner — not the registrar's escalation process. GoDaddy says it has reviewed protocols and is reinforcing them; Flagstream is preparing for the possibility that the next incident will not end in good luck.




