
FTC takes action against GoDaddy for alleged lax data security

ziddoap

It's amazing that (approximately) no one cares about stuff like this.

GoDaddy was severely breached several times over several years, yet they still rake in billions of revenue from their millions of customers. Now they have to pay someone to fill out a biennial checklist and... promise to not lie. Awesome.

If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)

stackskipton

>If you own a company, why even bother with security? Security is expensive. Wait until a breach is exposed, offer $10 credit monitoring (at best), accept the free press coverage, maybe pinky promise to not lie if you've been particularly egregious in your handling of multiple incidents, and then carry on like normal. (This is tongue-in-cheek, I work in security, but I am frustrated with how often stories like this one occur)

As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"

kstrauser

> As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"

Honestly, I'm more afraid of reputational loss than government fines. Our customers don't have to use our product. They do because they trust us. Lose that trust and it's awfully hard to get it back.

tsimionescu

The whole thread is related to GoDaddy's numerous breaches not affecting their bottom line or market position. So it seems lots and lots and lots of people really don't care.

adrr

CrowdStrike took down all Windows boxes that had their software installed and it didn't really affect them.

philsnow

That reputational loss is almost exclusively among those who understand how the crowdstrike products work, but the Venn diagram with those folks and “people at companies who can approve large expenses” is nearly empty.

Yes, the CRWD ticker took a hard hit, dropping about 50% over the course of 2 weeks last July. But... it recently topped its previous high, only 7 months later (which is like 1/2 or 1/3 of an enterprise sales cycle!).

stevenicr

I feel this is more important for a younger or smaller company, and less so when stopping a product from one company to switch to another is a pain in the ass or has other problems / risks.

Switching from GoDaddy to another registrar is not super hard, but there are hurdles, and sometimes problems occur that even people with experience run into.

I think (some?) people also hope a place that suffers a breach learns from it and makes it near impossible for similar to happen again.

zelon88

Most customers use your product because it was on the first page of their Google search results.

The only people whose reputation gets ruined are the D-level directors and managers who run this stuff and regularly run into budget or resource shortfalls that prevent them from doing all that they are capable of doing.

philipov

Creating lock-in which prevents customers from having an alternative is a more effective use of money, because it "solves" not just the threat of reputation loss due to security failures, but many others at the same time.

ted_dunning

Many people consider building a business on customer trust to be a strategic mistake.

reaperducer

> As an SRE, I've heard executives say this: "There is no penalty for breaches, why care?"

Depends on the industry. I'm in healthcare, and our legal department is always reminding the devs that even a small breach can be financially catastrophic for the company, as they are totaled as $xx,000 per person affected.

We get training on it every six months.

stackskipton

Except Change Healthcare got hacked, lost a ton of records, and they are still operating. So those fines could be up to xx,000 per person affected, but in actuality, those affected will get an Arby's coupon and the C-suite will lose a week of yacht time.

infogulch

So the answer is to put the same kind of onerous penalties that companies pay for leaking healthcare data and apply them to any PII / user data. If it can't hit the bottom line bigcorps don't care; liability is the only language they understand.

stevenicr

I'd like to hear more about this training.

I have started to put together some resources to teach the C-suite, maybe new-to-the-field lawyers, and other interested stakeholders about website compliance issues.

I'm looking to mimic other good training / learning materials, add extra info to consider, maybe collab and send business I can't take on, etc.

pyuser583

Yeah I got those trainings when I was merely healthcare adjacent adjacent adjacent.

plagiarist

It turns out HIPAA is a pretty good incentive to do the right thing, and the key difference is that there are actual consequences for violating HIPAA.

Even better, the consequences are stronger in the event that the company obviously wasn't giving a fuck about security.

I wish we had HIPAA for all PII.

benoau

We’Ve eVaLuaTeD the RisKs

honestSysAdmin

[flagged]

inetknght

> And people wonder why Luigi is seen by some as "the good guy".

There are many reasons to explain why people wonder. No one single reason is enough to explain it.

Luckily, no penalty for breaches can be resolved with laws and/or regulations. I suggest you take this matter up with your lawmakers instead of making comments which incite those very same people you describe.

demosthanos

It's a bit exhausting that every time anyone says anything about executives in any context, we have to make sure to bring up the cold-blooded murder of one of them and make sure to remind everyone that some people on the internet think that that murder was justified.

It's free internet points, I guess, but it's also not constructive and frankly more than a little bit creepy.

retrochameleon

They are also the worst hosting provider I have ever worked with, multiple times. Awful customer support and high prices. The only reason I work with them anymore is to migrate new customers to a different provider.

wsatb

GoDaddy had really good marketing at one point and as of the last time I used it, which was years ago, they make it very difficult (I'm pretty sure by design) to leave. Their UX was one of the worst I've ever experienced in my life and they were consistently moving things around to make it worse. They essentially trap you, and someone without either the savvy or diligence will just give up.

dustywusty

The sad truth is that for the most part, the web hosting industry has normalized a fairly lax approach to security, and sees settlements like this, and even breaches, as a cost of doing business. Look at WordPress maintenance, for example.

It's a tough business hosting arbitrary UGC, and doing it well costs a lot of time, effort, and money (ask me how I know). But I fully agree: treating this as just another line-item cost is absurd.

roenxi

I'd be less amazed if people could articulate why this matters. What is the harm being done here and why is it more costly than GoDaddy raising their prices by a few dollars?

barryrandall

One example: They're selling domain registration privacy, but don't sufficiently secure the private data. The entire Domains by Proxy dataset is available on the dark web.

gtech1

So basically like Microsoft?

zelphirkalt

They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider, footing their businesses on shaky foundations.

wswope

Yeah - selection bias and apathy is the root of it, IMO.

GoDaddy attracts the unwashed masses who don't care about security, and who remain unfazed after learning about breaches. Meanwhile, the tech-savvy crowd who would care about breaches already know to avoid GoDaddy and view the inevitable breaches as the plebs reaping what they've sown.

Ergo, no one getting breached by GoDaddy cares, and nobody informed watching it happen feels a need to intervene.

reaperducer

> They profit a lot from uninformed CTOs and founders just going for whatever they heard of, instead of looking into whether it is a good provider

If it wasn't for those old Super Bowl ads, GoDaddy wouldn't exist today.

Sex sells.

overstay8930

Most companies are way too incompetent to even know how to secure their own data because it is just too expensive to actually hire someone that knows what they're doing - so most of the "cybersecurity" industry is just grifters talking about buzzwords and building dashboards to show how good they are at patching CVEs.

I have had to tell multiple cybersecurity vendors that brag about working with huge companies and governments that we cannot work with them because of how poor their own cybersecurity practices are (i.e. not using secure compute/hardware crypto when dealing with our private keys).

These are companies that should know better, I have had to stop ADP professional services more than once from disabling certificate validation on critical pipelines pertaining to confidential employee and customer information. I do not want to imagine what happens at 99% of companies with cybersecurity teams that don't even know what certificate validation is.

calibas

GoDaddy is one of the sleaziest companies I know of.

I ran a website hosted on GoDaddy for a local business when the server cluster was hacked. GoDaddy admitted it was their fault, but the business ended up having to pay me to fix the site. GoDaddy also managed to convince the business to pay for an additional monthly "security" plan, which included page caching. They set everything up over the phone without talking to me at all.

The next day I notice some odd behavior with the admin pages, then realize they're being cached, not only that but they're now publicly accessible. GoDaddy's improved security plan ended up being responsible for a data leak. They really screwed up twice but there was zero penalty, the only consequence was they made more money. The business chose to stay with GoDaddy, despite my recommendations. They saw the ads on TV and were convinced GoDaddy is the pinnacle of web hosting.

Also, check this out: https://www.butterflyave.com/

Those assholes have parked my old business name, and want to sell it back to me for $1,499.

brikym

They seem to park so many domains it wouldn't surprise me if they park new domains based on domain searches. There is a clear motivation there so I always run whois in the terminal instead of searching on any domain registrar with the exception of cloud providers who don't make much of their money from domains.

jmholla

I've definitely heard stories of people saying GoDaddy grabbed their domain right after they searched it. There's almost always someone following those stories saying that it was just coincidental.

I have zero trust in GoDaddy. I remember when I was a kid using their service because my grandparents had bought a website and hosting services through them and they wanted me to create the site. Their interface was so confusing that I felt like I suddenly had no understanding of how computers work.

Fast forward to today, and yes, past me was not very knowledgeable, but not to the degree their site made me feel. They use custom terminology for industry standard things, group things together in weird locations, and have so many dark patterns.

My point: sleazy tactics like domain front-running would honestly be on brand. I tell people not to use GoDaddy and definitely not for domain searching.

tkems

I was shocked when I purchased a domain recently on GoDaddy (I normally use Cloudflare or AWS) and noticed that they have an 'upsell' with more security options (MFA and some other features) for something like $10/yr. Why wouldn't they want their customers to be more secure by default? To me it just reeks of money-grabbing for people that are none the wiser.

grajaganDev

It is outrageous and irresponsible to charge for MFA.

It shows a cavalier attitude toward the greater security of the internet.

Terretta

Same for OIDC (and even traditional SAML SSO).

If every stolen or potentially stolen credential was billed to the breached provider at even $100/account*, SSO would become free so fast your head would spin.

Every credential in the provider's DB would be correctly seen as a liability.

* Arguably the number should be higher and contribute to an infosec response, detection, and preventative measures war chest. Though, ultimately, this would probably just enrich cybersecurity insurance firms.

grajaganDev

Agreed.

Another example is Microsoft charging extra for enhanced logging. This came to light during the SolarWinds debacle.

philsnow

Not exactly the same but this reeks of https://sso.tax.

fastball

Why did you purchase a domain on GoDaddy if you know better?

sethammons

SendGrid, pre-IPO, had a GoDaddy security incident: someone social engineered one of the GoDaddy support reps into giving them control of our domain. We were able to re-secure the domain before the attacker fully locked us out. They could have pwned all of our email links.

honestSysAdmin

A good law would be that if a customer's data is leaked, any and all revenue that was made with/through that customer must be returned to the customer. All of a sudden companies will magically remember how to do half-way sober IT again.

JoshTko

This would be awesome, few if any companies would be able to take the risk of storing customer info, since they would need very good security, and very good reason for every piece of data they store, and insurance to cover themselves in case they do lose your data. In fact companies would go out of their way to not store any of your data.

honestSysAdmin

> since they would need very good security

As someone with 20+ years experience in IT/DevOps/Cloud/whatever, I disagree.

They would simply need to actually use the security that is already there. Data leaks that happen due to lack of "very good security" are extremely rare. In almost every case, someone was doing something very stupid that everyone already agrees is a very obvious thing to not do.


> In fact companies would go out of their way to not store any of your data.

The companies that already use existing IT systems, as they are already designed to be used, have no problem protecting customer data and not leaking it. The companies that cannot properly hire or outsource competent IT people shouldn't be storing data in the first place. Commerce is subject to regulation, due to human nature, and different regulation is needed today.


> and insurance to cover themselves in case they do lose your data

I would prefer that this kind of insurance not exist.

maxclark

The FTC action is because GoDaddy claimed to have security when they didn’t - not because they didn’t have security in the first place.

Subtle but important difference.

Also, the remedies include having a complete security program within 90 days IIRC. In what world would anyone think that's remotely possible?

They wouldn’t even have an RFP drafted in 90 days.

asr

GoDaddy will have known of this investigation since it began—probably for years. So it’s 90 days from now(ish), but they (should) have gotten a head start.

josefresco

If you think GoDaddy is the most terrible, you have never been exposed to the hell that is Network Solutions.

GoDaddy is big, safe and terrible. Network Solutions is big, safe and even worse.

nnf

I can't pass by this comment about Network Solutions without an enthusiastic second. Several times per month I help various customers with their domains, and when I see that one is with Network Solutions, I know I'm going to have to waste a bunch of time with their terrible DNS editor and will have to wait around for at least 20 minutes before their own editor reflects the changes I've made.

The worst part is that when replacing an A record with a CNAME, it lets you delete the A record but then blocks you from adding the CNAME, because "a record with that name already exists" (referring to the one that was just deleted). This is where the 20+ minute wait changes from "inconvenient" to "downtime". It's been like this for at least 15 years.
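The A-to-CNAME failure described above, modelled as an added example (this is not code from the thread or from Network Solutions): the DNS rule that a CNAME must be the only record at its owner name (RFC 1034 / RFC 2181), an editor that validates adds against a stale view of the zone, and an atomic replace that never leaves the name empty. The `Zone` and `StaleViewEditor` classes, the `example.test` names and the 192.0.2.x address are constructed for illustration.

```python
# Added example: why "delete A, then add CNAME" through a lagging editor
# fails and causes downtime, and how an atomic replace avoids it.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.example.test" (constructed)
    rtype: str   # "A", "CNAME", ...
    value: str


class ZoneEditError(Exception):
    pass


@dataclass
class Zone:
    records: set = field(default_factory=set)

    def at(self, name):
        return {r for r in self.records if r.name == name}

    def check_add(self, rec):
        """RFC 1034/2181 rule: a CNAME must be the only RR at its owner name
        (DNSSEC records aside). Raise if adding `rec` would violate that."""
        existing = self.at(rec.name)
        if rec.rtype == "CNAME" and existing:
            raise ZoneEditError(f"a record with name {rec.name} already exists")
        if any(r.rtype == "CNAME" for r in existing):
            raise ZoneEditError(f"{rec.name} is a CNAME; no other records allowed")

    def snapshot(self):
        return Zone(set(self.records))


class StaleViewEditor:
    """Models the editor described in the comment: deletes commit to the live
    zone immediately, but adds are validated against a view that only
    catches up when refresh() is called (the "wait 20 minutes" step)."""
    def __init__(self, zone):
        self.zone = zone
        self.view = zone.snapshot()

    def delete(self, rec):
        self.zone.records.discard(rec)   # live zone changes, the view does not

    def add(self, rec):
        self.view.check_add(rec)         # still sees the already-deleted A record
        self.zone.records.add(rec)
        self.view.records.add(rec)

    def refresh(self):
        self.view = self.zone.snapshot()


def atomic_replace(zone, old, new):
    """Validate the end state first, then commit both changes together,
    so the name is never published with no record at all."""
    staged = zone.snapshot()
    staged.records.discard(old)
    staged.check_add(new)
    staged.records.add(new)
    zone.records = staged.records
    return zone.at(new.name)


def two_step_replace(zone, old, new):
    """Delete-then-add through the lagging editor. Returns True only if the
    add was accepted without waiting for a refresh; on False the name is
    already empty, which is the downtime window."""
    ed = StaleViewEditor(zone)
    ed.delete(old)
    try:
        ed.add(new)
        return True
    except ZoneEditError:
        return False
```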

datavirtue

You just brought back a fifteen-year-old memory. I have used a lot of hosting services but have always avoided GoDaddy. The name sounded too playful... and that was after being a HostGator customer for years. They were decent back in the day and let me serve ridiculous amounts of data from a shared hosting tier that always performed well... I was probably the noisy neighbor.

rybosworld

Years ago, before I was very computer literate, my friend turned me onto Network Solutions for hosting.

Long story short, I got locked out of my account. It truly seemed like the support didn't want to help me get back in. This went on for what felt like forever but was probably just a few weeks. I never got a resolution and was never able to log back in to my account.

I eventually did a chargeback because I couldn't use a service that I was paying for. They were all of a sudden proactive about reaching out, with an accusatory email no less. In their view, the chargeback was fraudulent.

bbarnett

I can't believe they still exist. I remember having to fax my changes to them, pre-2000, when they were the only game in town.

Crazy.

insane_dreamer

I can't believe GoDaddy is still in business. Shows you can be a horrible company -- borderline scammy back in the day -- and somehow survive.

FWIW, we've used Gandi for years and are very happy with it.

akurtzhs

I used Gandi for a long time and switched after they were bought out and registration prices started rising. HN article from 2023 - https://news.ycombinator.com/item?id=35080777

After that I've used spaceship.com, NameCheap's rebrand, without complaint and most recently porkbun.com due to support in dnscontrol.

thinkingtoilet

The power of advertising and first-mover advantage. Outside of the tech space, people really only know of GoDaddy if they want to buy a domain.

msikora

Marketing and large captive audience.

ficklepickle

Are there any security related accreditations for a company that are worth more than the paper they are(n't) printed on?

dikaio

They should be looking into them for buying up all the competitors in domain selling. They bought two of the biggest competitors, Dan.com and unregistery. Dan.com charged 9% on a sale of a domain; now GoDaddy is charging 30%. Completely different company since Bob Parsons sold to a couple of private equity firms.

ivoflipse

In related news, their ISO 27001 certificate just expired. Seems in line with their overall security posture then https://img1.wsimg.com//Sitecore/6/1/registrar-iso27001-cert...

goalieca

ISO 27001 doesn’t mean secure. It does mean they have invested money in compliance though.

jmuguy

I guess it's just the power of advertising, but it's amazing to me that GoDaddy continues to be a popular solution for hosting, domain registration, etc. given their absolute toilet of a reputation.

palmfacehn

They bought out another registrar I was a customer of. Now I am paying 40% more for renewals. If I want to migrate I need to expose my whois info. They're always looking to upsell me into some horrible hosting garbage.

andybak

They've bought up a whole series of services I was using and ruined them.

Anyway. Nice to see the FTC getting a few wins in before they are defanged by the new administration.

kachapopopow

Update your whois to bogus information, transfer the domain, restore whois information. Cloudflare is the cheapest domain registrar long-term, you might get cheaper ones for the first year or first 3 years.

RIMR

Using bogus whois info is a great way to lose your domain. If you are afraid of exposing your phone number and address, rent a P.O. box and get a throwaway number to use in the interim.

fraXis

Can you temporarily change your whois info before you migrate to somewhere else?

uxjw

I've had some registrars lock the domain from transferring for a few weeks after changing whois.


kstrauser

I don't use GoDaddy, but I had to transfer some domains off NetSol a couple of months ago, and it made my experiences with GoDaddy look like a happy dream.

People will put up with all kinds of awfulness if they don't know better.

lenerdenator

They got their product out.

Who else is there that the average person would know about?

stronglikedan

Correct. And the average person isn't aware of their "toilet of a reputation".

apocalyptic0n3

This is the real key. They have an awful reputation amongst technical people (for good reason) but that reputation largely fades away the less technical you are. The average person knows them for their effective marketing, seemingly low prices, and seemingly decent products. They don't get into the weeds enough to expose how untrue those things really are.

For a long time, I worked in an office across from their (now former) headquarters in the Scottsdale Air Park. The number of clients we had come in amazed that we must work so closely with them and expecting great things made the location of the office so invaluable that when they moved to Tempe and Chandler, we had to seriously discuss internally if we needed to follow them.

bogwog

Squarespace advertises a lot too, probably more than GoDaddy nowadays, and they are also a domain registrar.

Maybe GoDaddy just sells themselves better? I see Squarespace as kind of an amorphous boring blob of internet business services.

stronglikedan

Squarespace positions themselves as a website builder more than a registrar. In fact, I doubt the average person would even realize they are a registrar, since that is abstracted away in the website building process.

Linkd

Squarespace is not 'tagged' in my brain under the "domain registrar" category yet. When I blindly think of domain registrars, as much as I dislike them, GoDaddy is the first to come to mind.

grajaganDev

Yup they dominate mindshare.

And their UI for choosing a domain name is excellent.


DonHopkins

An unofficial ranking of the most NSFW GoDaddy commercials ever:

https://www.golfdigest.com/story/an-unofficial-ranking-of-th...

The Woman(!) Behind GoDaddy's Tasteless, Effective Super Bowl Ads:

https://www.forbes.com/sites/jeffbercovici/2013/02/06/the-wo...

Who Let These Commercials Be On TV?

https://www.youtube.com/watch?v=_rRopnyZaR0

GoDaddy's most infamous ads:

https://www.youtube.com/watch?v=u7yFCqOAb9Y

10 SEXIEST GoDaddy Super Bowl Commercials - Sexy Super Bowl Ads:

https://www.youtube.com/watch?v=4ECUIQv9ruo

RIMR

Hilarious to see all the takedowns on these videos. Who the hell DMCAs a reposted advertisement? It's literally free advertising. The only reason they would take these down is because they were ashamed of them, and they probably should be.

DonHopkins

To be fair, they should also have a site gaydaddy.com and tv commercials that objectify sexy men.