Godaddy Security hole

3 replies
Hi,

Yesterday, I got an email from Godaddy stating that I had made changes to my account, although I hadn't gone there.

I jumped immediately to Godaddy and, oh surprise, my account had been hacked and I couldn't log in anymore.

I sent a support ticket and an email to support, and waited almost 90 minutes.
I then picked up the phone (I live in France) and called Godaddy.

A support guy answered me and told me that he needed either the last 6 digits of my credit card on file or the four-digit Shopper PIN, 4 digit Paypal Billing ID.

As I created this account 4 years ago, I didn't remember what the four-digit Shopper PIN, 4 digit Paypal Billing ID was, and I had no credit card set up in my account, only a Paypal account.

While I was trying to make the support guy understand that I needed to be able to log in, the guy who hacked my account used my Paypal account and made purchases for $200 in 3 transactions.

I was on fire, and asked to talk to the support manager. A woman came on the phone, and after another 30 minutes of high stress she finally agreed to change my email address, which had been changed at the same time as the password, and to send me an email to reset the password, and I finally got in.

Finally, after 1 h 15 min, I could get in, and I deleted all the domains the guy had purchased. Now the problem is getting my money back; I went to Paypal for a refund.

Now, the big thing for everyone to remember: even if you have a "secure" password (mine was 8 characters long and rated as 80% strong), you are never sure your account is safe.

So take a paper and a pen, take note of every useful piece of information you could be asked for in case your account is hacked, and put this paper in a safe place.

If you don't have the required info, they ask you to fill out a form that will take 3 days to grant you new access, but in the meantime your bank account is wide open.

Here is an excerpt from the email I got from them:
"If you are unable to log in and would like us to modify the e-mail address on file for an account, we will first need to verify the account. To verify the account, please reply to this message with your four-digit Shopper PIN, 4 digit Paypal Billing ID, or the last 6 digits of the credit card on file, as well as the new e-mail address that you would like to be on file for your Go Daddy account. The change will be made promptly upon verification of information and your reply and you will receive an email confirming that the change is complete.

If you are unable to receive the login information at the email address on file with the account or provide account verification, you will need to fill out the Change of Email/Account form on our website to have this information updated. Please click the link here to proceed to the change of email/account form. The more information you are able to provide on this form the faster we will be able to process your request"

I hope the lesson I got will be helpful for everybody.

And don't forget, even a site showing a "Secure shopping" login is not so secure :evil:
#godaddy #hole #security
  • ss442
    Thanks for the heads up! I guess thieves run everywhere. Can't Godaddy or Paypal track down the offender through his ISP?

    Ed.

    Ed Sunderland
    • KirkMcD
      Originally Posted by ss442

      I guess thieves run everywhere. Can't Godaddy or Paypal track down the offender through his ISP?
      It's not worth their time.
  • Mike Hill
    I use RoboForm for such things and have all my other data stored in there, as well as which CC I use for which services... Then I put all the RoboForm data on a zip drive!

    Mike Hill