A couple of weeks ago, I was sitting on the couch watching TV on a random Sunday night, around 9:30. I happened to notice an email come in from PayPal, confirming a $40 payment to GoDaddy for my virtual server. This struck me as odd, since I didn’t remember even having an active GoDaddy account, let alone one that included virtual servers. I scoured the email assuming it was some sort of phishing attempt, but it looked completely legitimate. While I was studying it, about 5 minutes later, another almost identical email came in for a slightly different service subscription on GoDaddy. Again, from PayPal confirming my order. At this point I started to get concerned, so I decided to see if there was something else going on.
I pulled up the GoDaddy website and went to log in. I looked in LastPass (my password management vault) but had no listing, so I tried my email address with some common passwords I had used over the years – but don’t anymore. The 4th or 5th one I tried worked – possibly the least secure I have ever used, and a password that was exposed in 1 or 2 of the highest profile known data leaks (LinkedIn, Yahoo, etc.). Once I logged in, I was shocked at what I saw.
OK, first a little background. I set up this GoDaddy account in 2008 – yes, 11 years ago – to help out a friend by registering a domain name they wanted to use for some business idea that frankly never got off the ground. I set it up for auto-renew, at whatever the price for domains is – something like $12/year. I honestly don’t remember the last time I logged into the account, as I think I did a 10 year renewal last time. However, to enable auto-renew, I had to tie the account to a payment method. Rather than choosing a credit card, I tied it to my PayPal account for some reason. And unlike credit cards, this type of connection doesn’t expire. I regularly update payment information on PayPal, so it can always process a payment.
So, what did I see when I logged in? Someone had first changed the email address on the account – that’s why I didn’t get notifications from GoDaddy, only from PayPal. This change did trigger an alert to me, which I found after the fact as it was caught in my spam filter. The perpetrator also changed the language for all communications to French – an unfortunate change that made it very difficult to confirm emails that I was getting as I tried to take control of the account back. Lastly, and most important, the intruder had set up approximately $1000 / month of recurring services in everything from virtual servers to domains to toll-free phone numbers! I was truly pwned!
As for what I did, I immediately enabled two-factor authentication. Fortunately, whoever did this wasn’t quick enough to change the password, which between you and me should have been the first thing they did. Next I called PayPal to dispute the charges and refuse any additional charge requests. At the same time, I called GoDaddy to cancel and remove the new services.
Fortunately, everyone I worked with was great. The services were cancelled and the charges reversed. However, 3 weeks later, I’m still fighting to get my PayPal account off my GoDaddy account. It seems technically I have a “recurring” service even though I cancelled automatic renewal (I’ll get an email prompting me to renew). I can’t have one of those services without a payment method on the account, and I don’t want to just swap 1 headache for another by adding a credit card. I continue to work with customer service to get this rectified.
This was a perfect storm for me. An account I completely forgot about using a horribly insecure password that was exposed in numerous data leaks years ago, and an active payment method that never expires. In many ways there was nothing I could have done differently – except maybe not forget about the account. That’s the lesson here, though, I think. If I had remembered, of course it would have had a random, unique password, and of course it would have been protected by two-factor authentication. Happily, I acted quickly when I got my first alert and it was just more of a headache than anything else. But you need to be careful. Unless you plan to never do anything commerce related online (or you never have), there are landmines out there you may not even suspect. Always be alert, always be diligent, and treat anything that seems unusual with the utmost urgency!
The idea of this article is not just to share my tale of woe or embarrassment. As I say, there are scams, plots, and landmines out there everywhere that we all need to navigate. With this article, we are kicking off a new feature – the scam of the month review. Every month we will highlight another scam we have seen, experienced, or heard about. They (hopefully) won’t all be as personal as this one, and hopefully they will have more actionable advice for you, but our goal is to do what we can to keep you educated and share what we see happening. If you hear of anything that might be interesting, or you want to share, please reach out and let us know! I promise we’ll protect you and your identity at all costs, but sharing makes us all better and more equipped. That’s the only way we can fight the rising tide of malicious actors looking to do us all harm!