Yet another reason not to use GoDaddy.
Stories like this are why I’m so hard on apps that ask for your email credentials. If someone has access to your email account, they can get access to everything else you do online pretty quickly by password resets. (In related news, I’ve enabled two-factor authentication on a lot of accounts recently, and I suggest you do the same.)
The problem, as always, is people. These hacking stories increasingly include fake calls to big web services’ support lines, begging the human agents for password resets. It doesn’t matter how many non-repeated letters, non-consecutive numbers, and unique symbols are in a password that’s new every 6 months and not similar to the previous 10 passwords if attackers have no need to crack it.
Services have always needed to allow such requests because people really are legitimately that forgetful, and their online lives really are that turbulent. People forget their website passwords and lose access to their email accounts all the time.1
Smart services are closing these doors, but it’s not easy. If there’s any way for a human to override the security mechanisms if someone on the phone is crying and sounds legitimate, attackers can get in. And if there’s not, you’re going to have a lot of legitimate customers locked out and crying.
It’s not a safe assumption that people will always have access to the email account they signed up with. Often, people use school or workplace accounts that get deleted or redirected out of their control when they graduate, leave, or get fired.
And this is assuming that they typed their own email address correctly into your registration form in the first place. ↩︎