Best

My Website Was Stolen By A Hacker. And I Got It Back.

Screen Shot 2014-03-26 at 1.44.48 PM

***   ***   ***

For several days last week, RamshackleGlam.com – the domain name that I have owned and operated since March of 2010 – did not belong to me, but rather to a man who goes by the name “bahbouh” on an auction website called Flippa.com, and who was attempting to sell off the site to the highest bidder (with a “Buy It Now” price of $30,000.00). He promised the winner my traffic, my files, and my data, and suggested that I was available “for hire” to continue writing posts (alternatively, he was willing to provide the winner with “high-quality articles” and “SEO advice” to maintain the site’s traffic post-sale).

I learned that my site was stolen on a Saturday. Three days later I had it back, but only after the involvement of fifty or so employees of six different companies, middle-of-the-night conferences with lawyers, FBI intervention, and what amounted to a sting operation that probably should have starred Sandra Bullock instead of…well…me.

Of course I’ve heard of identity theft, and of cyber hacking, but honestly, my attitude towards these things was very much “it could never happen to me.” And even if it did…I didn’t exactly understand why it was such a huge deal. Couldn’t you just explain to people what had happened, prove who you were, and sort it all out? We live in such a highly documented world, it seemed completely impossible to me that someone could actually get away with pretending to be someone else with any real consequences beyond a few phone calls and some irritation.

It’s much, much worse – more threatening, more upsetting, and more difficult (if not impossible) to fix – than I’d ever imagined.

I found out about the hacking from my father. His friend Anthony (who is his partner at Pro Italia Online and who runs a web development and consulting company called ThoughtBox) had been surfing around on Flippa and had – in an impossibly lucky coincidence – noticed that my site was up for auction, with what appeared to be a highly suspicious listing. Suddenly, I remembered the email I had gotten the day before – an email that I had disregarded as spam – from someone “interested in the purchase” of my “weblog”. I remembered the notification from YouTube that someone had accessed my account from a different location – a notification I had ignored, assuming that I had logged in on a mobile device or that my husband had accidentally logged into my account instead of his own.

But even after I saw the listing, I didn’t panic: this seemed like something that could be fixed with a couple of emails. Except the auction site was located in Australia and didn’t appear to have a phone number, and when I sent an email with a scanned ID and proof of ownership what I got back was a form letter. And when I called HostMonster, the site I pay to operate my website, I discovered that I was no longer the owner of my site: someone had used their email confirmation system to authorize the transfer of my domain name into a private account at GoDaddy (another web registrar service of whom I’m also a client).

WHY IS THIS A BIG DEAL?

If you have a business that depends on a URL, you understand why this was such upsetting news: With control over my website’s domain name, a hacker would be able to take the site down, or redirect it elsewhere. Further, it was later verified that the hacker had control over all of the site’s content, as well; he could have just rerouted everything I’ve ever written to any location he wanted.

Ramshackle Glam may be “just” a lifestyle blog about things like parenting and fashion and decor…but it’s also a site that I’ve spent five years of my life building, and the idea of it falling into the hands of someone with malicious intent was heartbreaking. I could switch to a new URL and export a copy of my content (which I do back up), but that would result in the loss of a substantial amount of traffic. The website is my primary source of income, and with a house, a child, another child on the way, a book coming out this week, and a husband in business school, this was not a joke. The loss of my URL had the potential to be devastating for my business and for my family in a very real way.

SO WHAT DID I DO?

The events of the next few days were complicated, so rather than go through them chronologically I’m going to explain how each path I took ended up panning out (I’m going into detail so that I can be as much help as possible to anyone who goes through this themselves).

on phone with hostmonster

3AM, on the phone with HostMonster trying to get the site frozen. 

1. I tried to resolve the situation directly with GoDaddy and HostMonster. This did not work.

From Sunday through Tuesday, I spent most of the day (and much of the night) on the phone with GoDaddy, HostMonster, or both at the same time, and nearly every person I spoke with gave me the same response: “Sorry, can’t help you.”

HostMonster maintained that because they no longer controlled the domain name, there was nothing they could do. GoDaddy maintained that because the account was private and the person had obtained ownership of the domain through a transfer from HostMonster, there was nothing they could do.

What finally made a difference: I cited ICANN’s policy on Domain Name Dispute Resolution.* This got my case upgraded, but it did not result in action.

Here’s why: the legal department at HostMonster informed me that in order for them to initiate a transfer dispute that would result in GoDaddy releasing the domain back to me, their “internal investigation” would have to turn up evidence that they had done something wrong in releasing the site. In other words, they would have to admit that they had screwed up…which would in turn open them up to a lawsuit.

Needless to say, I never heard from the legal department again. Despite the fact that everyone seemed clear on the fact that I owned my website and that it had been transferred without my authorization, nothing was going to be done unless I initiated a time-consuming and costly lawsuit that, in any case, would not result in action quick enough to save my domain name from being sold.

So that avenue came to an end.

Screen Shot 2014-03-31 at 10.15.47 PM

2. I called the FBI. This was a major step in the right direction.

The morning after I found out about the unauthorized transfer, I also called the FBI. I felt silly and dramatic making the phone call, but the reality is that this is an international cyber crime issue, and that’s FBI territory. And this is my business. It’s how I support my family, and it may be a “small matter” in the grand scheme of things, but it is not a small matter to me.

And let me tell you: of all the surprises I’ve had over the past week or so, most surprising of all has been the FBI. They responded immediately, with follow-up phone calls and emails, an in-person interview with two special agents at my own home within 24 hours, and a follow-up visit from two agents yesterday. Beyond that, each and every agent I have interacted with over the past week has been, without fail, compassionate, thoughtful, invested, respectful, and committed to action…in addition to treating me not like a case number, but like a human.

What I expected was to leave a message with a general mailbox and at some point receive a form letter; I certainly did not expect to see an active investigation opened immediately. I’m not going to write more about the investigation because it’s still ongoing (although I did ask for and receive permission to write about this), but I think it’s important to say how absolutely blown away I have been by the FBI’s response.

3. I tried to regain control by dealing directly with the “seller”. This worked, but not without considerable drama.

While all of the above was going on, I was also working to regain control over the site directly from the individual who was trying to sell it.

I didn’t want to contact the “seller” directly, because I felt that if he thought the “real” owner of the site was aware of the sale, he would try to extort more money. So I asked Anthony – the person who had found the original listing, and who had an active account with a positive history on Flippa – to DM “bahbouh” to see if he was interested in a “private sale”. After some back-and-forth we reached an agreement, and it was decided that a third-party money-transfer website (Escrow.com) would be used to make the sale: the money would only be released to the seller upon confirmation that the domain name had been transferred.

This appeared to be going smoothly until Tuesday night, when the seller suddenly demanded that the funds be released immediately (prior to receipt of the website). When we pushed back, he announced that he was selling it to someone else: “Sorry, bye.”

So here was my thought process: if we did not release the money to the seller, we were guaranteed to not get the website. If we did release the money to him, there was a possibility that he would take the money and run, and also a possibility that he would deliver the site as promised. It wasn’t a gamble I wanted to take…but I didn’t see any option. And so I authorized the wire transfer.

I spent twenty minutes sitting in front of the dummy GoDaddy account I had created to receive the domain name from the seller, waiting to see whether I was out thousands of dollars and a domain name, or just thousands of dollars.

And then it came through.

I immediately transferred the domain into a different account and placed it (and all of my other domain names) on what amounted to lockdown. And then I called the wire transfer company and placed a stop on the payment.

THE END RESULT:

RamshackleGlam.com is back in my possession, thanks to a number of people who dedicated hours (in some cases days) out of their lives to doing whatever they could to help me. My other accounts – bank accounts, et cetera – have been secured. I don’t have my money back yet, but the man who stole my site from me doesn’t have it, either, and won’t be getting it, ever.

And that’s an ending I’m pretty damn thrilled with.

SO WHY AM I STILL ANGRY?

Of course I’m angry with the person or people who stole the site, but that’s out of my hands. The reason I’m writing this post is to let people know that this really can happen – to anyone – and to offer suggestions for how to minimize the chances that it will happen to you (below), but beyond that, I’m writing this post because this incident made me very, very angry at GoDaddy and HostMonster. And I want you to know why.

No one at either company questioned my statement (supported by written proof) that the website belonged to me. No one doubted that it had been transferred without my authority. And yet I had to spend days – days during which the hacker could have done virtually anything he wanted – trying to reach one single person who was able to do anything, because the support staff and supervisors I spoke with (who had to have numbered fifty or more) were completely uninformed as to how to handle this situation beyond saying, “Jeez, that sucks. Can’t help you.”

Screen Shot 2014-03-27 at 11.38.53 AM

Screen Shot 2014-03-27 at 11.40.01 AM

HostMonster and GoDaddy screen-grabs

And once I reached people who could help me – who could literally make a single phone call or push a single button and return my property to me (or simply freeze it so that it could not be sold or destroyed) – they would not. They hid behind their legal departments and refused to do anything, knowing full well that their inaction would force me to either interact with and pay off a criminal, or lose an essential component of my business.

And hackers know that these companies will do this.

They rely on it.

There is a serious problem when a criminal enterprise not only exists “despite” a company’s policies, but actually thrives as a direct result of that company’s prioritization of their own interests over the security of the clients they allegedly “protect”. Do I understand why companies like HostMonster and GoDaddy are focused on protecting themselves against lawsuits? Of course I do. But the fact is that they not only do not “help” their customers, but actively contribute to creating situations that threaten small businesses and the families that they support.

And these companies know that when they stonewall clients whose property has obviously been stolen that these clients will have no other recourse than to pay off criminals or watch their businesses – sometimes their very lives – collapse. They know that by standing in the way of immediate action they create the very environment that these criminals depend upon to perpetuate their business model. And they do nothing.

This has to change.

MY OPINION, FOR WHAT IT’S WORTH:

Support personnel at hosting companies should be made intimately familiar with ICANN regulations involving domain disputes, and should be able to initiate a plan of action the first time a client makes them aware of a situation, not after hours and hours of repeated calls.

Further, the establishment of a TEAC** should result in an immediate freeze on the account in dispute until the situation has been resolved. This should not require an admission of culpability on the part of any parties; simply an acknowledgement that a dispute exists and an awareness that while the dispute exists the domain must be held safe from sale or transfer.

WHAT YOU CAN DO TO REDUCE THE CHANCES THAT THIS WILL HAPPEN TO YOU:

1. Have a really, really good password, and change it often. Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense.

2. If possible, use a separate computer (an old one or a cheap one purchased for this purpose) for things like banking; if your family computer is the same one that you use for bank transactions you risk having your kids click on a bad link that results in a hacking.

3. Turn off your computer and personal devices when they’re not in use.

4. Have antivirus software on your computer (but remember that virus scans only catch 30-40% of viruses, so unfortunately a “clean” check doesn’t necessarily mean that you’re safe).

5. Purchase CyberRisk Insurance (learn more about it here; it basically protects businesses from cyber attacks and data breaches.

BUT IF IT DOES HAPPEN TO YOU, HERE’S WHAT TO DO:

1. Begin taking careful notes (and screenshots) immediately. Don’t delete any emails or other information; it could all be important later on.

2. Immediately change all of your passwords (including – but not limited to – domain registrar, website hosting, website login information, email, bank accounts, wireless home electronics, and Apple ID) according to the rules stated below. I changed mine every few hours while this situation was still up in the air, and am continuing to change them every few days for the time being.

3. Contact the registrar(s), citing the ICANN policy below, and see if together you can arrive at a speedy resolution. Don’t be surprised if you find yourself running into dead ends.

4. Make sure to inquire about “filters” and “rules” that may have been placed on your email (basically, any kind of device that the hackers may have placed to forward emails, et cetera).

5. Contact appropriate law enforcement (I contacted the FBI because it appeared to be an international issue, and was at the very least an interstate issue because Escrow.com is located in California, and I’m in New York).

Note: Every situation is different, and I can’t wholeheartedly recommend the steps that I took that ultimately resulted in me regaining control over my domain name largely because they involved interacting with criminals. Obviously that isn’t ideal, and can have unpredictable consequences. (Although my husband says that he would like it to be known that he thinks I’m a huge badass. While this is ordinarily very far from the truth, in this specific instance…I’ll take it.)

The End. (That was long. Thanks for reading.)

***   ***   ***

*ICann.Org is the Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for managing and coordinating the Domain Name System (DNS)ICANN’s policy on Domain Name Dispute Resolution essentially states that in the case of a domain dispute, the Losing Registrar (the registrar that maintained possession of the domain name pre-transfer, as opposed to the “Winning Registrar”, who maintains possession of the domain name post-transfer). must immediately establish a Transfer Emergency Action Contact (“TEAC“) in an effort to get the ball rolling in the direction of resolution right away). Once I had this information, my case was immediately upgraded.

**TEAC: A contact that is established by ICANN and used by other registrars and ICANN if there is a need to quickly address issues with domain transfers between two registrars. The contact must respond to inquiries within four hours, though final resolution may take longer.

{ Follow along on TwitterInstagram or Facebook }

{ Subscribe to the RG YouTube channel }

  • antheapena

    O.M.G. what a nightmare but SO well handled & great of you to share

  • Jessie

    So, did they hack your GoDaddy account? Or how did the domain get transferred in the first place? You may have explained this and I just didn’t get it – all this is a tad over my head technology-wise, but i’m very interested.

    • jordanreid

      No, it’s confusing. I left out some details to keep the post just “really, really long” as opposed to “unreadably, thesis-length long,” so ask away.

      Basically, when I relaunched my site last fall I switched the hosting and domain name from GoDaddy to HostMonster, but left my email system over at GoDaddy for no especially good reason other than it seemed complicated to switch over.

      So what we think happened was that the hacker got in through my GoDaddy email and then used that access to “prove” who they were to HostMonster and transfer the site into their own account. Basically, both companies experienced a security breach.

      Does that make sense?

      • Tim

        Yes, that seems likely, but how did they get access to your email account? Was you password changed by them, preventing you from getting in? Was your password that easy to guess? If not easy did you ask GoDaddy to investigate this breech?

        • jordanreid

          They didn’t change my password, no. I don’t know why. And trust me, I have asked GoDaddy to investigate, but I think moving forward with something like that would require a court order. (HostMonster is also doing an “internal investigation.” I’m not holding my breath for the results of that one, either.)

      • Brandon

        You may want to consider moving your email to Gmail or Google Apps; both mail services from Google support two factor authentication. Someone would have to get your password AND access to your cellphone number in order to breach your email. Also, Google has a paranoid level of heuristics if you try to login to your email account from somewhere they’re not expecting you to (which is a good thing).

        EDIT: Any email provider who supports 2 factor authentication should be fine.

        https://support.google.com/accounts/answer/180744?hl=en

        • jordanreid

          I have 2-step authentication on all accounts that offer it now, and have taken additional security measures re: hosting and email. To transfer the site at this point you’d have to have my password, my cell phone and my wallet 😉

          • Mxx

            Might want to double check that all your services have 2 factor auth enabled. There’s a community effort to have an extensive list of sites that support 2factor auth at http://twofactorauth.org/

            It also sounds like you didn’t have “domain lock” enabled on your domain(s)?

      • newman

        It’s most likely your own security practices that caused your domain to be stolen. Emailing passwords, saving them in plain text, downloading trojans, etc.

        I’m just saying, your statement “both companies experienced a security breach” is pointing the finger at them when the security breach is most likely your fault. But yeah, godaddy and hostmonster customer support are both terrible.

      • Jessie

        Yes! Thanks. You have switched all yours over, but for others out there reading this GoDaddy has 2-step verification also.

      • electric

        >> Basically, both companies experienced a security breach.

        I don’t mean for this reply to be insulting. My purpose is to shed some light on *how* this kind of hacking occurs.

        It is very unlikely that either company had a security breach. I actually own a web hosting company, and we frequently (at least a few every day) have customers who “lose” their websites, just like you did… and then claim the fault is ours because we allowed a security breach.

        (No, my company is not affiliated with hostmonster or godaddy.)

        We investigate every claim, and the result is *always* the same. Here are the reasons why/how a website and/or domain name is able to be “hacked”:

        – Most common is that the hacker somehow got a “keylogger” virus or malware installed on the customer’s computer. There’s a hundred ways to get your computer infected by a virus/malware so I won’t go into that here. Essentially, the “keylogger” records every keystroke and mouse-click, and then sends them to the hacker. The hacker then simply searches for anything that looks like a login link and the associated un/pw you sent to the site to login, and bingo… now they know your credentials.

        i would say 95% of our customers with a hacked website, email or domain name had this happen.

        The solution is to install and use a good virus/malware scanner. There are several free ones and also pay ones. Do a google search for “free malware and virus scanner” to get some links.

        – Second most common is when some website you use gets hacked, an the hacker installs a file that records logins. This is the same sort of problem as the reason I just listed, but basically instead of your computer getting a keylogger installed it is the website/service you use that has the keylogger installed. So when you login to the website you give the hacker your login un/pw, and now they have access to your account. Most people use the same un/pw and email address for everything, so it’s very easy to see where your domain or website is registered and hosted, and then try to login as you.

        There is no way to detect a keylogger virus/malware for a website or service you don’t own or control, so the only solution here is to use different passwords for *every* website/service you use. NEVER use the same password for anything. Then use a good password management software such as keypass or laspass or one of the dozen others to manage all your passwords and the associated website. (Do a google search for “free password management service” to find some other good pw management services and tools.)

        – The third most common method of hacking is when you click on a “phishing” link that arrived in your email. This is when the email has a link to a hackers website, but it is disguised to look like the “normal” link to the service you use. So the email might appear to be from paypal and have a “click here to login” link. You then click that link, go to the website (and don’t pay attention to the URL) and login as normal. Poof. You have just provided your login un/pw to the hacker. Now they redirect you to the real website, and you might wonder why your login didn’t work so you enter it again, and you get in. You probably won’t even think twice about it and assume the website just had a glitch. Nope. The hacker now has your login info for this website.

        The only solution to this “phishing” problem is to use different usernames and passwords for every website. Same as above. This way, if the hacker gets your un/pw they only have access to the one website and nothing else.

        – The fourth most common method of hacking is social engineering. This is when the hacker knows something about you already such as your email address or username.. but they don’t know your password. So they call up the company they want to hack, and use social tricks to get access. “Hey, this is xyz and I lost my password and can’t remember my secret code. Can you help me out?” You would be surprised how often this works.

        Again, there is no solution to this method of hacking, except to use different passwords for every website. If the hacker manages to trick the company into resetting your password, they (the hacker) will only have access to that one website.

        – The last common method of hacking is simple brute-force. This is when the hacker just guesses your password, and since you used something super easy and common as your password… they get access. You might be surprised to learn that many many people use basic words and numbers as their password. These can be “guessed” by a password guessing machine in seconds. Yes. Seconds.

        The solution to this is easy — always use difficult passwords that have no “words” or phrases that are in a dictionary. As Jordan mentioned, you should use a combination of Up/LoWeR case characters, numbers, and symbols. Once again, any decent password management tool will help you keep track of all your individual website’s and services passwords since it is difficult to have a separate password for every website.

        I hope that helps. Sorry for the wall of text, but hopefully this will help. I see so many victims of hacking, and it’s no fun. The above points will protect you from the vast majority of hacking attempts.

        TL/DR – Never use the same password for every website. Use a good password management tool to keep track of your individual passwords. Use difficult-to-hack passwords; never a word/phrase that is in the dictionary. Install and regularly run a good virus/malware software on your computer to detect and remove any “keylogger” virus that is installed.

        Cheers!

  • Jess

    Curious, was the site locked previously? And they somehow got your gd pw then transferred as you? I seem to remember when transferring mine they asked security questions, which no hacker would know if they’re good enough – even if they had email access they wouldn’t have been able to answer those so they wouldn’t have been able to proceed with the transfer

    • jordanreid

      I did have privacy and something called “site lock” on my site, but it turns out that’s more about malware monitoring and verifying your credentials to clients. The process to transfer the domain from HostMonster, as I recall, does not involve security questions but rather requires the owner to use their email to receive a file, which they then upload to confirm the transfer.

      I now have 2-step authentication on all my accounts, which means that in order for anything at all to be done, I have to verify a code that I receive in my cell phone. I also paid for an upgraded protection plan that requires me to do the cell phone verification AND send in a government ID in order to transfer the site in the future. The hacker is still trying to transfer my site (I’m getting repeated notifications that a “transfer request” has been initiated) so this triple protection is making me feel better, but I’m still trying to implement other security measures (a really good password that I change frequently, banking on a separate computer, et cetera).

      • Jess

        Yup was going to suggest 2 step. It seems silly to only require email access for something like this, when security questions would help prevent most of these unauthorized transfers. There are extentions/apps that generate gibberish long tough passwords and change them often for you, which may help at least for a while during the frequent changes.

        It’s scary when you see them still trying, right. I had a different experience due to my cluelessness years ago – I registered an LLC FIRST then went to grab the domain and within a few hours a squatter had grabbed it and tried to sell it to me…based only upon the state business registration files which are public. Kept quiet for a year and snatched it back as soon as it dropped, but it was a pain.

      • jordanreid

        PS I’m also, to some extent, speculating about how exactly the hacker got access based on various pieces of evidence. Since it’s an investigation at this point I just want to be clear that this is how I (as a non-expert in these matters) *think* the hacker got in, not what the investigation has determined *definitely* happened.

        • You should also try to disable logins from remote locations. Most websites which offer the feature to notify you when someone has logged in to your account from a different location also have the functionality to entirely disable such logins.

          You should also enable two-factor authentication on your Google, Facebook and other accounts which allow you to login to other websites.

    • jordanreid

      PS I’m also, to some extent, speculating about how exactly the hacker got access based on various pieces of evidence. Since it’s an investigation at this point I just want to be clear that this is how I (as a non-expert in these matters) *think* the hacker got in, not what the investigation has determined *definitely* happened.

  • Tara

    ….April fools??

    • jordanreid

      lolol, nope, not this time. that would be kind of amazing, though (and also terribly mean of me to make you guys read a novel and then be all HAHAHA).

  • KB

    Oh poor you, I do hope you are trying rest and relax post this apocalypse. We’re all here for you and, just to re-state, you are such an excellent writer, even something as technical as this was illustrated and expressed beautifully. Don’t give up JR! We love you, take a deep deep breathe, bath and have a banana split, they always help.

    • jordanreid

      <3 thank you! banana splits on the way :)

  • This has to be an April Fool’s right?

    • jordanreid

      unfortunately, not this time.

  • Some of their policies may seem kafkaesque and have legal holes in them, but understand that *every* policy can be leveraged by bad actors. Every day, every person you talked to on the phone is dealing with people pretending to be people they are not. So despite all the evidence you had proving that you were the owner of the site, there are people with just as much evidence that are trying to social engineer their way into taking sites from people. Basically, a company has to rely on one method of proof for domain ownership, in this case it is ‘ownership of the email account’. You may not have realized just how much power your godaddy email had, but it was basically the key to your safe deposit box.

    if you are 100% certain that your email address had a unique, complicated password ), then godaddy may have had a breach, but its actually more likely that some other service that you used in the past was breached, and had the same password.

    Further, the establishment of a TEAC** should result in an immediate freeze on the account in dispute until the situation has been resolved

    That sounds good to people who have had a domain stolen, but it would immediately become a way that people with no ownership of a domain could use to shut down a competitors site.

    What *really* needs to happen to prevent these sorts of account takeovers is for godaddy/hostmonster and everybody else to implement two factor authentication. So that in order to transfer a domain ownership, they would have to steal your email *and* steal your cell phone – so much less likely.

    • jordanreid

      You make excellent points. But still: I was floored by the extent to which NOBODY I spoke with – support staff to supervisors – knew about the ICANN policy until I cited it, and once I did even supervisors admitted that they didn’t know how to proceed since they’d “never had one of these before.” If the very system that exists in order to protect people against isn’t even something that staff members know about, there’s no way it’s being used effectively. It shouldn’t take days to “convince” a company to take initial steps to come to the assistance of clients who are dealing with time-sensitive matters that affect their businesses; I do understand that people abuse the system, but that’s no excuse for a total shutout of assistance.

      Once I escalated to the legal department they knew what I was talking about (re: TEAC) and how to fix it, but would not help. For reasons that I understand, but still cannot agree with; at that point I had been able to provide sufficient documentation and proof of FBI intervention to at the very least immediately place a hold on the account preventing it from transfer or shutdown.

      The thing is, the point of a TEAC is to presumably open up a real-time conversation to resolve the issue. But a TEAC couldn’t even be initialized in my case because I got stonewalled by the legal department’s desire to communicate that they hadn’t done anything “wrong”. What I’m saying is not to make it easy for people to freeze up competitor sites, but rather to make it easy for people to *start the process* during which they use thorough methods of discovery to rapidly prove ownership and prevent the site from transfer or shutdown. It’s a matter of taking it to the level of human beings, and looking at the documentation that exists, and then making an efficient decision to take initial measures to protect clients.

      I do agree that 2-step authentication is an excellent starting point to reduce the number of these cases.

      P.S. I don’t think I was clear on this point: my old password was not very good at all. It’s been suggested that it was a brute force hacking.

  • Kevin Chen

    GoDaddy sucks. Try someone with better customer service, like Hover[1] or Namecheap[2].

    [1]: http://hover.com/atp
    [2]: http://www.namecheap.com/?aff=65963

  • chelse

    This happened to my husband and I. Thank you for sharing. Our experience with GoDaddy was exactly as you described. So happy you got your URL back. Love you to pieces!

    • jordanreid

      so sorry to hear that :(

  • Guest

    How it was possible to transfer domain more than 2 times in so short period? If there is transfer limit for 60 days.
    “If I bought a name through one registrar, am I allowed to switch to a different registrar?
    Yes. The Inter-Registrar Transfer Policy, applicable to all
    ICANN-accredited registrars, provides that registered name holders must
    be able to transfer their domain name registrations between registrars.
    You must wait 60 days after the initial registration or any previous
    transfers to initiate a transfer.”
    http://www.icann.org/en/resources/registrars/transfers/name-holder-faqs

    • Matt

      If it was from one GoDaddy account to another then it’s not technically an ‘Inter-Registrar Transfer’

      • jordanreid

        Correct. The first transfer was from my account at HostMonster to the hacker’s account at GoDaddy. The second transfer was from the hacker’s account at GoDaddy to my dummy account at GoDaddy. At one point we were going to have him transfer the account from his GoDaddy account to an external (non-Godaddy) account, but that would have taken up to several days to process.

        (Again, this is what I believe to be true. The discovery process could certainly turn up other facts.)

        • Canuck

          “At one point we were going to have him transfer the account from his GoDaddy account to an external (non-Godaddy) account,”

          Ah no. Once it’s been transferred from one registrar to another there is a 60 day holding period. From then you can only do a registrant to registrant transfer at the same registrar as you did.

    • debbiee

      hi there my name is deb, if you are stuck or in need of a brilliant mind to help hack your cheating spouse phone,text ,email or account contact blackhatcreator@gmail.com he is simply genius

  • daniel

    Avoid GoDaddy and HostMonster. Seriously, I can’t believe their poor services. I stopped using GoDaddy couple of years ago and now I’m happy with NameCheap

    • Matt

      +1 for Namecheap – they are fantastic

  • Oh good god and you still managed to email me back in the middle of all this? You are indeed a huge badass.

    So glad it all turned out ok and fingers crossed it’ll get properly resolved. That’s also making me question how safe all my passwords really are..

  • A

    The “best passwords” are not ones that “look like nonsense.” It’s about length, not entropy.

    • jordanreid

      Actually I disagree. I’ve been informed that they should essentially look nonsensical to anyone else, but make sense to you so that you can remember them. Length is important as well (also the inclusion of symbols, numbers and capital letters), but most important of all is to avoid “real words” that could facilitate a brute force hacking.

      • Nathaniel

        Hey Jordan!

        Web developer here. I’m afraid our friend “A” here is right. Length matters far more than whether it’s a random string or a bunch of words. Each character you add to your password increases the difficulty of cracking your password exponentially. Here’s a couple good reads on it:

        http://preshing.com/20110811/xkcd-password-generator/
        http://www.baekdal.com/insights/password-security-usability

        • jordanreid

          I stand corrected. Thank you!!!

          • Nathaniel

            Absolutely! What’s great as well is that easy to remember passwords ( like “children play trees fight” ) is both easy to remember AND secure, just because it’s long :)

          • Caleb Lane

            As long as the password is not contained within a list of commonly used words and isn’t in the dictionary, length is the most important thing. The second most important thing I would say is using the widest variety of characters possible including lowercase letters, uppercase letters, numbers, and special characters.

            You want to generate a secure password from a password generator such as GRC’s Password Generator (https://www.grc.com/passwords.htm). I always generator my passwords to be 50+ characters but everything over 15+ characters will be fine.

            Also, make sure you change your passwords every 3 months and don’t share your password with anyone. Lastly, store your passwords securely using a password manager such as LastPass (https://lastpass.com/). You should have a strong master password with LastPass and use two factor authentication. You should also use two factor authentication with all of your other accounts that offer it.

            If a site requires a secret question, make sure the answer to that question no one else would know or make it a password or phrase that you would remember. Don’t reuse passwords on other things as well (only use the same password once).

            Make sure when you are logging in that the site is using HTTPS (the browser addon HTTPS Everywhere can help with that) and you aren’t logging in from a public network such as from Starbucks. Even if you are logging in from a private network, I recommend using a VPN that uses encryption such as proXPN. For your home or office network that you are logging in from make sure it is using WPA2 encryption, it has a random network name, a secure password, you have changed the default credentials for the network settings to something secure, you have disabled WPS, etc.

            That is all I can think of right now in terms of password security, but those are the main things that you should focus on in terms of secure passwords.

          • Nathaniel

            ^ yup. +1

        • Another link, good old XKCD: http://xkcd.com/936/

        • SaltwaterC

          Actually that’s not necessarily correct. Don’t take your security advice from web comics without understanding all the consequences. There are things to consider: are you defending against an online attack (ie: there’s a very low probability of having a database leak) where brute force is less likely to succeed or an offline attack where all bets are off if you have a password generated by using either of the methods from the XKCD #936.

          In case of offline attacks, any reduction in entropy can have dire consequences. The folks who run multi-GPU clusters take into consideration these password generation schemes. Only a true pseudo-random password is your friend if this happens.

          Other things to consider: brute-forcing of any kind is a difficult business. These criminals (can’t call them hackers) usually go for the low hanging fruit. It’s often easier to obtain a password via other attack methods: keyloggers, eavesdropping, or the “lead pipe vulnerability” if something is really valuable (http://xkcd.com/538/) – to name a few.

          A proper analysis of XKCD #936 is done here: http://security.stackexchange.com/a/6096 (the whole thread is interesting)

          To sum up some rules, not mentioned in the article:

          – Don’t browse the web over insecure networks. A public WiFi is the most common example. Use a VPN in this case.

          – SSL is as secure as the user using it. Don’t accept invalid certificates. Make sure the web address is correct and it is over a secure link. The browsers indicate this. Doing sslstrip to unsuspecting victims is easier than it looks.

          – Keep your software up to date. Qualys BrowserCheck is a good helper in this regard.

          – Don’t reuse passwords.

          – Keep your private information … well, private. Password reset systems that use a “secret” question and answer often succeed because people publish this kind of information in social networks. Besides, this is a set it and forget it thing which can hit you when you least expect this.

          – Last but not least, as mentioned in other comments: use two-factor authentication whenever possible.

          • I agree that taking steps to ensure that your passwords are sufficiently complex, unique, and are supplemented with 2-factor authentication are important, but let’s not forget that there’s no such thing as 100% security. If cracking passwords and 2-factor auth are hard, criminals will of course seek easier attack vectors/paths via social engineering, like what happened to Mat Honan because of “Cosmo the God”.

      • Hi @jordanreid :) So a number of people have recommended password managers[1][2], and others have recommended using long passphrases instead of hard-to-remember passwords with mixed caps and symbols[3][4][5][6].

        I totally agree that password length matters more than how many different symbols and mixed caps that you use, because the way the math works out, each additional character increases the number of possible combinations exponentially, while increasing the numbers of possible symbols used for each character only increases the base number. For example, if you use the 26 letters of the English alphabet, with a length of 24, then the total number of possible password combinations is 26^24.

        However, I think that coming up with a long passphrase is impractical for all the different accounts that you might have online. Each of your accounts should have a different password, so that if for some reason someone does steal the password for one account, they can’t then use the same password to steal any of your other accounts.

        Therefore, I recommend that you use a password manager that will generate random passwords for you, and that keeps them encrypted. A good and popular manager for Windows is KeePass, while 1Password is good for Apple computers.

        Just make sure that those random passwords are sufficiently long, and that their complexities are at least 128-bits, which is the minimum required nowadays to have a password that’s difficult to brute-force crack. That minimum may change in the future, however, as computers become more powerful, and better password cracking algorithms are invented.

  • Nicole

    I actually skipped to the end of this post hoping it was an April Fool’s joke. How horrible. Involving the FBI was so smart on your part. People don’t realize how much help they can be in situations like this. The amount of stress was probably off the charts, but you really handled this so well. You definitely kicked ass.
    This is so not the post to write this, but my boyfriend surprised me with your book on Friday. He preordered it for me back in December when I mentioned it. It’s really good. It’s on my bookshelf sitting between Jessica Alba’s The Honest Life and Alexa Chung’s it. Seems fitting to me. Congratulations, again!

    • jordanreid

      Oh, amazing – thank you so much!! And thanks to your boyfriend as well :) :)

  • This is not the first case about people stealing domains on GoDaddy.

    Unfortunately, it’s proven to be too easy if someone uses some social engineering, like getting the last 4-digit of your CC or you complete name or access to any email account you own.

    This guy here writes about someone that used those very same technics on GoDaddy/PayPal allowing him to gain access to the users email, Facebook and Twitter, so his whole Internet identities.

    That’s why we should avoid bad services providers like GoDaddy. They have awesome support to sell, but terrible service. I would recommend Namecheap, or any other, but not GoDaddy (just pure marketing).

  • Lauren

    Wow! This is awful, but you’ve explained it and handled it really well. Badass!

  • Andy Chang

    I suppose it would be also helpful if u had a SSL certificate to verify that you are the real owner/organization of the domain?

    • jordanreid

      That would certainly be helpful. I do have DOS proof of ownership of an LLC of the same name, as well as all the emails confirming purchase of the domain name, but that would be a good thing to keep handy as well.

  • Neither the WordPress CMS used on this blog nor the PHP programming language that it uses are considered very secure. This link lists some things your service provider can do to help protect you.

    It you tend to edit your blog from your home computer, consider using e.g. random.org to generate long random passwords, and store these in a file on your computer. Use these to log into your site. You can just copy/paste them into your browser to use them. Of course the harddisk of your computer should be encrypted…

    Since you use Disqus for comments anyway, consider switching to what is called a “static site generator” platform. This is a program that generates a website (as plain HTML pages) from articles that you can write in different formats. This can run on your home computer. You can then use a relatively secure way like rsync over secure shell to transfer this to the hosting provider. Unlike e.g. WordPress, such a setup does not require a database engine at the hosting provider, not does it require PHP. So it it not vulnerable to a whole class of attacks.

  • Jen

    Wait – so was the wire transfer company in on it when you authorized the funds then quickly pulled them? How were you sure that would work? How did the hacker not realize that’s what you would do? Are you getting the money back?

    • jordanreid

      We confirmed with them in advance that if we could show that a legal investigation had been opened re: the transfer they would place a hold on the payment, so I did know that going in, but this all went down at 9PM when the Escrow.com offices were closed, so it wasn’t until the next morning that I was able to confirm for them that the case was being investigated and get them to hold the money. For what it’s worth, they were pretty amazing – they immediately connected me to a supervisor who gave me his direct phone number and had the hold placed on the funds very, very quickly (like, within minutes).

      Basically I *wasn’t* sure it would work when I sent the guy my money; there was a good chance that a) he wouldn’t send me the site at all and b) the transfer would process before I could call the wire transfer company the next AM. But I didn’t see any other option than to take that risk. I don’t know why the hacker didn’t realize this was a possibility; I guess he hoped that if he delivered the site to me (which he did) Escrow.com would be forced to release the money to him regardless of the circumstances under which the site had been taken?

      My understanding is that I will definitely get the money back; I’ll just have to wait for everything to sort itself out…so I’m assuming anywhere from a couple of weeks to a couple of months.

    • electric

      A wire transfer is not able to be reversed. It’s like that:

      1. The wire transfer had not actually finished when Jordan put in the stop/hold order. (So the thief released the website before the wire transfer had actually finished.)

      2. The hacker uses a legitimate bank to receive the transfer (not offshore), which has agreed to hold the funds at the request of the sending bank. The sending bank could send a *request* for hold to the receiver’s bank, but normally the receiver’s bank would have no reason to fulfill the request unless they have an unusually close relationship (same parent company) or some other reason (FBI made the request, etc.)

  • IV

    Jordan, GoDaddy has 2 step verification bro why don’t you use that? Make sure your e-mail does too and if your mail provider doesn’t support 2 step verification (or two factor as Microsoft likes to call it), then your ass needs to change providers.

    It’s not only Google who are bastards when it comes to theft, Twitter is too. Just Google about the dude who lost @N Twitter handle.

    It’s the feeling of being violated that never goes away. You have to change every single password for every site you’ve signed up to when your email is hacked, even if it isn’t important. People can steal money from your bank and you can get it back quicker than any online company. If that isn’t a bitch, the bastard who stole your stuff most certainly is.

    • IV

      Not only GoDaddy*

    • jordanreid

      I have 2-step on all my accounts now (or at least all the ones that offer it). i heard about the @N story, so crazy.

  • Whoa whoa whoa what if bahbouh still owns the domain name and just made this post to trick everyone into thinking the original owner got the domain name back!

    The perfect crime…

    • jordanreid

      The call is coming from inside the house.

  • Caleb Lane

    Hi Jordan,

    I am so sorry this happened to you… I specialize in website security specifically with the WordPress platform which I can see you are using. It definitely looks like you have taken quite a few steps and implemented some good security practices, but I can see several areas where you can still improve and I am sure you are aware of that. :) I sent you an email just a few minutes ago as well regarding the situation and I look forward to hearing from you. I am just looking to help you out where I can.

    Cheers,
    Caleb Lane

  • Joey

    Quick thing — while your notes on picking a strong password are good advice, your method is a little flawed. Getting locked out of your account to something because you forget the password is monumentally more likely than someone hacking in.

    So how do you avoid that? Pick a phrase that may be nonsensical, but isn’t random. Add in the appropriate punctuation and capitalization. A phrase you can commit to memory is much longer (character wise) than a single random word you can commit to memory.

    For example:

    jldCX#4!!3

    vs.

    The Blue! Maple Flier?

    Bottom one will take exponentially longer to brute force hack into (how most hacks are done) and doesn’t open you to context hack risk (assuming your phrase is nonsensical).

    This was a great read otherwise!

    • jordanreid

      thank you for the advice!

    • electric

      Nope, sorry but I don’t believe this is correct. Using any words in the dictionary will decrease the randomness of your password, even if you intersperse it with symbols and numbers.

      The issue is that any decent password cracking utility will literally be able to quickly sort through billions of combinations of words, including putting numbers and symbols between them (as in the example above). There is a vastly smaller number combinations of of words than there are random combinations of letters, symbols, numbers.

      Lastly, the majority of hacks are not from brute-force guessing. Any decent website or service will have brute-force protection where they temporarily freeze the IP address of anyone who fails the login more than x times. The majority of hacking is from virus/malware installed on the user’s computer and phishing websites, which give the hacker your password.

      (Source: My own web hosting company with several thousand customers, of which about 3 or 4 are hacked every day.)

    • Mxx

      One HUGE problem with this logic is that not all services support such long passwords. And worse yet you never know if they do.
      The way they encrypt(hash) your password may be flawed so that only 1st 8 characters matter and the rest if just chopped off. Then what you end up with is an extremely simple english word that is trivial to crack using “dictionary attack”.
      Long AND totally random passwords are ALWAYS more secure than “passphrase”. And you shouldn’t have to commit anything like this to memory. Use password managers!

  • Roland Dobbins

    Did you have REGISTRAR-LOCK enabled for your domain?

    If not, why not?

    If so, how was the thief able to transfer it away from your original registrar?

  • Lindsey Leitner

    Such a scary thought! So glad you got it sorted out! Hopefully the money will be sorted out soon as well, luckily he did not get it htough!

  • Hi @jordanreid:disqus, you made the front page of Hacker News today, where there’s quite a lot of discussion going on about your article and your experiences, so you should check it out sometime.

    Please note that this is not a discussion group full of malicious hackers (well, that should mostly be the case, anyways). It’s a group full of legitimate software developers and entrepreneurs. The term “hacker” is a loaded one, and it’s used to describe two different sets of people in the tech community: (1) malicious hackers, like the one who stole your domain, and (2) skillful programmers and software developers.

    • jordanreid

      really interesting discussion. thanks for forwarding the link.

  • raoul

    USE A PROPER DOMAIN NAME PROVIDER I.E ONE THAT SUPPORTS TWO FACTOR AUTHENTICATION (and, turn it on) and use 2 factor auth on your emails.

    I suspect none of this would have happened if you were using 2FA.

  • One suggestion (for everyone really): stop using passwords (complicated, hard to remember, written on post-its, +- 8 or 9 or 10 char) passwords; start using passphrases (simple, easy to remember, no post-its, lots of characters, avg 14 chars)

    Ex: “this is my password for xpto.com” – 32 chars
    Use a different phrase; replace xpto.com with the domain of the site you’re registering at; or maybe having a single sentence/passphrase for all the sites, though it would be better to have different passwords/passphrases for each site/service.

  • Scott

    Thanks for taking the time to write this up. I’m glad things worked out (relatively) well for you.

  • Kentleigh English

    “The best passwords of all look like total nonsense.”
    Not so sure if that’s true: http://xkcd.com/936/
    Nevertheless, my passwords look like total nonsense.

  • Alexis

    I cannot believe the timeliness of this article! Read this on the way home from work, and a few hours later received an email from my credit card that my email address had been updated. Something I probably would have ignored (assuming, like you had, that it was me on a mobile device, or my husband, or something innocuous), but your experience was fresh on my mind, so I called. Sure enough, someone had changed my info and rush-ordered an additional card, in my name, to an address in another state.

    Thank you for saving me from my own little identity theft mess!

    • jordanreid

      so happy to hear you put a stop to it! nice work :)

  • Wow. Wow wow wow. How awful. And I’m so glad you got the site back.

  • Akshat Harit

    As a suggestion I would recommend using some password manager service like lastpass.com to generate secure passwords. However take care to ensure that the master password is really tough to crack.

    • Mxx

      And use 2-factor authentication everywhere it is offered.

  • jordanreid

    Just received the following response from Flippa.com (I removed the rep who wrote the email’s identifying information):

    Hi Jordan,

    A few things;

    First, I just wanted to reach out to you and offer you my well wishes. It looks like thanks to the FBI and your persistence, you were able to get your website back.

    We seemed to be caught up in the middle of this mess and I’m really glad to see that everything seems to be fine again.

    Second, I wanted to apologize. We have a variety of systems to verify ownership of websites. The two main ones are e-mail verification from the WHOIS information and a file upload. While generally speaking, these seem to be the two most secure ways to verify ownership of a site, this event has caused us to reconsider how we verify ownership in the future. No system is completely hack proof, but perhaps fail-safe mechanisms may be of help!

    I also wanted to tell you what actions we’ve taken:

    1) We’ve removed the listing from public view. If Google crawlers have caught this listing, it may take a few days for their directory to updated.

    2) We’ve banned the person who tried to sell your website. Was this the hacker? We’re not in a place to say. It’s quite possible that another user hacked your domain/website and resold it. In any case, we don’t want dodgy websites on Flippa or sites that have come from dodgy sources — so this user won’t be coming back.

    If there’s anything you need, please don’t hesitate to let me know!

    [Name removed]
    Customer Success
    [Email address removed]
    w: flippa.com

    • I’m glad to see flippa.com. I’d like someone to get Hostgator and Godaddy to respond this article as they were the main focus of issue in the first place. I want to understand why it’s not their policy to protect their customers and/or correct errors that they’re obviously the cause of.

      • jordanreid

        That would certainly be welcome, but I’m not holding my breath – my suspicion is that in order to get anything more out of them I’d have to initiate a lawsuit, and it would probably have to be a class action to even get their attention (since my case turned out “fine” in the end).

        • Mxx

          I don’t think it matters that it turned out “fine”.
          What matters is that both companies let this happen in the 1st place. Perhaps public shaming is not enough. Perhaps only a lawsuit will force them to change their practices and implement better and more secure procedures.
          Btw, don’t give biz to godaddy. Not only do they continually make borderline sexist tv ads, but their founder is an elephant murderer.

      • I think you meant HostMonster and not HostGator, but I’ve tagged the companies on Twitter and Google+ so see if that gets a public response

  • Marissa Williams

    Jordan – Thank you SO much for sharing this horror story. Immediately after reading (well, actually during) I promptly changed all of my passwords and looked more carefully into my hosting sites, etc. I’ve heard of this happening before, but I think it’s one of those things that you think will never happen to you. I love your blog and can’t wait to get my hands on your book! Keep up the great work!

    – Marissa (www.marissasays.com)

  • OmarSayyed

    Good call on getting the feds involved. Get things rolling when there are authorities involved. This was my reaction when my team played a prank on me pretending our site was hijacked. https://www.youtube.com/watch?v=VUwM62Gh-dc

    • Leanne Janine Mills

      Dashlane password mgr does a great job of auto-generating secure passwords and then storing them for you

  • I found out about this through Mashable. A heck of a story. I admire your resourcefullness, and your story has caused me to definitely review and improve my own security on my personal data. Good luck in the future.

  • Gosh, glad you got the site back. Are there more responsible hosting companies out there?

    • jordanreid

      Sounds like lots of people are recommending NameCheap, but I can’t speak for them personally.

  • Glad you were able to get your site back. Read this on Mashables. I read this like an episode of the first 48. hope you get to write a follow up on how they caught the criminal.

  • derekdickerson

    This wordpress “site” isnt locked down at all first off who supports their family on wordpress hosted by hostmonster by simple scripts no less.

    The reason why she got hacked is because she never updated her version of wordpress or sql. it takes 3 seconds with simple scripts.

    YOU CALLED THE FBI FOR A WORDPRESS SITE WTF.
    I can take everything if I wanted to.

  • Whoa, that’s so scary and so sorry to hear this happened to you! You are right it could happen to any of us. Appreciate you sharing your story and documenting the steps you took to resolve it in case it should ever happen to one of us. Hopefully it won’t though but glad you were able to get it back. It’s important to take the right precautions when it comes to managing our identity both on and offline for ourselves and our businesses. Here are some more tips on how to make sure you stay safe! http://www.asecurelife.com/security-tips-for-small-businesses/

  • Pingback: Her website was hacked away; here’s how she got it back | Naked Security()

  • Pingback: Blogger Site Stolen, Dupes Thief Into Getting It Back For 30,000 | Ongoing Information & Trends: A Weblog()

  • Pingback: ste williams – Her website was hacked away; here’s how she got it back()

  • AzzamS

    That was a super scary article to read. Nail biting like your photo! I don’t understand the part were once you transferred the money via escrow you called up and got it stopped?

    So when it was expected for you to verify that you received the domain with the escrow service as this point you rang up and stopped the funds?

  • Pingback: ste williams – Her website was hacked away; here’s how she got it back()

  • Canuck

    Use a registrar with better security. Many offer services that will lock down your domain and make it impossible to steal away. I lock mine down with both a pass-phrase and verbal phone call from the registrar – which includes ANY changes to the account. It can be a pain in the arse but at the same time I am secure in knowing my valuable domains are going nowhere fast.

    As for Godaddy – they have a terrible history of helping people with stolen domains. Only if you are a major customer will they lift a finger to help beyond reciting their legalese.

    Finally Flippa – cesspool of fake stats, phoney monetary numbers and always a few hijacked domains/websites up for sale. Their response is funny considering this is a daily occurrence there. Every website owner knows you don’t create a website selling boots for cats and have it turning $3000 in profits and get 15k visitors a month when the website is only two months old – but on Flippa – there are hundreds of such examples for sale.

  • Pingback: Boom and Bust of the Blog | The Mexile()

  • Ame

    OMG I am so glad you got it back! This stuff is TERRIFYING, and not only that, infuriating. It’s disgusting to me that these companies won’t work with their paying customers but instead pander to thieves.

    Thankfully, I guess, my blog and business are under the radar enough to not hopefully be a target, but I just don’t trust people at all anymore!

    I use 2-step authorization on any account I can use it on, as well as an app called 1Password to set up ridiculously long and tough passwords. I have it for my computer and my phone. It’s helped thus far, though I am obviously so untrusting now I am expecting someone to work around that.

  • Hi Jordan, thank you for sharing this scary experience. I was lucky to find the link to this article on the B-schooler FB page and I realized how unprepared I would be if this happened to me. I created my website only a few months ago and after all the hard work, it would be a nightmare to lose it. I will immediately implement all your advice.
    Did you have any scan protection or Firewall on your website when this happened?
    Mirella

  • Pingback: “My website was hacked & on sale…” | FraudJournal Blog()

  • SamanthaNim

    Thank you for taking the time to write this first hand account! This was wonderfully done.

  • Pingback: My Website Was Hacked And I Got It Back…But Here’s Why I’m Still Mad | Ramshackle Glam()

  • bitcoinpotato

    was it really hacked or did your domain expire and you forgot to renew it?

    • jordanreid

      really hacked.

  • Pingback: When Hackers Steal A Web Address, Few Owners Ever Get It Back | Cyber FAQs()

  • Gabella Suarez

    My name is jones clifford from USA .I am here to give testimony on how I got my husband back. My husband left me for no reason 3 years ago. He moved in with another woman, I felt like killing myself, my life became very bitter and sorrowful. Then 1 day, a friend of mine told me about a great spell caster that is very good and, he said he gave him some lucky numbers that he played in a lottery and he won. I didn’t believe it because I’ve worked with so many of them and it didn’t work. He begged me further so I decided to try this great spell caster called DR steve. I still didn’t believe. I used the spell he gave me and the next day I received a call from my darling husband Thomas last month. He apologized and came back to me. He even gave me 10,000USD as a means of compensating me. I’m very happy now. Thank you DR steve, You can reach him via email:(prophetogogalaga@gmail.com…He can solve any problem like,

    (1) If you want your ex back.

    (2) you need a divorce in your relationship.

    (3) You want to be promoted in your office

    (4) You want women & men to run after you.

    (5) If you want a child.

    (6) You want to be rich.

    (7) You want to tie your husband & wife to be yours forever
    .
    (8) If you need financial stance.

    (9) He can make you pregnancy.

    (10) He can cure you from any diseases.

    contact:prophetogogalaga@gmail.com… contact before it will be too late

  • Pingback: How Do I Make My Blog Secure From Hackers? | Blog Chicka Blog()

  • Deborah

    We were harpercsi.com on April 19, 2015 my husband’s home computer was hacked As well as our computers at our offices. leading to our company website and his personal FB, email Amazon and credit cards being hacked. It is a nightmare. We are in the process of trying to get our website back, which was parked at godaddy! As you can imagine my mind is a blur… Please if their is anything you can do to help or advice us, it would be truly appreciated.

  • Kyle Norton

    Need an account hacked?? Cheating spouse? Checking on kids? Business? send Tim a short note >>shimomurat at ayh0o dot c0m<< He replies almost immediately. Totally legit and by far the best out

  • Axle S

    Well all of this is interesting but keeping in

    mind that people who go through all the trouble of

    obtaining your personal information intend to use

    it in illegal ways. Once one takes the risk of

    breaking the law and committing a crime, there is

    pretty much no way to protect yourself. All the

    precautions in this blog may help against amateur

    hackers, but in reality one’s accounts and

    passwords can be obtained in much simpler ways. I

    have experience with computer viruses and

    especially phishers and keyloggers and anyone

    reading this article should understand that it is

    almost impossible to stay 100% protected if you

    engage in online banking or shopping using credit

    card or other services such as Paypal. Any

    skillful programmer will be able to tell you that

    antivirus programs cannot detect all viruses and

    some can be stealthy and you wont know anything

    while every keystroke on your keyboard is being

    electronically recorded and uploaded to someones

    server. I only know of the ways I have come in

    contact with to obtain access to someones

    computer, but creative hackers are coming up with

    newer and newer security breaches. Even a small

    popup on your web browser could in reality launch

    a stealthy virus of some sort on your computer.

    All this might be frightening and most computer

    users dont undersand the danger they put their

    private information in when they for instance shop

    online or check their bank accounts. There are an

    unthinkable amount of ways to infect someones

    computer but there is only a few ways to protect

    oneself. Perhaps the best, but also somewhat

    annoying and time consuming, is to install a

    separate operating system on your computer to use

    for banking and entering confidential information

    such as credit card number to purchase something

    from an electronic store. I recommend the blackhatcreator@gmail.com

  • CT Perry.

    reach me personally via nicolelowe.xfpovcc@outlook.com if you are looking to get any hack solutions !grades ,cash flip , Criminal records ,Mug shot removal ,basically anything !serious inquires only !

  • Serene Fox

    I just found out that Go Daddy is trying to sell my domain. I paid for this website and domain from Aztech and have had it for years. I don’t know how they got it from me, but I received a call this morning someone letting me know that Go Daddy is trying to sell it. I have contacted my host and waiting for response at this time. Hopefully I will find out something quickly.

  • Sara Rosenberg

    If you need to check on your partner’s sincerity, track there movement, employee’s honesty, recover your email passwords, Social networks, change your school grades gain access to any website. contact medussa414@gmail.com. he helped me find out that I was dating a married man though it broke my heart, he was very helpful.

  • blackherat101

    If you need to check on your partner’s sincerity,employee’s honesty,recover your email passwords,Social networks(i.e Facebook,Twitter,IG, Cell Phone, Iphons ),change your school grades,clear your criminal records, gain access to bank accounts. Contact Black Heart via Email :: worldspy86@yahoo.com

  • Congratulation! Jodan

  • Sebastian Altmann

    Hacker for Hire
    to change grades, erase or change criminal record, hacking email accounts, hacking icloud, dropbox, cctv cameras, home security systems, hacking social media accounts (instagram, twitter, whosay, facebook, snapchat) , for fake ids/passport and license. CONTACT – Email: alch3mist55@gmail.com

  • Isreal Salazar

    hello,good people my name is Isreal Salazar,i was going from site to site looking for answers till i read a post by Angelina Valdes and Mike Robison at first i did not give it much thought, but my mind was still bothered. So i decided to contact the cyberghost185@gmail.com to help catch my cheating spouse,he delivered as was promised he is really a genius,he also does P.I jobs clears your record,changes your school results(did that for my son) and helped me recover my lost funds/money i lost to scammers. impressive yes i am so lucky. i love him and his work. you should try it, only a few out there are good he is one of the best.

  • sandra calisto

    i still can’t believe that there are people out there dying of heart-break
    when there is a man called Dr. Ojeobo in this world. why leaving Dr. Ojeobo for
    another and why still languishing in loneliness and tears because your lover
    left you. there is only one solution to your problem which is Dr. Ojeobo love
    spell whose details are (dr.ojeobogreattemple@outlook.com, or
    dr.ojeobogreattemple@gmail.com, Because in my own situation he did a very great
    job for me by bringing back my ex-lover who left me 2 years back without wasting
    time and since then my relationship has been perfect and protected by his great
    powers. So better contact him now at (dr.ojeobogreattemple@outlook.com or
    dr.ojeobogreattemple@gmail.com) for help. Because if you keep your problems and
    heartbreaks you might get hurt.

  • Amy Woods

    RSN saved my life, i was in a custody battle situation with my three year old daughter and my alcoholic ex-husband. He continues to defy safety restrictions and court orders, and I never able to catch him in the act. I was referred to remoteServersNework@Gmail.com. She totally understand my situation and guided me every step of the way to put a tracker on my ex-husband phone where i could track him from his phone, knew exaxtly what he was up to directly from my phone. Tell her from amy, she can hack anything.. ,.x

    • Cindy Shereen

      Yes. She is a genuine hacker. She keeps to her word.

  • Sarah Collins

    I basically think we all dont have to face all dese deceit and lies from our spouse…in a case of mine wen i got sick and tired of all the lies and deceit i had to contact a friend of mine to get me the contact of one of the best hackers in the states ..then i met cyberphonehacker@gmail.com..He saved me from the lies of my cheating boyfriend by hacking his phone..Incase you need help with hacking any phone or account or other jobs..Tell him i reffered you.Hed help you

  • Hack Force

    Hi there, Contact Ryan Brown, an experienced

    professional, He offers services like Discrete

    Computer Hacks,Mobile hack, server hack, or if you

    need to Change Your Grades,Hack Into any wifi,hack

    Facebook, Twitter, Myspace, Instagram or any e-mail

    and obtain passwords? Erase crimnal records or obtain

    employee records? Bank transfer to any secure location

    in the world? contact today at hackforce89@gmail.com.

  • Thomas Hiltner

    Have you guys checked out this guy Aviv Nadav at whitewebdemon@gmail.com.Dude‘s a cyber guru.involved with cloning phones,hacked into my ex’s gmail and Facebook,what led to me knowing she was infidel and also just gave my nephew some really outstanding school scores which he upgraded himself,cool way to have financial freedom as well,Get your bank blank atm cards which could debit money from any a.t.m machine.Make $20,000 and more in a couple days.Bank transfers and wire transfers as well as PayPal jobs.hes that good,had to make him my personal hacker.You could mail him as well if you got issues.he’s as discreet and professional too.he’s kinda picky though so make mention of the reference.Thomas referred you.You’re welcome.

  • James Johnson

    i was lost with no hope for my wife was cheating and had always got away with it because i did not know how or always too scared to pin anything on her. with the help a friend who recommended me to cyberhacks who help hack her phone, email, chat, sms and expose her for a cheater she is. I just want to say a big thank you to cyberhacksolutions@gmail.com. he understands how i felt and guided me every step. tell him from james….

  • lisa omar

    visit http://www.hackterrific.com for all your hacking needs. they have veterans ready to serve you. they have been in the executing exploits for over two years now and certainly can solve any problem you might have

  • victoria smith

    Hey everyone ,do you really need hacker for hire? Do you really need to keep an eye on your spouse by gaining access to their email?As a parent do you want to know what your kids do on a daily basis on social network like facebook,twitter,instagram,whatapp,wechat and others to make sure they are not getting into trouble? Whatever it is ranging from bank jobs,flipping cash criminal record,DMV,taxes.Name it,ballinhackings will help you get the job done.They have being a professional hacker with 10years working experience contact him at BALLINHACKINGS@GMAIL.COM

  • hank white

    If you seek legitimate hacking service ,contact onlinehackmanager AT gmail DOT com, he specialize in hacking into a cheating spouse phone , phone tracking , database hack , clearing of criminal records ,code encryption,bank transfer, email address hacking , changing of grades, website hack, viber Facebook, crash website and any type of hacking job …he is a masterclass at this hacking stuff and you can always trust his work

  • carmella scott

    I really don’t know much about this scam thing..But i just came across a good hacker who helped me hack my boyfriends text messages and watts’ messages remotely..You don’t have to touch his phone while you have access to his conversations..contact cyberhacktivist1@gmail.com..Tell him garret referred you then you can thank me later.
    rdt56

  • hack king

    for any hacking services contact extremehackerservices@gmail.com hes cheap and would offer you the best services.tell him victoria referred you.

  • Database Lord

    Hack Hack Hack ! !! !!

    Contact via Email :: hackanydatabase@gmail.com

    If you need to check on your partner’s sincerity,employee’s honesty,recover your email passwords,Social networks

    *Institutional servers-keylogging -*University grades changing / Admin(staff)

    *Account hack -Access/Password

    *Facebook, instagram, bbm,Skype, snapchat, twitter, badoo, Word Press,zoosk, *Various blogs, icloud, apple

    accounts etc

    *Clearing of criminal records-

    *Email accounts hack ( gmail,yahoomail,hotmail )*Databases hack- Untraceable IP

    *Change your school grades,

    *Gain access to bank accounts.

    Contact via Email :: hackanydatabase@gmail.com

  • Ivan Grytsenko

    Contact us for any kind of hacking Job and you will be glad you did. for security reasons, i won’t say much here

    Contact:: hackyzone247@gmail.com