A couple of weeks ago, I posted the story of my website being hacked – and how I got it back – and this feels like a good time for a follow-up. Because while things may have turned out “fine” for me…the truth is that nothing about this situation was “fine”. First there’s the fact that I’m not sure I’d call being forced to interact with criminals to keep your business secure an ideal situation, but more importantly: things could very easily have turned in a different direction.
I am certain that I was lucky; I am certain that 99% of similar cases would have turned out (do turn out) very, very differently; I am certain that it would be very, very easy for companies as big as HostMonster and GoDaddy to say something akin to “Super sorry; totally won’t happen again”…and then do exactly nothing. Because memories are short and people forget and these companies have too much money to worry all that much about what, in the long-term, amounts to a PR blip.
I do not want that to happen. Because I have my business back, but the next person that this happens to may not be so lucky, and it doesn’t matter whether you make thousands of dollars a month off of your site or just a few bucks here and there…or whether you run your site for nothing at all, just because you love it: your property – your work – matters. And so I’ve been following up with both GoDaddy and HostMonster in search of answers to why this happened, and to find out what they are doing to ensure that it will not happen again.
The responses of the two companies have been very, very different: one was, if not ideal, certainly surprisingly positive…and the other was dismissive and, to my mind, outrageous.
First, Let’s Talk About HostMonster.
On Thursday afternoon, about 48 hours after I published a piece on Ramshackle Glam and on Mashable about my website hacking and the events that followed, I received a phone call from the CEO and COO of HostMonster. They expressed their regret for how the situation was handled – but more than that, they were very, very clear in their statement that it should not have happened. They stated that registrars “do have the tools to freeze and lock a domain” (this was something that representatives had told me was not the case), and conceded that the situation was not “given proper attention.”
Over the next few days, I spoke several times with CEO Dan Handy and others at HostMonster, and the primary issue that we focused on is this: HostMonster does not, at this time, offer clients two-factor authentication, which is a very basic security procedure that requires more than one means of identification to make changes (for example, in order to change an email address associated with an account a client must first make the request online, and then enter a security code texted to her phone in order to proceed). Basically, it just makes it much more difficult for someone to pretend to be you.
The fact that HostMonster does not offer this is kind of nuts…and it sounds to me like they know this and were planning to deal with it, and are now going to deal with it faster. In a follow-up email, Dan Handy stated that the company is revising their educational structure to make employees better-equipped to handle domain dispute situations, and that “developers are working on both short-term and long-term solutions to provide additional authentication methods and security features to hosting accounts (including 2-factor authentication).” He went on to write, “I know that you are skeptical that any real change will happen, but I assure you that it’s already underway…My intention is to make things better.”
You know what? Fair enough. Companies – even huge ones – make mistakes, and if HostMonster follows through with their promises to improve security measures and employee training about domain dispute procedures…that’s great.
We’ll see.
Now, GoDaddy’s Response:
I can sum it up like this: beep boop beep boop.
It might as well have been auto-generated by a robot.
A couple of days after my Mashable article went up, GoDaddy issued a “response” (in quotation marks because…well, to me it doesn’t really count): First they stated that because it was HostMonster’s responsibility, as the losing registrar, to initiate a dispute, it wasn’t their fault that they didn’t do anything.
While this is true – it is the losing registrar’s responsibility to initiate the dispute – this doesn’t get to the heart of the problem, which is this: GoDaddy had my website under their control. They knew that it was mine. And when I contacted them to tell them that it had been stolen, every single employee I spoke with agreed that this was clearly the case…and did nothing. There is a level of basic humanity missing when there is an acknowledgement that a problem exists – and that a solution exists (freezing the site until the issue can be understood more fully, at a minimum) – but there is a choice made to instead hide behind policy and refuse to do anything at all.
Second, GoDaddy stated that, in essence, had I been able to provide “multiple forms of identification” to verify ownership, they would have “provided access to the domain.”
Honestly, this barely even deserves a reaction: obviously I sent multiple forms of identification, and would have been happy to send forms ad infinitum. Except here’s the problem: no one questioned my ownership. No one said they needed anything further to verify my identify. Because they knew the site was mine.
And then, after I spoke with HostMonster’s CEO, I tweeted this:
And then my phone rang. I knew it was GoDaddy before I even picked up. The guy on the other line, Ken, stated that he was “from the CEO’s office” (but didn’t feel like giving me his full name) and assured me that it was important to GoDaddy to “understand how I felt” while all this was going on.
Bad, guys. I felt bad. Thanks for asking.
When I asked what GoDaddy was going to do to prevent situations like this from arising in the future, CEO’s Office Guy said that he “was not quite sure about processes generally, [but would] share the information and move forward from there.” Which was super confidence-boosting.
Haven’t heard from them since.
The End.
In Sum:
HostMonster’s major flaw is their negligence in failing to install two-step authentication – a seriously basic level of security that should be at the very least an option for a service provider such as this. But while I’m of course approaching their statements that they’re working on addressing the issue with a healthy dose of skepticism…I have to say: I was impressed by how seriously they appeared to take this situation. I was impressed that the CEO called. I was impressed that he apologized, stated outright that the company had mishandled things from start to finish, and then followed up with several emails and phone calls. Most of all, I was impressed that he actually addressed my request for a specific action plan, and delivered it on the date (Monday) that it was promised.
To say I’m less impressed with GoDaddy’s response is an understatement. The major concern I had going through this ordeal as a whole was that no one at either company ever responded at a human level…and GoDaddy continues to function like a machine.
So there you have it. At the end of all this, I’m glad that HostMonster put a human face on the issue, and I’m confident that they are working to – at the very least – educate their employees and up their security measures.
GoDaddy, when informed that their policies had contributed to a situation in which I almost lost my livelihood, said beep boop beep boop.
I wish anyone going through something like this the best of luck, and am always, always here to answer any questions you have.
x
J
