Grow your CSS skills. Land your dream job.

This Site’s Domain is Now Safe

Published by Chris Coyier is now back under my ownership. Yay!

Quick review of what happened

A criminal stole the ownership of They transferred it from GoDaddy to PlanetDomain. I got it back. You can read a whole saga of the events.

This wasn't just, this happened at the same time to many other domains that were all "Web tech related blogs."

How did it happen?

From the perspective of GoDaddy, where the domain was registered, the transfer looked completely legitimate. The criminal logged into my GoDaddy account, unlocked the domain, and transfered it away.

How did they get into my GoDaddy account? To this day, I don't know.

I do know that they got into my GMail account. By doing this, they were able to delete any emails about the transfer, so I was unaware it even happened. I don't have proof of the deletions, but I have proof the criminal was in my GMail account. My GoDaddy account password was never changed and didn't exist in my GMail account, so the criminal was able to get that password another way. On the first day of the hack, a file was also changed on my server, which suggests they had my FTP password as well, which also did not exist in my GMail account. All three were also different. I wish I could tell you exactly how all three of these passwords were hacked. I cannot.

How did it get returned?

I spoke with GoDaddy about the theft. They spoke with PlanetDomain. PlanetDomain agreed to give the domain back to GoDaddy. In my case, both companies were helpful and did all the right things. I actually did very little. I spoke with GoDaddy, filled out their Domain Dispute form, wrote a blog post, did my fair share of worrying, and ultimately it got resolved.

Who is to blame here?

The only person I can find to blame is the criminal (there has been some contact with this criminal, see video).

It's not GoDaddy's fault. From their perspective this looks like a standard domain transfer, thousands of which happen every day. They didn't simply allow a criminal into my account. It's also unlikely that the criminal broke into my GoDaddy account via a specific GoDaddy weakness. There were many domains affected here from many different registrars. I think it would be nice if GoDaddy offered two-step authentication, but their lack of that didn't cause this.

It's not GMail's fault. Yes, my account was hacked into. I have no idea how. I know the password was reset, but I don't know if that was a part of the criminal getting in, or because they wanted to keep me out afterward. Once in, theoretically the criminal could have gained access to anything else of mine by resetting passwords, but that wasn't the case. My GoDaddy or MediaTemple passwords were never changed. Again, there were many domains affected here and the owners of those domains didn't all use GMail. So it wasn't GMail specifically that was the vulnerability that caused all this.

It's not other random technologies fault. I heard some people blaming WordPress, which is just weird.

I'm willing to take some blame here myself. Perhaps I used an unsecure network or something. I'm just not sure.

It's hard to figure out exactly what happened. You might think that since so many of us were affected we could find the commonality. But unfortunately that has made it harder since we've been able to discover so little in common between our situations. It seems to me the most likely case is that the criminal is just damn good at being an internet criminal. Unfortunate that kind of talent is going toward making the world worse instead of better.

What can you do to protect yourself?

This is the section I was looking forward to writing the most. Sadly, I have little to say.

I think you should use really strong passwords that you change frequently. You should probably run antivirus stuff and make sure you don't have anything nasty like a keylogger. I think you should use 2-step verification if you use GMail, which should theoretically make it much harder for a criminal to get in.

The thing that allowed this to happen under my nose was that the email notifications I should have gotten were deleted. So one thing I have done was to start using Domain Monitor and having it notify an alternate email address of changes.

I've also enabled GoDaddy's Domain Protection. is now about as protected as can be. Nobody, including myself, can transfer the domain. The only way it's possible to transfer is to cancel the service, and part of that process is legally proving my identity with official documents.

So yes, I'm going to keep on GoDaddy. They were the folks that were with me during all of this and now, especially with the protected registration, I feel secure there.

How are the other people doing?

It's mostly good news. There are only three unresolved cases that I know of.

  • The worst of which is Soh Tanaka's Soh needs 1and1 to start being responsive and cooperative and accept the domain back from PlanetDomain who is ready to give it back. Soh's site has been offline for days which is super uncool.
  • A similar situation is Ali A.'s Ali needs 1and1's cooperation but doesn't have it. At least Ali's nameservers are pointed to the correct place.
  • Kirupa Chinnathambi is waiting for Network Solutions to get rolling on getting back to him. Apparently the two companies are talking though.

I think it may be of benefit to apply a little social pressure to @netsolcares and @1and1 on these folks behalf, if you are up for it.

Thank you

I'm also quite sure that each of you helped. The community outpouring of support got the attention of the companies involved and surely expedited things. is now safe. I'm very grateful for that. Now back to your regularly scheduled programming. There are many more articles and screencasts to come!


  1. Connie
    Permalink to comment#

    one question was not asked in your post:

    why did this happen? What is the aspired result of a domain theft?
    Or is it again just “hacking for fun” ?

    • Seems like this person was targeting high traffic sites for ransom.

    • For the record, I was never contacted by the criminal (which they would of course have to do to request a ransom). David Walsh did get some suspicious emails eluding at random, but they were very vague and no proof came of them.

      I suspect we got onto the fight to get them back before their plan was fully hatched. I also suspect that they do this to a lot more domains that just the few from this saga. And I also suspect they may not have some “grand plan.” No proof of any of this though.

  2. Permalink to comment#

    Glad to see everything worked out!

  3. gof
    Permalink to comment#

    Might it be that you logged in a some site and messed up site’s password with your gmail one?

  4. Glad to see you got it back

  5. Tony
    Permalink to comment#

    Sad story with happy end! I’m using keepass tool to generate and keep long unique passwords. And I’m changing them all regulary. It takes about 3 hours each time (yeah, many passwords to change), but makes me feel little more safety (most important – make regular backups for keepass)).

    • jwwishart
      Permalink to comment#

      I use KeePass also and use DropBox to sync it across all devices giving me a nice helpful solution to the backup issue (i.e. automatic). Really useful setup. 3 hours is hard, but you would have to do that regardless of KeePass anyway I suppose.

    • @jwwishart I’d be careful using dropbox… there were reports of vulnerabilities with it back in June (ref).

  6. Angel E. V.
    Permalink to comment#

    Were you on a Mac or PC?

  7. Permalink to comment#

    Glad it all turned out ok in the end. Thanks for sharing the experience and documenting it so methodically.

    A useful and salutary lesson in not getting complacent about web security of any kind. Not that I’m saying you were complacent though. But a complete domain theft isn’t high on many average webmasters/bloggers agendas I’m sure.

    I shall be analysing things on this front. Paying far too much attention to stopping hackers and leachers damaging actual site content – not enough time on the bigger security picture.


  8. Permalink to comment#

    There has to be some commonality!
    Were you all using Macs? What about your website hosts? Some software that reports back to the criminal?
    Surely hacking all these individual websites or domains must be very difficult without some commonality.

  9. @Chris Coyier

    Hello sir,

    I’m the biggest fan of yours, you’re ideas and creativity are just awesome :) thanks for sharing such an informative post with us.

    Actually I also wanna ask a question which is much different from the post simple to read but difficult to answer :)

    Which is your favorite web browser, if any please share with us why?

    (Cause your answer is valuable for new comers in the web industries like me and can help us a lot in defining the best browser on the earth)
  10. If your gmail password changed, that’s a signal to me that the attacker got into your email by somehow resetting your gmail password. Either by intercepting the email to your secondary account, or by somehow being able to predict the contents of the reset link that gmail generates.

    If he’d used a keylogger, he wouldn’t have needed to do any of that.

    From that point on he may have been able to retrieve your passwords from GoDaddy by using their forgotten password systems. If he was able to retrieve your password and not reset it, then that would suggest that is certainly a vulnerability with GoDaddy.

  11. Permalink to comment#

    I too am interested in how this happened. Most perplexing. It sounds like there’s no one clear place all, or enough, of your passwords exist side by side. A few questions if I may:

    1. Do you use a password storage system like LastPass?
    2. Or a password generation system like SuperGenPass?
    3. Do you save/remember the passwords in your browser?
    4. Does your browser cloud-sync your passwords between machines?
    5. Do you backup your primary OS(s) somewhere (e.g. Time Machine)?

    At the end of the day, as with most crimes, if there’s enough effort you can hack most systems. They need to be open enough for Joe Public to be able to use them in meaningful ways thus they can never be truly secure. All that said: criminals will normally only put in that level of effort if there’s enough of an incentive, and in the case of most of the domains in question, there’s no clear ‘payout’ – which in turn implies that this was either relatively easy and generally malicious. Worrying.

    As a side note, all the drop-downs on the above fields for auto-completing them are just black. I’m using Opera 11.60, which has the new HTML5 parser so it might be that. I’ve logged it with Opera, but you might want to take a look.

    Good luck!

  12. Alex Perepelitsa
    Permalink to comment#

    Being from Ukraine myself all issue weirdly makes me proud (don’t get me wrong I’m glad everything is fine with Chris ‘ domain now and hope those who still have this problem unresolved shortly will) and ashamed simultaneously. Think it has made all of us, including Internet giants, pay much closer attention to security.
    By the way Chris, when I highlighted and dragged a line in a new place within this paragraph it hadn’t updated in Comment Preview aria. I use last common Chrome at the moment.

  13. Permalink to comment#

    Yeah, what a relief!
    I’ve been using the Google phone authentication for a while now. Also, I don’t know if the gmail HTTPS connection is by default, but it’s a good idea.
    What about connecting through an ssh tunnel when you’re browsing on unsecure networks?

    • Permalink to comment#

      GMail does not default to HTTPS (at least it didn’t before I turned it on) and it’s a great idea to force HTTPS over all pages, not just when logging in/out.

      There has been a lot of fuss lately about SSL and some major sites not using it 100% of the time (Facebook now has the option as well to force SSL over all pages). I don’t know if anyone remembers, but a while back Eric Butler released a tool essentially making sniffing unsecured wireless data a breeze.

      That tool, as well as some others, has basically made “hacking” easy enough, and user-friendly enough for any random person to do.

      If you think that your GMail account was the point of origin, then you could consider SSL over all pages.

  14. Rafael Dourado
    Permalink to comment#

    I’d like to know WHY the criminal did it? What he gained from it?

  15. Permalink to comment#

    I’m using and their “NameSafe” feature (which is free). It uses Verisign’s “VIP Mobile” app (or you can get a keyfob) and it’s essentially the same thing as Google’s two-factor authentication.

  16. Very interesting read. Well done Chris your work will not go down for the sake of lives that you impact on a daily basis. We all must tighten our belt and it just proofs the point that no system is 100% secure.

  17. Ronan
    Permalink to comment#

    Delighted to hear the problem’s all sorted now. Can’t quite figure out why they’d have done it in the first place, but that’s crooks for you I guess. I also set up 2 step gmail verification after reading about the issue. Just glad you managed to sort it all out. :)

  18. robert
    Permalink to comment#

    FTP is unsecure. Should be using ssh.

  19. benjamin
    Permalink to comment#

    What a nightmare! I’m glad you where able to get it back.

  20. qborreda
    Permalink to comment#

    Glad you got it back, Chris

    btw, and totally unrelated, we are receiving your RSS twice per post .. very recently, thou ..

  21. Permalink to comment#

    2-factor authentication only works when you’re doing it over the web. Were you ever checking the email over IMAP? Or set up gtalk? What I’m asking is have you issued any “Application specific passwords”? If you have – revoke all of them (and re-issue if you’re brave).

    An application specific password allows you to access GMail over IMAP – meaning that you can delete all the messages without having to confirm over the phone. If someone gets ahold of that – they can do whatever they like with your Google account as long as there’s APIs for that…

  22. Permalink to comment#

    css-tricks = chris coyier .. can be JUST ONE in the world! Thanks for share your knowledge :D

  23. مبرووووووووووك

  24. I am glad you could resolve it. I sometimes have the feeling, that online criminals are not taken serious enough. But steeling someones domain, or hacking their page, e-mail account etc is nowadays the same as breaking into someones store or steeling their identity….

    I am happy for you, that it went that smooth.

  25. Saurabh Shah
    Permalink to comment#

    Good to hear that it’s safe now … was that the same story as this ?

  26. Permalink to comment#

    If the perpetrator got hold of your GMail account, be that with a keylogger or something else, it’s all he needs. I know this because it happened to me but they hacked my PayPal account (and bought 10 licenses of WoW, hence my hatred of the game). Once he has access to your email, he can set automated filters to mark as read and archive any email that comes from (or in my case!). This way you would never know that you received a “password reset” email or anything similar. With all this in place, he can reset any password he needs (domain, ftp, etc) and gain access anywhere. I’d suggest you check your filters and be very careful with your email password as that’s the only one anyone needs to hack everywhere.

  27. Permalink to comment#

    That’s a good news
    i felt like watching a suspense horror movie all these days. its so horrible to feel that your domain is gone from you

  28. Permalink to comment#

    Yay! The header of this post alone makes me smile.

  29. Thanks for sharing your experiences, I definitely learned something. I signed up for a novice DomainTools account today.

    You’ll get tons of free advice about security, so I’ll be brief in my recount of the tools I use. I take a lot of care in selecting them. You’re undoubtedly a Mac guy, so much of this may not apply, but then again, maybe you’ve got Windows too.

    Automatic updates, always
    Pretty good passwords
    Panda Cloud Antivirus
    Malwarebytes for cleanup
    Separate email address for important accounts to use as their email on record
    Gmail two-step authentication
    Chrome with ScriptNo
    Threatfire HIPS
    PC Tools Firewall

  30. Permalink to comment#

    I’d love to hear some more info about how it happened – but it seems like nobody really knows (be sure to let me know if you do figure out how they got into various services).
    Good to hear that everything is fine now! :)

  31. Glad to hear everything turned out ok, and that all parties involved were able to work together to get this resolved quickly and (relatively) painlessly.

  32. Permalink to comment#

    Thank you for sharing this experience. You have raised so many important points. Thank you for disclosing all the details of this horrible domain theft so we can all be more aware and watchful.

    Plus, your site is so lovely – a design and usability inspiration. I wish I could be you – but not badly enough to steal your domain. I will plan to keep coming back to visit often. So glad you keep working, publishing, protecting — keep it up.

  33. Andrai
    Permalink to comment#

    Thanks for sharing the whole experience and process so openly. I’m sure this will be a great help in preventing this from happening in the future.

    BTW, you should use the hackers same methods and just steal, get rid of the hyphen!

  34. Permalink to comment#

    Glad to hear everything worked out!

  35. Recently, a friend of mine get email from “unknown” person with his godaddy user/pass asking to pay few thousands dollars.

    He contacted godaddy and they reply with “Ignore that mail. It is spam”. How could it be spam with real user/password details?

  36. amidude
    Permalink to comment#

    Definitely glad to hear everything worked out. I’m on 1 and 1 but will be rethinking my professional relationship with them based on their treatment of the others affected by this problem.

    Thanks for sharing your experiences with us.

  37. Permalink to comment#

    Hey Chris,

    Glad you got the domain back, it would have been weird going to or something like that hahaha!

    I know exactly what happened! When using your virtual machine on your Mac someone hacked into the windows end and stole your passwords! That seems the most plausible to me at least!

    Enjoy Cali, just got our first snow fall here in Chicago.

  38. Permalink to comment#

    Yeahh Congo .

  39. Permalink to comment#

    Hi Chris and every1!
    Glad you’re fine now…
    Sorry for my english, but I did not understand if you used Gmail 2 steps verif. before getting in this trouble…
    I actually have Gmail 2 steps on, should I consider myself safe?

  40. Permalink to comment#

    Glad this site is now safe. I really enjoy reading your articles.

  41. Permalink to comment#

    Personal question Chris, but why do you use GMAIL as opposed to your personalize domain address?

    Also, if it’s three different passwords and if they are on your computer somewhere, you might want to check if you have anything shared over your computer. Chances are, it could’ve been intercepted if you were using a public Wi-Fi or something. I don’t know, your Key Chain access, admin password of your(s) Mac(s), something.

  42. Isko
    Permalink to comment#

    Hi Chris,

    Glad to hear you got your domain back and everything is up and running again!

    Did you check if your Gmail account suddenly had some new filters added under the Settings -> Filters? There was a hack going around that added certain filters without you noticing and they were targeting domain transfers and FTP passwords. Can’t remember where I read about this but check the filters page and see if there’s anything fishy going on in there.

  43. Permalink to comment#

    Glad you were able to get your domain back.

    It would have sucked to see the site go down with the crappy domain squatter sites.

    I visit the site a few times a month to access your useful resources.

  44. Permalink to comment#

    Doesn’t gmail log the IP addresses of logins? Perhaps this can help find the hacker.

  45. stoked that you got your domain back, researching how they gained access to those accounts should be a top priority. if the hole isn’t patched it’s only a matter of time before it happens again.

  46. Anonymous
    Permalink to comment#

    I would wager with a high degree of certainty that some trojan code ran on your machine, stole all your passwords from Firefox and etc, and deposited them to the attacker’s FTP.

  47. Permalink to comment#

    Soh Tanaka’s site navigation page is error!

    “Server can’t bla..bla..”

  48. Chad
    Permalink to comment#

    Incredible.. I’m glad it turned out so well for you. I sometimes wonder about GoDaddy though. When I’ve called into their support, the support reps seem to have unlimited access to their customers information. Such as being able to read all database connection scripts, etc. on your server (including the passwords inside them). They’ve never asked if they could view files; they just take it upon themselves.

    I wish they’d put more protective measures in they’re internal systems. Such as not allow their employees access to customers server files without explicit permission.

  49. Permalink to comment#

    Glad everything worked itself out for you Chris. When you checked your GMail account did you have any of the filters mentioned in the GMail security flaw?

  50. Glad you sorted out that. Unbelivible what can happen.

  51. Congratulations…..Keep it Up….:)

  52. Kevin Caulfield
    Permalink to comment#

    Im guessing it was a key logger, which would give him access to any key you pressed over a period. People can get these to install silently and remain stealth. Scary stuff.

  53. Edward
    Permalink to comment#

    Hey Chris I hate godaddy I never ever will use them again!

    i suggest Namecheap they can hide your whois and it is free for the first year.

    all the best

  54. Permalink to comment#

    It sounds like it might be spyware. I would backup the files and reinstall the OS from scratch, just to be sure. Maybe it is from a trojan that was distributed through a tool that web designers use.

  55. script kiddie probably had a key logger

  56. Mukarram
    Permalink to comment#

    Hey Chris, Congrats!!!
    I’m really very happy now… :)

    Thank God !!!

  57. YAY!

  58. Permalink to comment#

    Passwords can be different but still predictable if you use a common technique
    ex: johnpay for PayPal
    johngoog for Google

    all the thief needs is 1 password and will figure out the rest

  59. Congratulations Chris!

    And keep it safer in future please…

  60. Permalink to comment#

    Nice to see you back Chris :)

  61. maria
    Permalink to comment#

    glad to share you are back !

  62. Victor
    Permalink to comment#

    Awesome to know that you got it back. Those sons of people. Well let’s be happy that everything is back where it’s supposed to. Good to know it’s all good again for you and for all of us. Thanks for letting us know.

  63. Permalink to comment#

    Good to hear you got it back. My FTP was hacked once and I know the pain and worrying one has to go through to settle things.

    That being said, I think there’s an important piece of advise missing from your section on how to protect yourself: Don’t use the same password for different services, also no slight varieties of the same password. There’s a significant chance you’re not hacked at all, somebody simply found your password through a less secure service you signed up for. It’s just a theory, but it is one of the most common patterns of identity theft.

  64. Permalink to comment#

    Wow glad you got it back.

    As especially a valuable domain as this one!

  65. Hein Zaw Htet
    Permalink to comment#

    “There are many more articles and screencasts to come!”


  66. I have been following this and the newer post for days. Great news you are back safe and sound.

    We love you Chris!

    I don’t think it matters what kind of passwords anyone uses if a keylogger gets on to someone’s machine. The hacker might as well be sat at that person’s computer.

    However, you can avoid typing in passwords by copying and pasting them from a secured file.

    A browser such as Firefox can also avoid typing in usernames as it saves those, so all you enter is the first letter, then click on the one you want from the drop-down menu. I used that here to enter my personal details easily. (Just three key touches were needed, one for each field.)

  67. Brannon
    Permalink to comment#

    Well, for once I’m actually impressed by Godaddy. I’m very, very, very rarely impressed by them, but for once I actually am. I’m glad they did the right thing and helped you get your domain name back.

    This kind of incident inspires me to start learning more about website security. Does anyone know any good blogs for that?

  68. Permalink to comment#

    Super post! Just like your blog professionalism! Keep up the good work.

  69. Scott Daris
    Permalink to comment#

    Good story. But what I want to know is….how the HELL did you get on the first page of Google results for the search term “gravatar”? And it shows your gravatar, too. Please teach me.

  70. Wow nice information actually this site is about Domain is Now Safe…! Thumbs up

  71. Nice to see you back Chris :)

  72. TBRudy3
    Permalink to comment#

    Prolly was a bunch of CSS-Dicks

  73. Permalink to comment#

    Ah, good to see you back! Keep this awesome blog safe :) Cheers

  74. Permalink to comment#

    Glad to hear you were able to get your domain back. That is a scary turn of events. Fortunately, you were able to work it out.

  75. Permalink to comment#

    To others asking how this happened: unless the registrar is willing to publicly reveal more details (which they “shouldn’t” do under certain circumstances) how this happened, unfortunately we’ll never really know. We can only make as educated guesses as we can, and take steps to at least strengthen (if not prevent) this from happening to ourselves.

    I once commented in Chris’ previous article how it can happen, though:

    Stay safe, everyone.

  76. Paul
    Permalink to comment#

    If he/they targets for front end web development folks, chances are the tools that they use in everyday basis such as Firebug or Web Developer Toolbar ( or Fillzilla ) is compromised.

    So there is a commonality here.

    ( Uust a theory, though. )

  77. Permalink to comment#


    I just found this site (as well as Treehouse) for the first time. Nice site!

  78. Permalink to comment#

    Glad to see it back, but how they got your password is very scary. Maybe i should be more careful too.

  79. wow, hell of a story! My whole tech blog got mirrored last year so basically the entire website was to be found identical under a different domain.

    But this is a different, animal; to get your Gmail hacked and to lost the ownership of your domain should be 1000x times worst. Use 2 ways login for Gmail!

  80. Glad to hear your domain is safe. Keep on posting Chris.

  81. Jason Witt
    Permalink to comment#

    I emailed 1and1 about those two domains that are still having trouble. This was the reply I got back

    Dear Customer,

    Thank you for contacting us.

    We would like to inform you that this case is already been forwarded to the appropriate who can actually resolve this issue.

    If you have any further questions please do not hesitate to contact us.

    Arjay Villanueva
    Technical Support
    1&1 Internet

    It’s not a typo that what they sent me.

  82. kadaj
    Permalink to comment# is back!! Yay!!

  83. Shawn
    Permalink to comment#

    100th comment WOO HOO!

    Anyways, I’m glad this domain is safe. I’m not even a designer(at least not yet), but I like coming here.

  84. Permalink to comment#

    Nice to see you back.

  85. M.R.
    Permalink to comment#

    this is why i prefer sms messages from websites when a password is changed or i’m logged in from a different ip then the usual one.

  86. Mickey
    Permalink to comment#

    I wish GMail would offer another option in verification. Some type of IP authentication. Allowing up to 4 additional IPs. Of course, people with dynamic IPs would have to have some type of CIDR or Class C option. You could use your home IP as a primary, work and others for the additional IPs. It would require a hacker to spoof that as well. Possible to spoof an IP? Probably. But that extra authentication step could deter the undetermined.

  87. Naz
    Permalink to comment#

    Just want to say, beautiful website! what font is used for the headings and body text?

  88. Permalink to comment#

    I like this website very much….

  89. Mark Watrous
    Permalink to comment#

    Fired off a scathing message to about getting their ***t together especially because 1and1 has dropped the ball – Unresolved Originally at 1and1, Bad Guy moved to PlanetDomain – Soh Tanaka’s site is offline (nameservers were removed). PlanetDomain is ready to give the domain back to 1and1, but 1and1 isn’t responsive.

    And if you have any domains at MOVE them. They are no better than GoDaddy and #sopa.

  90. I have been checking up on the Soh website for weeks and still nothing. Sad to see that, the owner must be very frustrated! That website has some really useful CSS tips and tricks.

    I had a good read of the above. Thanks for sharing, its the first I have heard of this!

    Also glad you have your domain back safe and sound.

This comment thread is closed. If you have important information to share, you can always contact me.

*May or may not contain any actual "CSS" or "Tricks".