FTC takes action against GoDaddy for alleged lax data security

FTC action and political context

  • Several comments praise the FTC’s case against GoDaddy as the kind of enforcement they want to see, but note the press release predates the new administration.
  • Discussion branches into politics: commenters worry that the new FTC leadership will prioritize anti-DEI moves over consumer protection, citing recent FTC press releases.
  • Broader anxiety appears about U.S. democratic “guardrails,” presidential immunity, and the potential for abuses of power by the executive branch; others argue courts and Congress might still limit excesses, though optimism is fading.

GoDaddy’s reputation and customer base

  • Many describe GoDaddy as sleazy, insecure, and hostile to users: aggressive upsells, confusing UX, lock-in via tools like a non-exportable site builder, and frequent breaches.
  • Despite this, they remain dominant due to early advertising (e.g., Super Bowl ads), strong brand recognition, and appeal to non-technical users who are unaware of the bad reputation.
  • Commenters contrast this with technically oriented alternatives (Cloudflare, AWS, Gandi, Namecheap/Spaceship, Porkbun), but note that casual users rarely know about them or switch.

Security incentives, penalties, and regulation

  • Security professionals express frustration that breaches rarely hurt companies financially; fines are seen as a “cost of doing business,” leading executives to de-prioritize security.
  • Healthcare is cited as an exception: HIPAA penalties per affected person and regular training make organizations take security more seriously, though some argue real-world consequences are still weak (e.g., Change Healthcare incident).
  • There is debate over how high per-user penalties should be: some push for very strong fines up to or beyond profit; others warn this could destroy small services or be abused, and suggest scaled, risk-adjusted penalties instead.
  • Several argue that if companies had to return all revenue associated with leaked customers, they would radically minimize stored data and use existing security features properly; others oppose allowing insurance to blunt these incentives.

Security practices and training

  • Multiple anecdotes describe very poor practices: unchanged passwords for a decade, GoDaddy “security” add-ons that introduce new vulnerabilities (e.g., caching admin pages publicly), and support-driven social engineering takeovers of domains.
  • Commenters describe the wider web-hosting and “cybersecurity” industries as normalizing lax security and superficial compliance, with certifications (e.g., ISO 27001) seen as proof of spend, not of real safety.
  • Security awareness tools and frameworks (KnowBe4, Proofpoint, NIST guidance) are mentioned as useful starting points, though often boring or superficial; tailoring training to the audience and using “painful” incentives (extra training) are seen as effective.

Specific GoDaddy issues and practices

  • GoDaddy is criticized for:
    • Charging extra for MFA and enhanced security, seen as irresponsible.
    • Selling privacy services while allegedly failing to protect underlying data (Domains by Proxy dataset mentioned as leaked).
    • Possible domain front-running/parking behavior after searches, and steep markup on “premium” domains.
  • Network Solutions is cited as even worse in UX and DNS management, underscoring that the registrar market is broadly low-quality and inertia-driven.