Another business says it lost its domain to a web developer.
I know I’ve written about this many times, but if these stories prevent just one legal issue then it’s worth it.
Please, don’t give your web developer full access to your domain name registrar account.
Yesterday, a web site owner in Nevada filed a lawsuit (pdf) against a contract developer alleging that the developer has taken over his domain name and business.
EB Publishing, Inc. publishes ApplianceRepair.net. It hired Adrian Bursill to do work on its website. Now it alleges that he abused his access to the registrar account and switched the ownership of the website to his name.
Historical Whois records for the domain show that it changed from EB Publishing to Bursill in 2016. The domain has not switched registrars.
EB Publishing has operated the website since 1998 but says it has now lost control of it.
Your web developer should not need access to your domain registrar account. If they want access to change nameservers (which I still recommend you do yourself), make sure the access limits what they can do in the account. They should not be able to change domain contacts or transfer the domain.
Greenberg & Lieberman is representing EB Publishing.
Rob Monster says
Thanks Andrew. That is a good point.
The way folks do it at Epik is they allow domain delegation which works like a domain lease but without the lease fees. The delegate can work with the domain and hosting features of the domain but cannot transfer out, change the WHOIS or list the domain for sale at Epik or at an MLS like Sedo or Afternic.
H says
Kudos to Epik, but most registrars only allow either full access or none, and it is often a developer’s task to set up NS, email MX records etc. For most, having unnecessarily deep access to the client’s assets is a burden (since somebody else might mess with something there, and if you did never have that access, you are not getting accused) as well. However, when you suggest clients to make necessary changes via Skype share screen under your guidance, most would be like ‘oh, too much of a hassle, could you do it yourself please’…
What should really be advised, is, for anything more serious than a hobby website, to work only with trusted developers and always with a written contract where all responsibilities are clearly outlined.
In this situation, I don’t see anything scary. Since they were able to file a lawsuit, they are to get their domain back and if the dude did something wrong, he’s gonna be held responsible.
Rob Monster says
As a registrar, we do see these disputes happen on a fairly regular basis — a web developer hijacks (or keeps) the domain because of some dispute with their former client. If the domain is held at an unaccredited reseller, it is probably even more complicated to sort out, but for sure Andrew has highlighted a relevant area of counterparty risk when dealing with outside developers.
Really only very few people in any organization should be allowed to access the registrar credentials. Keep in mind that services like Google let you take control over all Google app services simply by verifying control of the domain which can be quietly done by inserting a host record. Once you hijack their email, you can then reset all their passwords.
So, yes, protect those registrar accounts, and use some combination of 2FA, Authenticator, IP allow and strong passwords to keep access to it restricted to only the most trusted personnel.
D says
I had this happen yesterday by a local company that used fear tactics and manipulation to gain access to my domain through name bright. I can log in but they restricted my account. What can I do?
abursill says
Contact the domain registrar company and tell them about this. As long as you were the original person or at some point were the main administrator for the domain they should be able to revoke their access. This original article was about me, but the case was dropped, because as I said the case was built on lies.
My advice to anyone is do not purchase from another person without a legally binding contract. If you do they can take it back from you, and you will lose your investment. Just like I did.
Never allow a developer to register a domain for you. As long as you, or you can never prove that you owned it.
In your case if this developer was the one that registered the domain, then you will have no case. I always tell my clients to register the domains themselves. As long as you can prove ownership and you never sold it to another person you should be fine/
Crowdfunding Capital says
Naively I got burned by a developer who stole my domain after attempting to extort unbelievable additional fees. After they irresponsibly let it expire, I grabbed it back through an open purchase agreement later arranged with GoDaddy.
Word to the Wise: Proceed Very Cautiously!
CrowdfundingCapital.net
Sipylus says
When it expired, was that for the period you paid for or did they renew for a few years then let it slip?
A customer as being ask to pay 700$ for an expired .net and we got it back for them 3 years later from the cybersquatter.
Debbi Rigdon says
Sorry, but all my clients allow me to keep over their Domains so that I can ensure they don’t naively hand off ownership to DROA or some of the others who send solicitous emails that appear to be legitimate
But then again, I’m in a small town and think of them all as family. If any wanted to move elsewhere, I’m always more than happy to assist in doing so.
Douglas Girard says
Simply unethical and a poor way to conduct business in my opinion.
We have access to many clients registrar accounts and we will never steal their domains.
CHARLES HEITZ says
Give them access then change the password. Simple, secure and effective.
chrishindefjord says
Hon is that sockret? You give the Dev the password, the dev changes the password and moves the ownership of the domain.
Scott says
We have full control over most of our clients domains or actually own then as we made the purchase for them. We have never and would never hold a clients domain ransom or abuse our control in any way. With that said, in general, I agree completely. Because we are ethical and others here state the same doesn’t mean others are. Be careful with who you trust when it comes to your domain. We’ve had to help many new clients who had these exact issues regain control that benefits them.
Blair says
Never ever leave your domain with a web developer. Always have this under your account only. Recommend as a IT Professional
Jack says
I manage some client domains as they don’t care or know enough about these things. When renewal is due and invoice I also send them a screenshot of what I manage. Needing to login to their registrar or remind them to pay their renewals is a hassle neither of us want. They’ve also sent money to scammers who send out the false renewal notices. If they have their own IT guys they can do it themselves, but usually want me to take care of it.
Like a lot of other things it’s a trade-off/compromise. There’s a small risk the relationship with the developer cold break down, like if your not paying your bills…
Emil says
I agree with many comments here. ALL my clients let me access their registrar and most of the time they even ask me to buy and set up the domain under my account so I can manage it in their behalf. I’m not in the business to take over somebody’s domain and I think most developers would so the same.
CreateIT says
This is more a question of morale and trust. As we mostly use Cloudflare for most of our clients projects, we encourage our clients to change domain NS records to Cloudflare. Afterwards we prepare an account with full client ownership directly on Cloudflare. By following such way, we don’t have to access their domain registrar if we need to add any DNS records for their domain.
Wendi says
I gave my domain/auth code to my website designer so she can help me set up/load up my new website on GoDaddy. My domain has now been changed/registered under “registration private” without my consent and now the only way to get it back is to buy it back.
She couldn’t help, barely gave me info on how this could have happened, etc.
She claimed she doesn’t have my domain but I have told her on occasions SHE was the only one that had access to my domain and auth code.
Kinda sucks now.
Eric says
Sounds like private registration was added to the account.
You might be able to resolve that. Can you still log in to the godaddy account? Do you have your call-in PIN or credit card on file?
Wendi says
Hi Eric,
My domain is under private registration yes. Not by me, someone took my name and changed it without my consent (my website designer is the only person who had my domain/auth code).
I called GoDaddy several times using my customer # and PIN to try to resolve this mess.
My domain is under another account unknown to me.
GoDaddy suggested I use their brokerage service to buy it back and I told them why do I need to buy back my domain that was misused/stolen?
Russell Grover says
I think this is a more of a “get reputable” company to work for you. I’ve had access to all my clients domains since 1997. And like someone else pointed out that there is no partial access. Clearly this article was written by someone who doesn’t know how things work. Go figure!
No says
Most registrars offed a sub account or way to share access. You are bad at your job.
Web Tech Aruba says
Well, five fingers are not equal from both side. Client and developer.
I as a developer, have more than 100 domains in my Godaddy account which my clients transferred to me, without any doubt. As a company, it is my responsibility and loyalty to take care of them, not to cheat.
If a developer cheating their client, then he is not loyal to his own business.
Andrew Allemann says
They’re actually in your account? Do they have a backup plan to access the domains in case you get “hit by a bus”?
Web Tech Aruba says
Of course, I’m not the only one in my company 😉
Andrew Allemann says
Are all of the other people who have access to the domains contractors or employees? What do you have in place to prevent them from doing something bad?
Web Tech Aruba says
I completely understand your point here, there are only two people in company have access to all the confidential information and of course saved as a file in company’s computer and in cloud as backup. So in case they both died at the same moment then other employees in the company can follow up from there.
If we think like this then the same applies on client as well. If client suddenly dies then who will take care to renew the domain?
As I mentioned in my first comment it’s all about loyalty and your responsibility 🙂 if you can’t stay loyal to your business or to your clients then nothing else to say.
Thank you.
MikeW says
Really, what does it matter if they are contractors or full time? Do you think one will be more dishonest than the other because of the tax form they fill out? It’s obvious you don’t have a background in business management.
Andrew Allemann says
Obviously
Daniel says
We usually have access to our clients domain name registrar’s account or have to register domain names for them.
Everytime we set out a document stating that the domain name is property of the client and we are here to look after it for them.
But I totally understand the concern here.
Triqqy says
Why would you let your web developer have access to your domain? Then file a lawsuit because you failed to secure your domain from being stolen. You know I have trust issue so if they need the domain or they need to modify something I’ll normally tell them to install a remote utility such as TeamViewer or Any Desk. So I can watch them do whatever they need to do. If I see them stealing something then I’ll just terminate the session and fire them off the spot. Or if I happen to get up ill just block their input from happening. Even filing a lawsuit is funny because it’s like if someone hacked your social network account which happens everyday using brute force and various of technique. It would be a hectic day for everytime someone files a lawsuit when his or her account gets hacked or stolen from password recover that a hacker installed to your pc. Like you made the mistake move on and wait until the domain is available. Then hurry up and claim that domain again.
An Oaf (@angryoaf) says
I have access to scores of client name servers. In many cases I’m the one who registered the domains in the first place.
I’ve never stolen, nor felt the need or urge to steal them or cause clients damage mo matter what the relationship.
Go figure.
Brian Ressler says
This article is pretty much what any other clueless client would say. I agree you should be careful, especially with financial aspects such as payment methods within the service. However, changing nameservers is hardly the most useful thing that I would possibly need to do. I could need database access, I could need to to create an ftp login, I might need to enable gzip, I could need to do a bunch of things. Realize there’s stuff you can’t do that a professional can. It’s a matter of trust. If you don’t trust em well you could micromanage em until they’re done. But your next designer will walk on you if the pay you offer is too little for the annoyance of you not understanding at all how this stuff works.
Andrew Allemann says
By all means, give your developer access to do these things. Just don’t give them control of your domain
David S. says
I second the warning. A company I joined some years ago did it and the developer took full control. This was before i joined. The owner of that company tried to talk it out but the developer stopped responding. But that good thing was the website was still new so we got a new domain after I joined. The owners must always have full control over the accounts and their details.
MikeW says
As the owner of an online marketing firm and a background in contract law, I can say with comete confidence that this post is way off mark.
The level of access you give your developer should scale with your trust and knowledge of domain management. Blanketed statements of “don’t give them access” can actually harm some people that have 0 knowledge of domain management, especially if you development firm offers full service web presence.
The exact issues you describe, the legal issue can arise from even purchasing your domain from your hosting provider.
For instance, my firm offers domain registration services through enom that is fully integrated into our website, control panel and all. At ANY point in time I can take a domain away from a client, in fact I have (non payment for the branding service). Any hosting provider can and 99% of the hosting providers out there resell with $0 investment into infrastructure.
It almost seems as if you have an axe to grind with web developers because the same issue described in that lawsuit can arise from any online provider from Bluehost(most popular hosting company) to WordPress (most popular blogging platform provider) to the very company you buy your domain name from.
Again, the key is trust, not blanketed scare tactics seemingly meant to alarm the public into giving their designer a hard time.
Peter Klika says
You took your clients name for nonpayment?! Why not sue in small claims court? You don’t have a legal right to seize someones property over a billing dispute.
Andrew Allemann says
Wow, what you just wrote here is one of the reasons you should never let your web developer control your domain. They can hold it hostage.
https://domainnamewire.com/2008/10/22/web-designers-holding-domain-names-hostage/
Bobby says
I’ve run a web development company for 20 years and would never do these things to a client. This article assumes that developers are all of a heinous nature, but it’s actually the lawyers that seem to have a reputation for this disposition.
Web Tech Aruba says
+1 MikeW – Completely agree with you – Trust / Honesty / Loyalty is the key.
Thank you so much for your comment, nailed it.
Manjunath says
Use two step verification for your domain. Whenever anybody want to change registered e mail I’d then owner of the domain will get the verification code or link. Until and unless owner approve third person can’t change ownership.
abursill says
Please contact me regarding this at [email protected] the real story is more interesting. The domain was sold to me and this guy is now trying to get it back.
I am actually the one that requires help with this issue.
Regards
Adrian
Jay Zippo says
As a developer we require full access to the registrar before even starting the project. It’s called being a legit, upstanding, honest business. The article should read, don’t give access to skeezy fly by nights… Don’t give honest and fair developers a bad name… Mmmkay?
Andrew Allemann says
Yikes. That’s crazy. Why on earth would need full access to the registrar? And why take on that liability in case something happens?
Adrian Bursill says
I am outraged by this article. Please read the court submitted complaint and then have a look at https://www.appliancerepair.net/news.html
I just created this page to prove that this claim by the plaintiff is nonsense.
I have no idea what can do any advice would be good. He has pretty much ruined my life since I had any dealings with him.
Andrew Allemann says
I’m confused after reading your site. So he sold the site to you? And then you sold it back to him? If his lawsuit is false, you should hire a lawyer to respond to it.
Adrian Bursill says
The part where I am selling it back to him was news to me. As far as lawyers go they all want way more money than the site would make me in years.
I tried reaching out to the court but got told to file the forms. I can not afford to fly half way around the world to do this. I have agreed to give the domain back to him. I do not have the money to fight this. It is a shame because I would win if I could.
Brian Eller says
“Private Registration” doesn’t, in itself mean that anyone has “stolen” your domain, or done anything unethical. That is an additional service which Go Daddy (and most registrars) offer, which “hides” your contact information from the WHOIS lookup. This prevents the (literally) 30+ calls a week from offshore designers/agencies who want to “help you make your website.”
“Private Registration” is selected by default when you purchase a domain via Go Daddy, so it is likely that your developer could have gotten this and not even realized it, if they don’t do this sort of thing regularly.
Andree People says
Godaddy has “Domain delegate ” system . You grant developer / designer to manage your domains or products . Depending on your access limits , developer may manage your domains / products but cant sell / transfer or cancel the domains you own .
Unfortunetelly , you give access on account base , means developer may see your all products and domains . There are no specific domain access.
You may take a look about the system .
https://livecodes.blogspot.com/2019/05/what-is-godaddy-delegate-access.html
Andrew Allemann says
Andree, I agree. I’d like the ability to grant access to make changes to a single domain in my GoDaddy account.
DavidJCastello says
Excellent article, Andrew. By far, this is the #1 complaint I’ve heard over the years. One of the most common scenarios is the web developer believes he is owed money and holds the name as ransom. I’ve heard that story over a dozen times.
Sundar says
Hi,
Well said , a web developer just needs access to resources like FTP as well as database , where he can upload / download files via FTP & manipulate the database via db client.
There is no need for providing all credentials with full access privilege to the entire domain , as this will jeopardize the client’s good will.
Being an professional web developer myself , I never ask for all the credentials with full privilege , all we need is the access to the source code & database , which is more than enough to do the website work.
Providing full access to the domain to anyone (not just the developer), is not advisable.
Skyvalley Higher Praise says
Keep your domain account in your control. Your developer should provide you with either nameservers or DNS records, which you then login to your registrar and point the domain yourself.
joesaba2014 says
I will expose what Moniker.com did with my 50 domain names after Mr. Monte Cahn sold Moniker Online Services LLC to a German company and is hiring an Mss., CEO to come from Network Solutions.
My 50 domains (.com) go from overnight to one day, month and year owned by Moniker.com that I knew through the parking domain Vodoo.com, as much as writing to the top managers in Germany and Luxembourg never have an answer until, by a search by Google, you can find the name and surname of the Mss. Moniker.com CEO and write with tests and more tests until an investor domains read one of my comments on the blog to be subscribed and write me an email from this investor domains a lawyer who was in London traveling, I respond by writing my 6 years old problem.
I answer the lawyer and write me to try to solve this serious problem, without justice in between and I accept always recover them the 50 domains (.com) I lose a lot of money to not be in parking domains, but Moniker.com won with Adsense which in Google’s program described that it was no longer dealing with domains for advertising ads.
Lawyer do a lot since I go back to recover my 50 domains (.com) in property change the DNS and no parking domains admits them all write emails that have occupied by a third company, could not sell they were kidnapped so to make the decision to follow investigating myself and in the end find the good thing that everything is planned and codified in Html and JavaScript.
I had to let 90% of the domains expire so that other domainers at the end of Moniker.com to make their own and then sell for $ 5,000 to $ 10,000, with my code discovery I change my life I only believe myself and 15 people in this domain market , that I choose to be honest with me, there is more I am sure.
Happy Day. Jose.
Gaurav says
We’re a development company & have been domain name owners as well. The incident described is not uncommon to be honest. I would urge developers not to see this as a generalisation against them but as a black-swan event which has serious/irrecoverable impact & hence needs to be avoided.
We have access to several clients’ domain names with some of them being in our registrar accounts (where the client wants us to manage renewal). Note that the registrant/admin/billing/technical contacts of the domain name do not mention our details but the client’s. And yes, we’re working on moving client domain names to a reseller account so that clients do not lose their domain names due to dependency on us.
What’s required is:
* Education around the domain name being THE most key asset of your digital existence. Losing it to renewal delays or hijacking attempts means having to start your business from scratch in a virtual & mostly faceless e-business world.
* Many registrars provide access delegation but until the point that you cannot delegate controlled-access to a single domain, I think it’s best to add third-party nameservers (e.g. Cloudflare) so that account access is no longer required in the future. I do not think a domain registrar would decline to help a client with this change (they readily handhold during renewals).amaz
Sagar says
Excellent article, this is the # 1 complaint I’ve heard over the years.
Keep your domain account under your control. Your developer should provide you with either a nameserver or a DNS record, which you then login to your registrar and point to the domain yourself.
More information
Visit:- https://www.top10news.in/
adrianbursill says
Yes a good article but in this case it was me that lost $30,000 the domain name and the case was dropped. I would advise people also when they purchase a domain to make sure they get everything in writing. Especially when the domain is transferred make sure you get something in writing from the person transferring it you. If you do not they can turn around and make a court case built on lies against you. It is very difficult or expensive to fight a court case in the USA from abroad.
Adrian Bursill says
Andrew, please write an article about the importance of getting the confirmation of the sale and transfer of a website in writing. If not people can also lose their money. It seems people in the USA can do anything they want in the courts there, This case was built up on fiction and lies and was dropped. I wanted to see something more happen, but it is expensive for a little guy thousands of miles away on the other side of the world to fight in a big US court..