Ask HN: Gandi is holding my domain hostage. What can I do?

46•ohgandihelpme•1d ago

The short version of the story is that I was on a two-year internet hiatus. During that time my Gandi account with a decade-old domain name got locked. I have been emailing back and fourth with their Abuse department for the better part of a week and they’re slow-walking me at best.

I had assurances from the CEO, who I reached via text, that if it wasn’t resolved today to text him back. He has now gone dark on me.

I used to love Gandi, but they’re holding my domain name hostage. This doesn’t sound awful until I mention that the nameservers were changed when the account got locked, so I have no access to the domain whatsoever. This isn’t just a domain I’ve done nothing with, but it has my entire life attached to it.

I know they went downhill since they were acquired, but I didn’t think it’d be this bad, obviously.

What can I do? Other than “learn a lesson with backup codes and transfer the domain name.”

Comments

abxyz•1d ago

What you’re describing doesn’t make much sense: why would a registrar lock your account? Why would a registrar change your domain’s nameservers? If you have direct contact with the CEO then you’re already far ahead of wherever people here can get you.

You said “backup codes” so I’m going to guess what’s actually happened is you lost access to your second factor, your domain has expired and you’re unable to log in to your account to renew it. Does that accurately reflect the situation?

ohgandihelpme•1d ago

My guess is someone eventually got in (my password wasn’t great, and my Gmail attached also got hit) and then they locked it out of suspicious activity. I didn’t mean to imply the registrar did, but it was changed.

The domain didn’t expire—my partner was able to renew without having to login, not knowing that my account was “locked, please contact support”ed.

The CEO said it’s out of their hands and the abuse department would take care of it, but he seems to have now offered radio silence. I’m not sure what to do next short of sending a demand letter, or if that would get me anywhere with a FR-based entity, albeit they do have an office in San Francisco…

thisislife2•1d ago

If your account has been hacked, and even possibly misused, the company would be well within its right to take the time to verify everything you say. They wouldn't, after all, want to fall foul of the law in any manner and be liable for something illegal. That said, check the consumer laws in your country - In mine (India), when I wish to file a complain and send such notices to a company (informing them to resolve the issue or else be dragged to court), I generally have to give them a "reasonable" time to resolve the issues (around 15 to 30 days). (And yes, if the company has stopped communicating you, send them such notice / demand immediately so they will have to respond to you - nothing gets a company moving faster than unnecessary legal expenditure and being summoned in court. If they have an office in your country, they are bound by your country's law). (For more on the legal aspect, ask in law.stackexchange.com and consult an attorney).

namegulf•1d ago

How did your partner renew the domain without logging in? There is only 2 ways to renew.

1. Auto-renew if configured and credit card is in good standing 2. Manual, you'll get email for renewal, you click, login and then renew

Something doesn't add up here.

joshmn•1d ago

Weird indeed: When renewing a domain registered at Gandi, you don’t have to be the account owner: “The owner of the transferred domains cannot be modified as per registry policy. The owner will remain the same after the transfer. Owners will not change for renewed products.” And later, “Please be aware that you are about to renew a domain you do not own.”

Just tried it myself.

namegulf•1d ago

Are they confusing transfer for renewals? Because the message above all talks about transfers.

joshmn•1d ago

I interpreted the message as “Gandi isn’t what they used to be anymore, I’m going to transfer out, you don’t need to tell me this.” It could also be a language barrier by OP.

dogecoinbase•1d ago

Many registrars allow renewal of domain names without authentication (you're unable to change any of the domain settings, however) -- some just let you do it, others it's a process, e.g. https://www.namecheap.com/support/knowledgebase/article.aspx...

namegulf•11h ago

That requires an account created before renewal even though it's not the same account as the domain name.

This may be useful for gifting a renewal or something like that.

yowlingcat•1d ago

It's quite a stretch to go from "Gandi is holding my domain hostage" to "my password wasn't great" -- while my heart goes out to you (I personally don't like that we live in a world where just because people can engage in digital thievery it just happens), I don't know if you could reasonably expect Gandi to do anything other than having it work through their fraud department.

The world is pretty messed up out there. Please use products like haveibeenpwned and a good password manager like 1password (which can help automatically check your passwords for breaches) to structurally ensure you can remediate these situations for the future as well as prevent them from occurring (strong un-reused passwords). If this site is something that your whole life is attached to it deserves your attention to protect it.

Good luck. Hope you get this resolved. It's not your fault but crimes of opportunity rarely are.

eduction•1d ago

Give it time? Just because the CEO hasn’t texted you back in the hours after close of business in Paris doesn’t mean the person is ignoring the issue. What are they supposed to do until business opens tomorrow?

It also sounds like you’ve been in touch with support for a weekend and a few business days and it’s not resolved yet. But it also sounds like communication is ongoing.

In a subsequent message you say your Gmail was compromised and probably your Gandi too. Do you think it’s realistic or desirable for them to sort that in just a few days?

I’ve not loved the direction of the new Gandi but if it were me in your shoes I’d be shocked if it were resolved as quickly as you expect it to be. They have the unenviable task of sorting out your hacker from you from thousands of miles away. I don’t think it’s bad, neccesarily, that they need more than three business days to do it.

helpful1•1d ago

1. You can access your personal domain by just updating your /etc/hosts file on Mac or Linux or googlebke file on Windows.

2. No details in your post so I’m convinced that you’re only telling the part of the story that paints you in a good light and Gandhi in a bad one.

3. Good luck

kstrauser•1d ago

1. I'm certain they mean to "access the domain in Gandi's control panel" so that they can make adjustments to it, not just accessing the website on it.

cr3ative•1d ago

You disappeared for two years, your account got broken in to, and you’re wondering why it might take perhaps more than one week to untangle this?

It’s amazing they’re entertaining the idea of recovering it at all honestly.

greenchair•1d ago

3/10 fanfic from a competitor, too many inconsistencies

vbezhenar•1d ago

I've always wondered, is it possible to completely lose access to domain name, if registrar decides to ban my account? Or I have a way out through IANA or something like that? I'm supplying my personal information to them for a reason, after all? So can I forcibly transfer my domain to another registrar?

kiitos•1d ago

why would you post this customer support request to hacker news??

RickJWagner•16h ago

First, laugh at them.

Ask HN: Logic design books to follow after reading Thomas L Floyd?

Playing Viking Chess with Whale Bones

Swedish startup unveils Starlink alternative

Threats Detected: Trojan:Win32/Vigorf.A

The Scam of Age Verification

Trump to Rebrand Pentagon as Department of War

ActivityPub message rewrite facility (MRF) based on WASM

Sloot Digital Coding System

Phala GPU Tee Deep Dive: Securing AI at the Hardware Layer

Mark Zuckerberg Sues Mark Zuckerberg

Benefits of Coloring for Adults

Ask HN: What made you become an IT/programmer?

Build APIs for Humans and AI Agents via MCP

Common Android Data Endpoints (and the Companies Behind Them)

Some unusual drawbacks of high speed, modern aviation

You.com Raises $100M Series C at a $1.5B Valuation

Sphinx Notionbuilder: Publish Markdown and RST to Notion

Escaping the odds and a formula for life (2024)

Redis to Acquire Real-Time Data Platform Decodable

Type Checking Is a Symptom, Not a Solution

The Perceptron

Denver's Restaurants Are Dying

Statement: The Russell-Einstein Manifesto

Axis of Upheaval: Inside China's Military Parade with Russia, DPRK and Iran

Crink

Show HN: My AI agent has a browser to fix hallucinated selectors

Why RDF Is the Natural Knowledge Layer for AI Systems

Dealing with cancel safety in async Rust

Anthropic Clamps Down on AI Services for Chinese-Owned Firms

Swimming in Tech Debt