You disappeared for two years, your account got broken in to, and you’re wondering why it might take perhaps more than one week to untangle this?
It’s amazing they’re entertaining the idea of recovering it at all honestly.
What you’re describing doesn’t make much sense: why would a registrar lock your account? Why would a registrar change your domain’s nameservers? If you have direct contact with the CEO then you’re already far ahead of wherever people here can get you.
You said “backup codes” so I’m going to guess what’s actually happened is you lost access to your second factor, your domain has expired and you’re unable to log in to your account to renew it. Does that accurately reflect the situation?
My guess is someone eventually got in (my password wasn’t great, and my Gmail attached also got hit) and then they locked it out of suspicious activity. I didn’t mean to imply the registrar did, but it was changed.
The domain didn’t expire—my partner was able to renew without having to login, not knowing that my account was “locked, please contact support”ed.
The CEO said it’s out of their hands and the abuse department would take care of it, but he seems to have now offered radio silence. I’m not sure what to do next short of sending a demand letter, or if that would get me anywhere with a FR-based entity, albeit they do have an office in San Francisco…
How did your partner renew the domain without logging in? There are only 2 ways to renew.
1. Auto-renew if configured and credit card is in good standing
2. Manual, you'll get email for renewal, you click, login and then renew
Something doesn't add up here.
Weird indeed: When renewing a domain registered at Gandi, you don’t have to be the account owner: “The owner of the transferred domains cannot be modified as per registry policy. The owner will remain the same after the transfer. Owners will not change for renewed products.” And later, “Please be aware that you are about to renew a domain you do not own.”
Just tried it myself.
Are they confusing transfer for renewals? Because the message above all talks about transfers.
I interpreted the message as “Gandi isn’t what they used to be anymore, I’m going to transfer out, you don’t need to tell me this.” It could also be a language barrier by OP.
Many registrars allow renewal of domain names without authentication (you're unable to change any of the domain settings, however) -- some just let you do it, others it's a process, e.g. https://www.namecheap.com/support/knowledgebase/article.aspx...
That requires an account created before renewal even though it's not the same account as the domain name.
This may be useful for gifting a renewal or something like that.
If your account has been hacked, and even possibly misused, the company would be well within its right to take the time to verify everything you say. They wouldn't, after all, want to fall foul of the law in any manner and be liable for something illegal. That said, check the consumer laws in your country - In mine (India), when I wish to file a complaint and send such notices to a company (informing them to resolve the issue or else be dragged to court), I generally have to give them a "reasonable" time to resolve the issues (around 15 to 30 days). (And yes, if the company has stopped communicating with you, send them such notice / demand immediately so they will have to respond to you - nothing gets a company moving faster than unnecessary legal expenditure and being summoned in court. If they have an office in your country, they are bound by your country's law). (For more on the legal aspect, ask in law.stackexchange.com and consult an attorney).
It's quite a stretch to go from "Gandi is holding my domain hostage" to "my password wasn't great" -- while my heart goes out to you (I personally don't like that we live in a world where just because people can engage in digital thievery it just happens), I don't know if you could reasonably expect Gandi to do anything other than having it work through their fraud department.
The world is pretty messed up out there. Please use products like haveibeenpwned and a good password manager like 1password (which can help automatically check your passwords for breaches) to structurally ensure you can remediate these situations for the future as well as prevent them from occurring (strong un-reused passwords). If this site is something that your whole life is attached to it deserves your attention to protect it.
Good luck. Hope you get this resolved. It's not your fault but crimes of opportunity rarely are.
That's absolutely frustrating - domain registrar lockouts can feel like digital kidnapping, especially when it's a domain tied to your identity.
Immediate steps you can try:
File a complaint with ICANN - They have a domain dispute resolution process specifically for registrar issues
Contact your state's consumer protection agency if you're in the US
Document everything - Save all email exchanges, screenshots, dates
Try reaching out on their social media publicly - Sometimes public pressure works faster than private emails
For the future (I know this doesn't help now, but might help others reading):
Always keep domains at least 2 years ahead on renewals
Use a separate email just for domain management
Consider using domain monitoring services
Alternative approach: If you can prove ownership of the domain (old DNS records, historical whois data, etc.), you might be able to build a case for transfer. Tools like NameGator.net actually have domain history features that could help you gather evidence of your ownership - might be worth checking if they have any records that could support your case.
Hope you get this resolved. Gandi's acquisition really did change their customer service culture unfortunately.
I've always wondered, is it possible to completely lose access to domain name, if registrar decides to ban my account? Or I have a way out through IANA or something like that? I'm supplying my personal information to them for a reason, after all? So can I forcibly transfer my domain to another registrar?
3/10 fanfic from a competitor, too many inconsistencies
Give it time? Just because the CEO hasn’t texted you back in the hours after close of business in Paris doesn’t mean the person is ignoring the issue. What are they supposed to do until business opens tomorrow?
It also sounds like you’ve been in touch with support for a weekend and a few business days and it’s not resolved yet. But it also sounds like communication is ongoing.
In a subsequent message you say your Gmail was compromised and probably your Gandi too. Do you think it’s realistic or desirable for them to sort that in just a few days?
I’ve not loved the direction of the new Gandi but if it were me in your shoes I’d be shocked if it were resolved as quickly as you expect it to be. They have the unenviable task of sorting out your hacker from you from thousands of miles away. I don’t think it’s bad, necessarily, that they need more than three business days to do it.
why would you post this customer support request to hacker news??
First, laugh at them.
1. You can access your personal domain by just updating your /etc/hosts file on Mac or Linux or googlebke file on Windows.
2. No details in your post so I’m convinced that you’re only telling the part of the story that paints you in a good light and Gandi in a bad one.
3. Good luck
1. I'm certain they mean to "access the domain in Gandi's control panel" so that they can make adjustments to it, not just accessing the website on it.