Why is all the blame being put on GoDaddy here? The problem is that his email account was compromised. Once that happens, it's game over. Everything online linked to that account is likely up for grabs at that point.
Use two-factor auth on your Google accounts, people.
Two-factor auth? You just go into your account settings and elect to turn it on; it'll have you install the Google Auth app on your phone and scan a QR code, which configures the app. Then, when you try to log into your account next, it'll ask for the code generated by the app.
The authenticator itself is just HMAC-OTP with the seed as the current time quantized to 30-second intervals. Very straightforward.
Also, to use Google services that don't support it (or can't, e.g. SMTP with Gmail), you can have Google generate a new "throwaway" password, which it will display for you one time.
It was pretty straightforward and actually kind of fun to make the switch.
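The scheme described in the comment above, as an added example that is not part of the original thread: time-based OTP per RFC 6238 built on HMAC-OTP (RFC 4226), including the server-side check with a drift window. It assumes HMAC-SHA1, 6 digits and a 30-second step; `RFC_KEY` is the published RFC test key, not a real secret, and the function names are chosen here for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30                           # seconds per time interval
RFC_KEY = b"12345678901234567890"   # test key from RFC 4226 / RFC 6238


def decode_secret(b32: str) -> bytes:
    """Decode the Base32 secret carried in the QR code (spaces, case, padding optional)."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-OTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F         # dynamic truncation: low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is Unix time // 30."""
    return hotp(key, int(now) // STEP, digits)


def verify(key: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Server-side check: accept +/- `window` steps of clock drift."""
    counter = int(now) // STEP
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue
        expected = hotp(key, counter + delta).encode()
        # Constant-time comparison; no early exit, so timing does not leak a match.
        ok |= hmac.compare_digest(expected, submitted.encode())
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_KEY, now)
    print("current code:", code, "valid:", verify(RFC_KEY, code, now))
```

A production verifier would also remember the last accepted counter per account and refuse to accept the same code twice.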