Hopefully you don’t use 1 and 1, but this could happen on any registrar.
“Sophos senior security engineer David Schwartzberg describes how scammers tried to break into his wife’s online account at web-hosting firm 1&1 - via the telephone.”
http://nakedsecurity.sophos.com/2011/06/20/hackers-1and1-account-phone/