If GoDaddy accepted Bitcoin PayPal wouldn't even be involved and GoDaddy instead of asking for information which is apparently easily pilfered could have requested the caller sign a message with their private key Bitcoin key corresponding to the public key from which they paid GoDaddy for the domain services to begin with.
If GoDaddy separated authentication of requests from payment information and had any of a wide number of different authentication methods, this wouldn't have been an issue, either. Using PayPal -- or accepting credit card payments by other means -- does not imply (or normally involve) using the last four digits of CC number as if it were a PIN for authentication. (In fact, since CC numbers are widely exposed information, doing so is insane -- especially the last four digits, which are frequently used without the rest as a reference to identify a credit card to the owner of the card in contexts like receipts where the information is expected to be particularly public.)
Payment methods are really largely irrelevant here, GoDaddy could easily have adopted an equally stupid and brain dead authentication method if they took bitcoin as payment.
