Whether you’re renaming a website or deleting it altogether, it might seem harmless to let the old domain name expire. Yet, web domains are a gateway to other online services, making them the perfect target for stealthy cyber attacks. Expired domains allow clever cyber criminals to gain access to emails, passwords, and financial data without hacking your site. If you don’t want sensitive information to end up in the wrong hands, think twice before releasing a domain back into the open marketplace.
Why Expired Domain Names Are A Hot Commodity
A lapsed domain registration isn’t immediately up for grabs. When a domain isn’t renewed before the expiration day, it goes into a grace period and a final redemption period for several weeks. During this time, the owner can pay increasing renewal fees to restore the domain. After the most recent registration is deleted, the dropped domain becomes available to other registrants.
Unfortunately, it’s common for site owners to let a domain name expire by accident. If you don’t reclaim a domain before the deletion period, it’s possible for someone else to buy it before you do. Because registrar companies publish a list of recently expired domains, buyers have an easy way to find domain names they can potentially resell for a profit. The original registrants are willing to pay a premium to regain ownership when they don’t want to lose the web traffic and brand recognition associated with the domain.
The Security Risks of Losing a Domain
Unlike legitimate resellers, hackers find more sinister ways to exploit expired domains. In a 2018 study, Australian cyber security expert Gabor Szathmari demonstrated how cyber criminals can gather confidential data by setting up email services to capture traffic to expired domains. Szathmari’s study focused on law firms, which frequently rebrand or merge, resulting in a wealth of abandoned domains and email accounts.
As Szathmari discovered, business owners and employees use email to exchange a wide range of private information, including names and addresses, invoices, customer details, software license keys, and bank statements. Email accounts are also a standard method of verification when setting up accounts and updating passwords for other services.
Think about the loads of correspondence you receive every day from services you joined online. You probably assume linked email accounts are deleted when the domain expires, but they continue to get incoming mail from old contacts. Hacking your site or DNS records isn’t even necessary, Szathmari points out. Domain buyers can re-register expired names and set up an email server to retrieve mail from accounts linked to the domain. As long as they can verify domain ownership, cyber criminals have the power to alter mail exchange (MX) records and reroute emails to whatever destination accounts they want.
Online data breaches add to the dangers of letting your domain expire. In the study, Szathmari’s team used breach detection services, such as Have I Been Pwned?, to identify accounts that were compromised in the past. After major data breaches, personal data and account passwords are freely available to hackers online. And since the average web user recycles passwords for a variety of services, it’s open season for hackers to collect data and use it to invade accounts on a massive scale.
Armed with a valid domain and email addresses, cyber criminals have everything they need to reset passwords and take over accounts. In Szathmari’s experiment, the cyber team used expired domains as the starting point to navigate through highly sensitive services, including file-sharing hosts, shopping sites, legal and government portals, and social media profiles.
The Importance of Protecting Email Data
While the risk of a damaging cyber invasion is much lower if your domain was never pointed to an active site, you should still weigh the pros and cons before letting your domain expire. In the long run, it may be safer and more cost-efficient to hold onto domains you’re no longer using, especially when your domain is linked to accounts that were heavily involved in your business operations. In either case, it’s wise to diversify your passwords across different online services to prevent cyber criminals from finding inroads to your confidential data.
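To decide which domains are worth holding onto, it helps to map every account's recovery address back to the domain it depends on. The script below is an added example, not part of the original article or of Szathmari's study: the domain names, expiry dates, account list and the 60-day warning window are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: domain -> registration expiry date.
PORTFOLIO = {
    "newfirm.example": date(2026, 3, 1),
    "oldfirm.example": date(2025, 1, 10),
    "merged-llp.example": date(2025, 2, 20),
}

# Constructed sample data: (service, recovery e-mail address).
ACCOUNTS = [
    ("file-sharing", "admin@oldfirm.example"),
    ("gov-portal", "partner@merged-llp.example"),
    ("social-media", "info@newfirm.example"),
    ("shopping", "office@former-brand.example"),
]

def domain_status(domain, portfolio, today, warn_days=60):
    """Classify a domain by how close it is to leaving our control."""
    expiry = portfolio.get(domain)
    if expiry is None:
        return "not-owned"   # already dropped, or never registered by us
    if expiry < today:
        return "expired"     # past expiry: renew before it is deleted
    if expiry - today <= timedelta(days=warn_days):
        return "expiring"    # inside the (assumed) warning window
    return "ok"

def audit(accounts, portfolio, today, warn_days=60):
    """Return (service, address, status) for every account at risk."""
    findings = []
    for service, address in accounts:
        # The part after the last "@" is the domain that receives reset mail.
        domain = address.rsplit("@", 1)[-1].lower()
        status = domain_status(domain, portfolio, today, warn_days)
        if status != "ok":
            findings.append((service, address, status))
    return findings

if __name__ == "__main__":
    for service, address, status in audit(ACCOUNTS, PORTFOLIO, date(2025, 1, 15)):
        print(f"{status:10} {service:14} {address}")
```

Any account reported as "not-owned" should have its recovery address changed to a domain you control, since password-reset mail for it is already going somewhere you cannot see.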