
Security Warning: Expired Domains Vulnerable to Identity Theft

By Mark Fulton on May 19, 2011

Self-proclaimed hacker-entrepreneur Ben Reyes stumbled upon a security exploit after registering a domain that had recently expired.

Reyes found that those who have Google Apps set up on their domains are particularly vulnerable to a social engineering exploit. However, the warning is not restricted to those using Google Apps: any personal or business domain that is allowed to expire may be vulnerable to identity theft.

Owning a domain enables a person to create and use any email address on it, including addresses that were used in the past. Because website histories and domain Whois registrant email addresses are archived, there is due cause for concern.

Additionally, expired domains may become a target for identity theft as news leaks out.


Google Apps for Domains Disaster

It is potentially very easy for a would-be criminal to use old email accounts with malicious intent. Reyes has provided us with a first-hand demonstration.

"This Domain Has Already Been Registered With Google Apps"

After verifying ownership of his new domain, Reyes was able to gain access to an existing Google Apps for domains account, including stored emails, contacts and calendars. Access of this kind can in turn expose more sensitive information, such as passwords to social networking, shopping and online banking accounts.

Personal Information Compromised

The Google Security team responded to news of the exploit with a statement that it is important to renew a domain or export your personal information. Google may be updating the domain verification process as a result of the incident.

Two Solutions to Avoiding Identity Theft by Domain

The risk associated with expired domains is so obvious that it is often overlooked. A little common sense goes a long way in protecting yourself.

1. Export and Erase All Personal Information

Before allowing any domain name to expire, erase any email accounts and personal information.

Inform all of your contacts that you will be using a new domain. Give them plenty of notice, and send follow-up reminders to update your contact information and email address.

None of your accounts on other websites should be using email addresses associated with the domain.

2. Renew Your Domain Name Indefinitely

Domains can be registered for a maximum of 10 years. Doing so will put your mind at ease and is also said to give some website authority for SEO purposes.

All domain registrars have the option to register for multiple years or to automatically renew a domain. Be sure to have valid payment information on file. You’ll also want to be sure you are receiving email notices from the registrar. You don’t want those renewal reminders getting lost in a spam folder.

It’s also a good practice to use an administrator and registrant email address that is not associated with the domain name. Otherwise, you may be vulnerable to domain theft if your website or email address is hacked.
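The checks from both solutions can be run as a routine audit over a list of your domains. The script below is an added example, not code from the original article; the inventory, its field names, the 60-day warning window and the example.com, example.org and mailhost.example names are all constructed for illustration.

```python
from datetime import date

# Constructed inventory: in practice, copy these fields from the registrar's
# control panel and from your own list of online accounts.
INVENTORY = [
    {"domain": "example.com", "expires": date(2011, 6, 10), "auto_renew": False,
     "registrant_email": "admin@example.com",
     "account_emails": {"bank": "me@example.com", "social": "me@mailhost.example"}},
    {"domain": "example.org", "expires": date(2020, 1, 1), "auto_renew": True,
     "registrant_email": "owner@mailhost.example",
     "account_emails": {"shop": "owner@mailhost.example"}},
]

def on_domain(email, domain):
    """True if the address is at the domain or at any subdomain of it."""
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(entry, today, warn_days=60):
    """Return the list of findings for one domain record (empty means OK)."""
    findings = []
    days_left = (entry["expires"] - today).days
    if days_left < 0:
        findings.append("EXPIRED %d days ago" % -days_left)
    elif days_left <= warn_days:
        findings.append("expires in %d days" % days_left)
    if not entry["auto_renew"]:
        findings.append("auto-renew is off")
    # A registrant address on the domain stops working when the domain lapses.
    if on_domain(entry["registrant_email"], entry["domain"]):
        findings.append("registrant email is on the domain itself")
    # Accounts elsewhere that still depend on a mailbox at this domain.
    tied = sorted(name for name, addr in entry["account_emails"].items()
                  if on_domain(addr, entry["domain"]))
    if tied:
        findings.append("accounts still using this domain: " + ", ".join(tied))
    return findings

def audit_all(inventory, today):
    """Map each domain name to its findings."""
    return {entry["domain"]: audit(entry, today) for entry in inventory}

if __name__ == "__main__":
    for domain, findings in audit_all(INVENTORY, date(2011, 5, 19)).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Any account listed under "accounts still using this domain" should be moved to another address before the domain is sold or allowed to lapse.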

Take special care of your personal and business domains to keep your identity secure! If you are selling or re-branding, take the proper steps before transferring ownership and seek out a reputable buyer.

Please pass the word along about the security risk associated with letting domains expire.


About Mark Fulton

Mark is the Founder of DotSauce Magazine and a full time web developer, domain investor, SEO and online marketing professional residing in North Carolina, USA. Visit MarkFulton.com for information on freelance website development, SEO and consultation services.