How Hackers Can Use Your Expired Domains to Steal Data

When businesses and blogs rename or merge, old domains sometimes get left behind. Security researchers say expired domains can put data at risk.

Scammers may set up fake shops on expired domains and use them to steal credit card data from unwary bargain hunters. Or they may target email accounts linked to the domain to scam clients, steal company secrets and break into employees’ shopping and travel accounts.

Prevention is as easy as renewing and protecting all your domains—but that’s not always simple, especially if you own a lot of domains. Here’s what you need to know about your risks when a domain expires and how to keep yours current.

register domain name

What Happens When Domains Expire?

The first thing you need to know is that when domains expire, they’re available to anyone who wants to pay to register them. They’re also easy to find online, through sites that offer expired domain name searches and lists of recently expired domains to bid on. Some buyers buy expired domains for legitimate projects. Others are not so ethical.

Your expired domain could end up as a fake online store

Criminal gangs snap up expired domains to turn them into phishing sites. That damages the brands that lose their domains, the brands impersonated by the scammers, and shoppers who fall for the scam. 

Security blogger Brian Krebs profiled a photographer whose old portfolio domain was turned into a fake athletic shoe store after her registration lapsed. Thieves used it to steal credit card data for resale on the dark web.

example of expired domain used to steal credit card data

For the photographer, the damage went beyond the loss of her website. She had no way to access social media accounts that were linked to her domain email address, because the scammers changed her passwords. Now the domain that used to host her portfolio redirects to the official adidas website, after adidas and Reebok sued the scammers who exploited her expired domain along with hundreds of others. 

Your expired domain could let data thieves into your business

Last year, security researchers with Australian cybersecurity firm Iron Bastion proved that registering abandoned business and law firm domains could give criminals access to insider data.

By setting up a catch-all email forwarding service for domains they re-register, criminals can access confidential client data and emails. They can run scams using this information or sell it on the dark web. They can also take over former employees’ social media, banking, and professional accounts by changing the passwords linked to the old domain’s email addresses. 

What should you do with domains you don’t use anymore?

Security experts say the best way to safeguard your old domains is to keep renewing them, even if you’re not currently using them. Then you should close the email accounts associated with those domains and unlink those email accounts from alerts sent by banks, airlines, and other services that handle sensitive (and valuable) information.

If you must let your old domains go, you’ll need to be thorough about updating any online accounts you and your employees set up using old domain email addresses. Then you’ll need to close those email accounts.

In either case, it’s wise to let your customers and vendors know about your change of email address. Give them some advance notice, ask them to whitelist your new email address, and then ask them to delete the old address when you’ve closed that account. 

For any email account on any domain, it’s always a good idea to set up two-factor authentication (2FA). By requiring a code from an SMS message or an authenticator app, you reduce the risk of someone maliciously changing your password on your email account and other accounts you set up with your email address. 

And speaking of passwords, don’t make it easy for hackers to guess or brute-force yours. Every email address on your domains should have a strong password that’s not used for any other accounts. 

How can you keep all your domains current and safe?

Follow these recommendations from domain security experts to keep your domains in your possession.

Give your domain registrations fewer chances to lapse. Start by registering or renewing for the longest amount of time you can, like three years instead of one. Then set your registrations to auto-renew. 

Keep your registration information up to date. Update your domain registration accounts when your email address, phone number, or other contact information changes. Changed credit cards or online payment services? Make sure you change your domain payment information, or your auto-renewals will fail.

Keep your registration information private. Domain privacy protection costs a few dollars a year, and it’s worth it. If you add domain privacy when you register your domain, your registrar’s contact information is listed in the WHOIS public database. Without domain privacy, your name, email address, and other personal data are on display. That can put you at risk for spam, scams, and harassment. 

Lock your domains. Domains must be unlocked when you’re transferring them to a new host. Otherwise, lock them to keep scammers from transferring them to a different web host without your consent. 

In HostGator’s Customer Portal, you can lock your domains for free.

  • Navigate to Domains in the left sidebar.
how to lock domains in hostgator
  • Under Manage Domains, you have the option to lock all your domains at once.
hostgator manage domains and lock
  • You can also click the More button for any of your domains to lock one at a time. Under Domain Overview, click the Change link next to Locking. That takes you to Domain Locking. Then you just move the switch to Locking ON and click Save Domain Locking.
domain locking with hostgator

Now your domain is protected against theft by unauthorized transfer. And with auto-renew in place and good cybersecurity practices, your domains are safe from expiration and exploitation.

Ready for a new domain?

HostGator now offers new customers a year of free domain registration with selected hosting packages and top-level domains. Sign up for 12 or more months of hosting, register a .com, .net, or .org top-level domain, and get the first year’s domain registration for free. See complete offer details here

Casey Kelly-Barton is an Austin-based freelance B2B content marketing writer. Her specialty areas include SMB marketing and growth, data security, IoT, and fraud prevention