NEW YORK, NY – Last week, multiple organizations with domains registered with Squarespace had their websites hijacked by hackers, with most of the instances primarily targeting cryptocurrency-based businesses, such as Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains.
The hijacks took place between July 9 and July 12, and involved Google Domains assets; Squarespace had purchased the Google Domains service in June 2023 – along with approximately 10 million of its domains – and has since been gradually migrating those domains to their service since then.
However, many former Google Domains customers have yet to set up new accounts with Squarespace, and reports indicate that hackers discovered that they could take over any of the migrated accounts that had not been registered simply by utilizing an email address associated with an existing domain to log in on Squarespace’s website.
And since the domain in question didn’t have a password due to the fact that it was unregistered at the time, the hacker was then offered an option to create one, giving them control of the domain.
Experts say that the main reason Squarespace overlooked this security issue was due to their assumption that most – if not all – Google Domains customers who had migrated over to their service would utilize their social media logins, as opposed to email. Seems like both a foolish and critical mistake.
This past weekend, Squarespace closed this security loophole that had been exploited by removing the email login option on their website, but the damage had already been done; hackers had redirected the hijacked domains to phishing sites that, in turn, stole the cryptocurrency funds of any visitor unfortunate enough to visit them.
Industry experts have offered advice and assistance to Squarespace in order to beef up the security of their migrated Google Domains assets, including removing unnecessary user accounts, disabling reseller access in Google Workspace, and requiring multi-factor authentication, a feature that was disabled during the migration.
About The Author: John Colascione is Chief Executive Officer of Internet Marketing Services Inc. He specializes in Website Monetization, is a Google AdWords Certified Professional, authored a ‘how to’ book called ”Mastering Your Website‘, and is a key player in several Internet related businesses through his search engine strategy brand Searchen Networks®
Leave a Reply