Domain names and websites belonging to at least a dozen organizations, most of them cryptocurrency and decentralized finance companies, have been hijacked from registrar Squarespace Inc.
The hijacked names belonged to former Google Domains customers who had not yet created new Squarespace accounts. Google LLC announced in June of last year that it would shut down Google Domains and sell its assets, including its customers, to Squarespace.
The perpetrators are believed to have discovered that, by signing up with an email address linked to a migrated domain, they could take control of any migrated account that had not yet been claimed on Squarespace. The attacks were reported by Krebs on Security today.
The blockchain domain name and wallet address registrar Unstoppable Domains Inc. was among the companies targeted in the July 9–12 domain hijacks, which also hit DeFi and cryptocurrency companies including Celer Network Foundation Ltd., Compound Labs Inc., Pendle Labs Ltd. and others. In some cases the attackers allegedly redirected the stolen domains to phishing websites designed to steal cryptocurrency funds and login credentials.
Squarespace likely assumed that users migrating from Google Domains would choose the social login options, “Continue with Google” or “Continue with Apple,” rather than “Continue with email,” according to researchers from MetaMask, owned by Consensys Software Inc., and Paradigm Operations LP.
Squarespace is said not to have considered the possibility of a threat actor creating an account with an email address linked to one of the migrated domains. Hijacking a domain was as easy as signing up with an email address connected to it: no password for the existing account was required and no multifactor authentication stood in the way.
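To make the flaw described above concrete, the following is an added example rather than Squarespace's code or anything from the article or the researchers: a toy Python model of an account-claim flow in which migrated registrant records are keyed by email address. The vulnerable registrar hands the migrated domains to whoever signs up with that address first; the hardened registrar creates an empty, unverified account, attaches the migrated domains only after a one-time token delivered to the mailbox is presented, and refuses domain changes until MFA is enrolled. The class names, the `defi-example.test` domains and the email address are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one migrated registrant record keyed by the email
# address that was on file at the previous registrar. No real domains or people.
MIGRATED_RECORDS = {
    "admin@defi-example.test": ["defi-example.test", "app.defi-example.test"],
}


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class VulnerableRegistrar:
    """Email signup immediately inherits the migrated record for that address."""

    def __init__(self, migrated):
        self.migrated = dict(migrated)
        self.accounts = {}

    def continue_with_email(self, email, password):
        # Flaw: nothing proves the caller controls the mailbox. The first person
        # to type the registrant's address owns the account and its domains.
        if email in self.accounts:
            return False
        self.accounts[email] = {
            "password_hash": _hash(password),
            "domains": self.migrated.pop(email, []),
        }
        return True

    def domains_for(self, email):
        return self.accounts.get(email, {}).get("domains", [])


class HardenedRegistrar:
    """Migrated assets are attached only after mailbox control is proven."""

    def __init__(self, migrated):
        self.migrated = dict(migrated)
        self.accounts = {}
        self.pending = {}  # email -> sha256(one-time verification token)

    def continue_with_email(self, email, password):
        if email in self.accounts:
            return None
        self.accounts[email] = {
            "password_hash": _hash(password),
            "domains": [],  # nothing inherited until the mailbox is verified
            "verified": False,
            "mfa_enrolled": False,
        }
        token = secrets.token_urlsafe(32)
        self.pending[email] = _hash(token)
        # A real service emails this token to the address; returning it here
        # stands in for delivery to the mailbox so the flow runs offline.
        return token

    def verify_email(self, email, token):
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected, _hash(token)):
            return False
        del self.pending[email]
        acct = self.accounts[email]
        acct["verified"] = True
        acct["domains"] = self.migrated.pop(email, [])
        return True

    def enroll_mfa(self, email):
        acct = self.accounts.get(email)
        if not acct or not acct["verified"]:
            return False
        acct["mfa_enrolled"] = True
        return True

    def change_dns(self, email, domain, target):
        # Domain management requires a verified mailbox, MFA, and ownership.
        acct = self.accounts.get(email)
        if not acct or not acct["verified"] or not acct["mfa_enrolled"]:
            return False
        return domain in acct["domains"]

    def domains_for(self, email):
        return self.accounts.get(email, {}).get("domains", [])
```

In the vulnerable model an attacker who knows the registrant's address (which is often visible in historical WHOIS data or on the company's own site) ends up with the domains after a single signup call. In the hardened model the same signup yields an empty account, and the migrated domains stay unclaimed until the token that only the mailbox owner receives is presented.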
There will undoubtedly be more discussion of Squarespace’s purported oversight in the days to come, but one of the researchers who works with Paradigm suggested that Squarespace customers would be better off taking their business elsewhere.
At least a few of the businesses whose domains were taken over have regained control of them. Both Celer and Pendle said they had recovered their domains, and the latter stressed that no cryptocurrency assets were compromised in the breach.