At least a dozen organizations, primarily in cryptocurrency and decentralized finance, have had their domain names and hence their websites hijacked from Squarespace Inc.

The hijacked domains belong to former Google Domains customers that had not set up new accounts with Squarespace. Google LLC announced in June last year that it was shutting down Google Domains that it held and sold its assets, including customers, to Squarespace.

As detailed today by Krebs on Security, it’s believed that those behind the domain name hijacks learned that they could commandeer any migrated Squarespace accounts that had not yet been registered with Squarespace by supplying an email address tied to an existing domain.

The domain hijacks took place between July 9 and 12 and targeted cryptocurrency and DeFi businesses, including Celer Network Foundation Ltd., Compound Labs Inc., Pendle Labs Ltd. and Unstoppable Domains Inc., the last a crypto domain name and wallet address registrar. In some cases, the attackers reportedly redirected the hijacked domains to phishing sites set up to steal login details and cryptocurrency funds.

According to researchers from Metamask, formally Consensus Software Inc., and Paradigm Operations LP, what likely happened is that Squarespace presumed that users migrating from Google Domains would select the social login options — such as “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

It’s alleged that Squarespace never accounted for the possibility that a threat actor may sign up for an account using an email associated with one of the domains. With no multifactor authentication in place or password required, it was as simple as registering using an email linked to one of the domains to hijack it.

The alleged oversight by Squarespace will undoubtedly be discussed more extensively in the coming days, but one of the researchers who works with Paradigm suggested that the best solution is for Squarespace customers to consider taking their business elsewhere.

multiple crypto projects have had their domains mysteriously hijacked from their @squarespace account. consider transferring your domain to one of these instead:
– @Cloudflare
– @awscloud Route53
– @markmonitor
– @CSCDBS

— samczsun (@samczsun) July 11, 2024

At least some of the companies that have had their domain hijacked have managed to get them returned. SC Media reported that both Celer and Pendle said they recovered their domains. The latter emphasized that no cryptocurrency assets had been compromised as a result of the intrusion.

Image: SiliconANGLE/Ideogram