Our SquareSpace Domain Was Hijacked! Here’s How Blockchain Can Prevent This From Happening To You

Matthew Gould
4 min read · Jul 12, 2024


On Thursday, July 11th, around 10 PM EST, we experienced a security incident involving the compromise of unstoppabledomains.com. Fortunately, we regained account access with Squarespace by 3 PM EST on Friday, July 12th.

The attack aimed to spoof emails; however, there is no evidence of data or account compromise, and no spoof website was launched. There is also no evidence of large-scale phishing campaigns, as the attacker was unable to access our customer contact data. We are happy to report that our backend services, smart contracts, and other critical infrastructure remain unimpacted. The incident appears to be limited to our DNS settings on Squarespace.

However, as a precautionary measure, we have placed unstoppabledomains.com in maintenance mode while we complete thorough security checks and clean-up, and we have also reached out to partners to rotate API keys and other access credentials out of an abundance of caution. We anticipate that the website will be operational early next week.

Why did this happen?

There’s a great investigation happening right now (link). Squarespace has not made an official announcement yet because the threat is still ongoing and they are prioritizing assisting customers and containing the threat.

As a quick summary, the current theory is that during the Google Domains migration process to Squarespace, accounts were automatically created for each domain, one for each of the following email addresses:

  • Email address associated with the Google Domains account where you managed the domain
  • Any contributor email address associated with the domain
  • The email address listed as the Admin, Tech, and Billing contacts on the domain

If any of these emails already owned a Squarespace account prior to the migration, attackers may be able to gain access via other means. There may also be some other vulnerability which allows the threat actor to take over the new Squarespace accounts automatically created during the migration process (link).

In our case, the ownership of the account was compromised even though the migration to Squarespace had not been fully completed, and the owner of the domains had never created an account on Squarespace. This points to some vulnerability in accounts auto-created by the migration process.

Unfortunately, similar breaches have affected several other crypto companies including Coinlist, Compound Labs, and countless others. If your company was on Google Domains and was migrated to Squarespace, you are vulnerable and should alert your engineering team immediately.

There appears to be an issue in Squarespace’s accounts system, where migrated accounts are able to be compromised. If you were part of this migration, we suggest the unusual step of creating a NEW, never-before-used email and setting it as the primary admin with the proper security settings.

Here are our suggested remediation steps:

  • Ensure that you still have access and control of your account and log in as the primary owner.
  • Create a COMPLETELY NEW EMAIL unassociated with any of your accounts. The best and easiest way is to create a free email from one of the larger service providers like Gmail.
  • Remove ALL admins except for your primary owner from the account. Then, CHANGE THE EMAIL of the primary account to the newly created email.
  • Set up and configure 2FA for the account and actively monitor it. Keep account access limited until Squarespace posts an update.
  • Finally, for extra security, use a lock service like Verisign’s Registry Lock.

In light of this security breach affecting Unstoppable Domains and other companies, it has become increasingly evident that the transition of domains to onchain systems holds promise. This incident underscores the vulnerabilities inherent in traditional Web2 domain registrars and highlights the potential for “self custody” or “custody plus” solutions.

Registrars are custodians of your domains. If they are compromised, like Squarespace today, your website traffic can be routed without your permission to somewhere else.

Domains secured onchain are managed through a private key, so their records cannot be changed without the user’s permission. By creating verified onchain records for domains, we can offer an extra layer of protection that browsers and others can check to help fight these types of attacks. Registrar DNS records could be configured not to update unless you provide a verified onchain signature. Or, registries themselves could implement onchain systems similar to Verisign’s Registry Lock service, at much lower cost for all users. For example, today on UnstoppableDomains.com we require wallet signatures for DNS record updates as well as transfers out; if other registrars like Squarespace implemented this, it would have entirely prevented the hack we saw today.
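The following is an added illustration of the signature-gated record update described above; it is example code written for this post, not Unstoppable Domains’ implementation or any registrar’s API. The toy registrar, the domain `example.test`, and the record values are constructed for the example, and the standard library’s P-256/SHA-256 signing stands in for a wallet’s secp256k1 signature. The point it demonstrates: when every DNS change must carry a signature from the owner’s key over the exact change (plus a fresh nonce), control of the registrar login alone cannot repoint a record, and a captured authorization cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RecordChange is the canonical description of one DNS change the domain
// owner authorizes. Everything the registrar acts on is inside the signed
// message, so a compromised registrar account cannot alter any of it.
type RecordChange struct {
	Domain string
	Type   string // record type, e.g. "A" or "MX"
	Name   string // record name, e.g. "@" or "www"
	Value  string
	Nonce  uint64 // strictly increasing per domain; a reused nonce is a replay
}

// Canonical returns the exact bytes that are signed and later verified.
// A fixed field order and separator keep signer and verifier in agreement.
func (c RecordChange) Canonical() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%s\n%d", c.Domain, c.Type, c.Name, c.Value, c.Nonce))
}

// Registrar is a toy registrar (constructed for this example) holding, per
// domain, the owner's verification key and the last accepted nonce.
type Registrar struct {
	owners  map[string]*ecdsa.PublicKey
	nonces  map[string]uint64
	records map[string]string // "domain/type/name" -> value
}

func NewRegistrar() *Registrar {
	return &Registrar{
		owners:  map[string]*ecdsa.PublicKey{},
		nonces:  map[string]uint64{},
		records: map[string]string{},
	}
}

// NewOwnerKey generates a domain owner's signing key. P-256 is an assumed
// stand-in for the secp256k1 key a wallet would use.
func NewOwnerKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Register binds a domain to its owner's public key. In the onchain design
// this key would be read from the chain rather than from registrar storage.
func (r *Registrar) Register(domain string, owner *ecdsa.PublicKey) {
	r.owners[domain] = owner
}

// Apply accepts a change only if it carries a fresh nonce and a signature
// that verifies under the owner's key; a registrar login alone is not enough.
func (r *Registrar) Apply(c RecordChange, sig []byte) error {
	pub, ok := r.owners[c.Domain]
	if !ok {
		return errors.New("unknown domain")
	}
	if c.Nonce <= r.nonces[c.Domain] {
		return errors.New("stale nonce: replayed or out-of-order request")
	}
	digest := sha256.Sum256(c.Canonical())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the domain owner's key")
	}
	r.nonces[c.Domain] = c.Nonce
	r.records[c.Domain+"/"+c.Type+"/"+c.Name] = c.Value
	return nil
}

// Lookup returns the current value of a record, if one exists.
func (r *Registrar) Lookup(domain, typ, name string) (string, bool) {
	v, ok := r.records[domain+"/"+typ+"/"+name]
	return v, ok
}

// Sign produces the owner's authorization for exactly one change.
func Sign(priv *ecdsa.PrivateKey, c RecordChange) ([]byte, error) {
	digest := sha256.Sum256(c.Canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	owner, intruder := NewOwnerKey(), NewOwnerKey()
	reg := NewRegistrar()
	reg.Register("example.test", &owner.PublicKey)

	// The legitimate owner points www at their server: accepted.
	good := RecordChange{"example.test", "A", "www", "192.0.2.10", 1}
	sig, _ := Sign(owner, good)
	fmt.Println("owner update:", reg.Apply(good, sig))

	// Someone holding only the registrar login tries to repoint it: rejected.
	bad := RecordChange{"example.test", "A", "www", "203.0.113.66", 2}
	badSig, _ := Sign(intruder, bad)
	fmt.Println("intruder update:", reg.Apply(bad, badSig))

	// Replaying the owner's earlier signed request fails the nonce check.
	fmt.Println("replay:", reg.Apply(good, sig))
}
```

Two design points matter in practice: the signature covers the whole canonical change, so an attacker who captures a valid authorization cannot reuse it with a different value, and the per-domain nonce rejects replays of an authorization the owner genuinely issued. A real deployment would also need a rule for rotating the owner key and for recovering from a lost key, which this toy omits.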

The message is clear: with onchain domains there is an opportunity to build systems where users directly custody their domain records, mitigating the custodial problem for domain names. In contrast, traditional Web2 registrars store domains in company databases, relying on manual security practices that are susceptible to breaches like the one we experienced today.

The recent attack has reinforced the urgent need for the domain industry to evolve. Unstoppable Domains is committed to securing the industry by bringing domains onchain. By adopting onchain security, we can ensure that domains are safer, more functional, and better equipped to handle the growing threats of attacks, particularly as more consumers become comfortable with using cryptocurrency every day.
