Lapsed or expired domains pose a serious security issue for your organisation. The larger and more visible your organisation is, the greater the risk.
(I’ve shared this story before – it came up again today in conversation so worth a reshare…)
When an organisation changes its name, external folks (customers etc.) will see the website and email addresses change from oldcorp.com to newcorp.com.
So what to do with the oldcorp.com domain name?
If it’s a premium domain, and parting with it doesn’t cause any confusion for your new org, one option might be to have it valued and sold through a domain broker like Dan.
From a security standpoint though, the overwhelming recommendation is to hold onto it and not let it lapse.
In 2018, we supported a client through a rebrand with a name change.
There were several months of crossover where both domains were active, which involved things like replying to laggard emails sent to @oldcorp.com addresses to direct everyone to the @newcorp.com ones.
The “oldcorp.com” domain was not premium and of no further use, so once the email volume dropped, they switched off auto-renewal with their domain host, and at the next billing cycle the oldcorp.com domain simply lapsed.
The tech team still had the old domain on one of their monitoring systems though, and only weeks later it blinked back to life.
Someone had reregistered the domain – not completely unexpected, but some digging revealed that all the previous email addresses had also been reinstated. That was suspicious.
Sending a few emails to those addresses revealed that the new owner was not a legitimate business – they were using the domain to mimic our client.
The first concern was that they might start intercepting emails, which wasn’t ideal but had mostly already been dealt with… but we pretty quickly realised that wasn’t the real problem.
Any digital account previously opened with an oldcorp email address was now under threat.
All the hijacker had to do was visit any website, enter the @oldcorp.com email address, hit the “reset password” link and if an account existed, boom – they were in.
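A defender-side check in the spirit of the monitoring that caught the old domain blinking back to life, and of the password-reset exposure just described: this is an added example, not the client's or the post's own tooling. It assumes a DNS lookup function is injected, so the constructed sample answers below run offline; with a real resolver (for example one built on dnspython) the same logic would run against live records.

```python
from dataclasses import dataclass, field

@dataclass
class DomainState:
    name: str
    expected_lapsed: bool                       # True if we deliberately let it expire
    known_ns: set = field(default_factory=set)  # nameservers from when we controlled it

def check_domain(state, lookup):
    """lookup(name, rtype) -> list of record strings, [] when none exist.
    Returns alert strings; an empty list means nothing changed."""
    alerts = []
    ns = set(lookup(state.name, "NS"))
    mx = lookup(state.name, "MX")
    if state.expected_lapsed:
        # A domain we let go should stay dark: NS means re-registered, MX means it can receive mail (reset links).
        if ns:
            alerts.append(f"{state.name}: lapsed domain has NS records again (re-registered)")
        if mx:
            alerts.append(f"{state.name}: lapsed domain now accepts mail (password-reset risk)")
    else:
        # A domain we are keeping must stay registered and on our own nameservers.
        if not ns:
            alerts.append(f"{state.name}: no NS records; check registration and auto-renewal")
        elif state.known_ns and not (ns & state.known_ns):
            alerts.append(f"{state.name}: nameservers changed to {sorted(ns)}")
    return alerts

# Constructed DNS answers standing in for live lookups (hostnames are placeholders).
SAMPLE_DNS = {
    ("oldcorp.com", "NS"): ["ns1.unknown-host.example"],
    ("oldcorp.com", "MX"): ["10 mail.unknown-host.example"],
    ("newcorp.com", "NS"): ["ns1.our-dns.example"],
    ("newcorp.com", "MX"): ["10 mail.newcorp.com"],
}

def sample_lookup(name, rtype):
    return SAMPLE_DNS.get((name, rtype), [])

WATCHLIST = [
    DomainState("oldcorp.com", expected_lapsed=True),
    DomainState("newcorp.com", expected_lapsed=False, known_ns={"ns1.our-dns.example"}),
]

def run_watchlist(watchlist=WATCHLIST, lookup=sample_lookup):
    return {d.name: check_domain(d, lookup) for d in watchlist}

if __name__ == "__main__":
    for name, alerts in run_watchlist().items():
        print(name, "OK" if not alerts else "ALERT: " + "; ".join(alerts))
```

Run it on a schedule and feed the alerts to whatever channel the tech team already watches; the "lapsed" branch is what would have fired when oldcorp.com came back with mail enabled.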
The rebranding process itself was thorough – digital accounts on systems such as Xero and Google had already been updated to newcorp – but the episode highlighted a major security concern with lapsed domain names.
It might not be obvious, but one concern is that access to digital accounts can allow a hijacker to view private company or employee data, from home addresses to credit card details, and that’s just one example.
Of course, certain domains are harder to register (for example, anyone can register a .com domain but a .com.au domain requires a valid ABN – of course shady types will find ways around this).
Most domain names are an extremely minimal expense, often less than $30 per year.
The scenario above might be unlikely, but for the sake of security, avoiding the pain of a massive fallout, and a few bucks, it might be worth holding on to your old domains rather than letting them lapse.
2024 Impact Labs Australia.