Lapsed or expired domains pose a serious security issue for your organisation. The larger and more visible your organisation is, the greater the risk.
When an organisation changes its name, outsiders will see the website and email addresses change from oldcorp.com to newcorp.com.
So now that you no longer need the oldcorp.com domain name, what should you do with it?
If it’s a premium domain, and parting with it doesn’t cause any confusion for your new org, one option might be to have it valued and sold through a domain broker.
From a security standpoint though, my overwhelming recommendation is to hold onto it and not let it lapse.
In around 2018, we supported a client through a rebrand with a name change.
There were several months of crossover where both domains were active, which involved tasks such as replying to straggler emails sent to @oldcorp.com addresses and directing everyone to the @newcorp.com ones.
The “oldcorp.com” domain was not premium and of no further use, so once the email volume dropped, they switched off auto-renewal with their domain host, and at the next billing cycle the oldcorp.com domain simply lapsed.
The analytics team still had the old domain on one of their monitoring systems though, and only weeks later it blinked back to life.
Someone had re-registered it - which wasn't completely unexpected - but some digging revealed that all the previous email addresses had also been reinstated, which was suspicious.
Sending a few emails to those addresses revealed that the new owner was not a legitimate business - they were using the domain to mimic our client.
The first concern was that they might start intercepting emails, which wasn't ideal but had mostly already been dealt with. We pretty quickly realised that wasn't the real problem, though.
Any digital account previously opened with an oldcorp email address was now under threat.
All the hijacker had to do was visit any website, enter the @oldcorp.com email address, hit the "reset password" link, and if an account existed, boom - they were in.
Now, the rebranding process had been thorough - digital accounts on systems such as Xero accounting and Google were already updated to newcorp - but the incident highlighted a major security concern with lapsed domain names.
It might not be obvious, but access to those digital accounts can allow a hijacker to view private company or employee data, from home addresses to credit card details, and that is just one example of the exposure.
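As an added example (not code from the original post), here is the kind of audit a defender would run before letting a domain go: it flags accounts still opened with addresses at the retired domain (including subdomains and mixed case) and flags domains with auto-renew switched off that are about to expire. The account inventory, registrar data and dates are constructed sample values.

```python
from datetime import date, timedelta
from typing import Iterable, List

# Constructed sample inventory: third-party services the organisation uses,
# keyed by the login e-mail the account was opened with.
ACCOUNTS = [
    {"service": "accounting", "login": "finance@oldcorp.com"},
    {"service": "email-suite", "login": "Admin@NewCorp.com"},
    {"service": "payroll", "login": "hr+payroll@Mail.OldCorp.com"},
    {"service": "analytics", "login": "ops@newcorp.com"},
]

# Constructed registrar data for the domains the organisation holds.
DOMAINS = [
    {"name": "oldcorp.com", "expires": date(2018, 9, 1), "auto_renew": False},
    {"name": "newcorp.com", "expires": date(2019, 6, 15), "auto_renew": True},
]


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def in_domain(host: str, apex: str) -> bool:
    """True if host is the apex domain itself or a subdomain of it."""
    return host == apex or host.endswith("." + apex)


def accounts_still_on(retired: Iterable[str], accounts=ACCOUNTS) -> List[dict]:
    """Accounts whose password-reset mail would reach whoever re-registers a retired domain."""
    retired = [d.lower() for d in retired]
    return [a for a in accounts
            if any(in_domain(email_domain(a["login"]), d) for d in retired)]


def lapsing_soon(today: date, days: int = 60, domains=DOMAINS) -> List[str]:
    """Domains with auto-renew off that expire within `days` of today."""
    horizon = today + timedelta(days=days)
    return [d["name"] for d in domains
            if not d["auto_renew"] and d["expires"] <= horizon]


if __name__ == "__main__":
    today = date(2018, 8, 1)  # constructed "current" date for the report
    for name in lapsing_soon(today):
        stragglers = accounts_still_on([name])
        print(f"{name} lapses soon; {len(stragglers)} account(s) still use it:")
        for a in stragglers:
            print(f"  - {a['service']}: {a['login']}")
```

Run it against a real export of your account inventory and registrar data; any domain that appears in the report should either be renewed or have every listed account migrated first.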
Of course, certain domains are harder to register (for example, anyone can register a .com domain, but a .com.au domain requires a valid ABN - though shady types will find ways around this).
Most domain names are an extremely minimal expense, often less than $30 per year.
The scenario above might be unlikely, but for the sake of security, avoiding the pain of a massive fallout, and a few bucks - in most cases I'd suggest holding on to your old domains and never letting them lapse.