Don’t abandon that domain name

Email holds the keys to the kingdom. All your password resets go through email, and abandoning an old domain name makes it easy for attackers to re-register the old domain and get your stuff.

The problem is especially grave for law firms, where partnerships form, dissolve, and merge often, security researcher Gabor Szathmari points out. A merger or acquisition typically involves either new branding for the new firm, with a new domain name to match, or the acquired firm dropping its old branding and domain name. Letting those old domains expire is dangerous.

“In the US, 2017 was a record year for top-tier law firm mergers with 102 mergers or acquisitions in the year,” Szathmari writes. “At the small legal practice level, the number is likely to be in the thousands.”

To test just how bad the problem is, Szathmari re-registered old domain names for several law firms that had merged and set up an email server. Without hacking anything, he says, he received a steady stream of confidential information, including bank correspondence, invoices from other law firms, sensitive legal documents from clients, and updates from LinkedIn. (Szathmari is working to return the affected domain names to their original owners.)