Major Security Breach at Squarespace: A Threat to Domain Registrations
Squarespace has acknowledged a wave of domain hijackings affecting registrations it took over when it acquired Google Domains' customer base. The incident, first observed on or around July 10, 2024, left a number of migrated domains under the control of an as yet unidentified threat actor, and it raises serious questions about the security of accounts created during the transition.
The attackers gained unauthorized access to Squarespace accounts belonging to migrated domains. Once inside, they could change DNS records and redirect web traffic and email to servers they controlled. The exact method remains unclear; initial reports point to weaknesses in the account-migration process itself, alongside the usual suspects of compromised email accounts and reused passwords.
With administrative control of the account, the attackers went straight for DNS. By swapping nameservers or editing individual records, they pointed site content (A records) and inbound mail (MX records) at their own infrastructure. Controlling inbound mail is what makes a registrar takeover so damaging: password-reset messages for every other service tied to the domain now land in the attacker's mailbox, so each hijacked domain became a foothold for further account takeovers.
Where a domain had Google Workspace attached, the attackers also abused the reseller access Squarespace holds over those tenants (inherited from Google Domains) to add new Workspace administrators, and where no tenant existed they created one on the hijacked domain. This extended their control from the domain itself to the identities and mailboxes behind it.
Squarespace, together with the security researchers who analyzed the hijacks, has issued urgent recommendations for affected users:
- Enable Two-Factor Authentication (2FA): Log in to Squarespace, set a fresh, unique password, and enable 2FA on the account.
- Remove Unnecessary Contributor Accounts: The migration auto-created contributor accounts, and each one is a login an attacker can target. Audit them and revoke access for any contributor who no longer needs it.
- Disable Reseller Access: Disable reseller access to your Google Workspace tenant in the Workspace Admin console, following the guidance in the advisory, so a compromised registrar account can no longer add Workspace administrators.
- Review and Revert DNS Changes: Compare the domain's NS, A/AAAA, MX and TXT records against a known-good copy and revert anything unexpected; check MX and NS first, since those are the records the attackers changed to intercept mail and take over zones.
- Audit Account Permissions: Remove unnecessary administrators and owners, especially those tied to outdated or unmonitored email addresses, since those mailboxes are where reset links would go.
- Monitor Settings for Anomalies: Review every account setting (contact emails, recovery options, connected services) for unexpected changes and remove anything unfamiliar.
- Consider Alternative Registrars: Users who want stronger guarantees are advised to move their domains to registrars such as Cloudflare Registrar, Amazon Route 53, MarkMonitor, or CSC.
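A practical way to do the DNS review in the list above, and to keep doing it afterwards, is to diff the records a domain currently publishes against a snapshot taken while they were known to be good. The Python script below is an added example written for this page; it is not code from Squarespace or from the researchers who analyzed the hijacks. The domain, addresses and record values in it are constructed (RFC 2606 names, RFC 5737 address ranges), the severity table is the author's judgement, and the optional live lookup assumes the third-party dnspython package (`dns.resolver.resolve`); everything else runs offline.

```python
"""Baseline-vs-observed DNS comparison for catching a registrar-account hijack.

All names, addresses and record values in BASELINE and OBSERVED are constructed
for this example; they are not records from any real domain or incident.
"""
from __future__ import annotations

from dataclasses import dataclass

# Severity of an unexpected change, per record type (assumed for this example).
# NS: the whole zone is delegated elsewhere.  MX: inbound mail, including the
# password-reset messages for every service tied to the domain, goes elsewhere.
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high", "AAAA": "high",
            "CNAME": "high", "TXT": "medium"}
RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

Zone = dict[str, dict[str, list[str]]]  # owner name -> record type -> values


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    severity: str
    expected: tuple[str, ...]
    observed: tuple[str, ...]


def normalize(rtype: str, value: str) -> str:
    """Canonicalize one record value so cosmetic differences do not alert.

    Hostnames are case-insensitive and may or may not carry the trailing dot;
    MX text is "<preference> <exchange>"; TXT may or may not be quoted.
    """
    v = value.strip()
    if rtype in ("NS", "CNAME"):
        return v.lower().rstrip(".")
    if rtype == "MX":
        pref, exchange = v.split(None, 1)
        return f"{int(pref)} {exchange.lower().rstrip('.')}"
    if rtype == "TXT":
        return v.strip('"')
    return v.lower()  # A/AAAA: lowercasing folds IPv6 hex digits


def diff_zone(baseline: Zone, observed: Zone) -> list[Finding]:
    """One Finding per (name, rtype) whose record set differs after normalization.

    Sets are compared, so record order and TTL never matter; only content does.
    """
    findings: list[Finding] = []
    for name in sorted(set(baseline) | set(observed)):
        b_types, o_types = baseline.get(name, {}), observed.get(name, {})
        for rtype in sorted(set(b_types) | set(o_types)):
            exp = frozenset(normalize(rtype, v) for v in b_types.get(rtype, []))
            obs = frozenset(normalize(rtype, v) for v in o_types.get(rtype, []))
            if exp != obs:
                findings.append(Finding(name, rtype, SEVERITY.get(rtype, "low"),
                                        tuple(sorted(exp)), tuple(sorted(obs))))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity among the findings, or 'none' when the zone matches."""
    if not findings:
        return "none"
    return max((f.severity for f in findings), key=RANK.__getitem__)


def snapshot_live(zone_names: dict[str, list[str]]) -> Zone:
    """Fetch current records with dnspython (pip install dnspython); needs network.

    Run once while the domain is known-good to produce BASELINE, then on a
    schedule to produce OBSERVED.  The offline demo below does not call it.
    """
    import dns.resolver  # third-party; imported here to keep the offline path dependency-free

    zone: Zone = {}
    for name, rtypes in zone_names.items():
        for rtype in rtypes:
            try:
                answer = dns.resolver.resolve(name, rtype)
            except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
                continue
            zone.setdefault(name, {})[rtype] = [r.to_text() for r in answer]
    return zone


# Constructed known-good snapshot taken before the hijack.
BASELINE: Zone = {
    "example.com": {
        "NS": ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
        "A": ["192.0.2.10"],
        "MX": ["1 mx1.mail-provider.example.", "5 mx2.mail-provider.example."],
        "TXT": ['"v=spf1 include:_spf.mail-provider.example ~all"'],
    },
    "www.example.com": {"CNAME": ["cdn.hosting-provider.example."]},
}

# Constructed "now" snapshot: web traffic and mail redirected, and a new TXT
# record of the kind used to prove domain ownership to a hosted service.  The
# NS and CNAME values differ only in case, order and trailing dot; no alert.
OBSERVED: Zone = {
    "example.com": {
        "NS": ["NS2.dns-provider.example", "NS1.dns-provider.example"],
        "A": ["203.0.113.7"],
        "MX": ["10 mx.attacker-controlled.example."],
        "TXT": ["v=spf1 include:_spf.mail-provider.example ~all",
                '"verification=c0ffee"'],
    },
    "www.example.com": {"CNAME": ["CDN.Hosting-Provider.Example"]},
}

if __name__ == "__main__":
    found = diff_zone(BASELINE, OBSERVED)
    for f in found:
        print(f"[{f.severity}] {f.name} {f.rtype}: expected {list(f.expected)}, observed {list(f.observed)}")
    print("worst severity:", worst_severity(found))
```

The normalization step is what keeps this usable as a recurring check: a provider that returns names in a different case or without the trailing dot, or that rotates record order, would otherwise page you every run and train you to ignore the alert that matters. Treat any critical finding as an incident, not a configuration drift, and re-verify the MX and NS records at the registrar before trusting password-reset mail for anything else on the domain.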