Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I've been considering the historical aspect of social networks and "personal pages" as an attack vector for a while (with respect to bad practice for removal). What happens when person "xyz" registers a domain, builds a personal site, and begins to signup for "whatever.com" under that email and then the domain lapses?

Re-registering the domain would be easy and capturing/selling the credentials would be easy. Once you get an email running a "forgot password" on the "to" address across the top 500 domains might yield something fun. Also catching these specific type domains in drop would be easy with firstname/lastname scan. Cheap as well. Basically fraud based domain squatting.



Similar concerns were raised a couple of years ago when Yahoo thought (foolishly) that it would be a good idea to "recycle" email addresses:

http://www.cnn.com/2013/06/20/tech/web/yahoo-recycled-email/


Do they still do it? That's horrific


Hotmail/Outlook used to(?) do this as well.

I had an account expire ~10 years ago. Somebody else registered the address and used it for several years, then eventually let it expire as well. Last year, I re-registered it, and used it to recover access to an account I created a long long time ago.


I'm still trying to recover my neopets account from 15 years ago, I used a bad birthdate


Actually, this is not a new idea. Entire block of IP adresses are known to have been highjacked this way and are now used for spam purposes. Squatters reclaim the block with various ploys including registering an abandoned domain name to accept email to the point-of-contact domain contact. [0]

[0] https://www.spamhaus.org/faq/section/DROP%20FAQ#258


I know it's kinda a life commitment, but if I ever used a domain as an identity representation of me... I'm going to keep it forever.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: