Domain Hijacking
Incident Report for Squarespace
Postmortem

Summary

A limited number of Domains customers had their member accounts compromised, leading to unauthorized changes to their domain settings and DNS records. Squarespace suspended the affected accounts, which temporarily locked those customers out of their logins while we worked to restore access and control. We worked directly with the affected customers to verify their identity and secure their domains.

Timeline and Investigation 

The issue was detected on July 9, 2024 at 10:54 AM ET. We took immediate steps to suspend accounts where malicious behavior was observed and began reverting the nameserver and other changes the attackers had made. The targeted domains, which belonged to cryptocurrency-related businesses, were affected through July 11.

On the morning of July 12, our analysis revealed a weakness related to OAuth logins. We deployed a fix for this weakness on July 12, 2024 at 12:19 PM ET. Our security team immediately began red-team testing against the fix and confirmed that the mitigation was effective. Since then, we have not detected any additional account compromises related to this issue.

Our Customer Support teams worked directly with the impacted customers to safely reestablish access to their accounts. Our team continues to thoroughly investigate any customer reports and rectify any anomalies. We also continue to actively monitor for anomalous behavior and remain committed to the security of our customers and our services.

Throughout this issue, our team received numerous reports from security researchers and from technical teams within our customer community. We are thankful for the support and investigated all reports thoroughly. Below are some clarifications related to these reports.

During this incident, all compromised accounts were using third-party OAuth. Neither Squarespace nor any third-party authentication provider made any changes to authentication as part of our migration of Google Domains to Squarespace. To be clear, the migration of domains involved no changes to multi-factor authentication before, during or after.

To date there is no evidence that Google Workspace accounts were or are at risk, and we have received no customer reports to this effect. As a reseller, Squarespace manages billing but customers access Workspace directly using their Google account.

Our analysis shows no evidence that Squarespace accounts using an email-based login with an unverified email address were involved with this attack.

Remediation and Prevention

Due to the sensitive nature of this security threat, and because the compromised accounts in this event involved changes to MX records, Squarespace quickly suspended accounts when suspicious activity was detected. Control of a domain's MX records means control of its inbound mail, including password-reset and verification messages for other services tied to addresses at that domain, which is why such changes warranted immediate suspension. Account access was restored for each customer after we made secure contact and validated their identity using our standard protocol.
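The attack pattern described in the timeline and remediation sections above, replacing a domain's nameservers and MX records, is something a domain owner can detect independently of the registrar. The following is an added example and not Squarespace's code: it parses dig-style NS/MX answers, compares them with a known-good baseline, and grades the drift. The domain, nameserver and mail hostnames are constructed placeholders, as is the sample "observed" output; in practice the observed text would come from `dig example.com NS` and `dig example.com MX` run on a schedule.

```python
"""Detect unauthorized changes to a domain's delegation (NS) and mail routing (MX).

Added example, not Squarespace code. The baseline and the "observed" answers below
are constructed to resemble `dig +noall +answer` output.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Record:
    rtype: str                      # "NS" or "MX"
    target: str                     # normalized hostname (lowercase, no trailing dot)
    priority: Optional[int] = None  # MX preference; None for NS


def normalize_host(name: str) -> str:
    """DNS names are case-insensitive and dig prints them fully qualified."""
    return name.rstrip(".").lower()


def parse_dig_answer(text: str) -> Set[Record]:
    """Parse dig-style answer lines such as:
         example.com.  3600  IN  NS  ns1.example.net.
         example.com.  3600  IN  MX  10 mail.example.net.
    Other record types and comment lines (';') are ignored."""
    records: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        # owner, ttl, class, type, rdata...
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        rtype = parts[3].upper()
        if rtype == "NS":
            records.add(Record("NS", normalize_host(parts[4])))
        elif rtype == "MX" and len(parts) >= 6:
            records.add(Record("MX", normalize_host(parts[5]), int(parts[4])))
    return records


def classify_drift(baseline: Set[Record], observed: Set[Record]) -> Dict[str, object]:
    """Compare observed records against the known-good set.

    Severity:
      critical  NS set changed: whoever runs the authoritative servers can publish
                any record for the zone, so every other record is under their control.
      high      MX set changed: inbound mail, including password-reset links for
                other services, can be read or redirected by a third party.
      none      no difference.
    """
    added = observed - baseline
    removed = baseline - observed
    changed = added | removed
    ns_changed = any(r.rtype == "NS" for r in changed)
    mx_changed = any(r.rtype == "MX" for r in changed)
    if ns_changed:
        severity = "critical"
    elif mx_changed:
        severity = "high"
    else:
        severity = "none"
    return {
        "severity": severity,
        "added": sorted(added, key=lambda r: (r.rtype, r.target)),
        "removed": sorted(removed, key=lambda r: (r.rtype, r.target)),
    }


# Constructed baseline: what the domain is supposed to publish.
BASELINE = parse_dig_answer("""
example.com. 3600 IN NS ns1.example.net.
example.com. 3600 IN NS ns2.example.net.
example.com. 300  IN MX 10 mail.example.net.
""")

# Constructed answer mimicking a delegation hijack: the NS records were replaced
# and mail now points at a host the owner does not control (.invalid is reserved).
HIJACKED = """
example.com. 300 IN NS ns1.attacker-dns.invalid.
example.com. 300 IN NS ns2.attacker-dns.invalid.
example.com. 300 IN MX 10 mx.attacker-mail.invalid.
"""

# Constructed answer where only MX changed; mixed case and a missing trailing dot
# on the NS names must not produce a false positive.
MX_ONLY = """
example.com. 3600 IN NS NS1.Example.NET.
example.com. 3600 IN NS ns2.example.net
example.com. 300  IN MX 10 mx.attacker-mail.invalid.
"""


def check(observed_text: str) -> Dict[str, object]:
    """Grade a freshly observed answer against BASELINE."""
    return classify_drift(BASELINE, parse_dig_answer(observed_text))


if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED), ("mx-only", MX_ONLY)):
        result = check(text)
        print(label, result["severity"],
              [(r.rtype, r.target) for r in result["added"]])
```

Run it from cron against a resolver you trust and page on anything above "none"; an NS change is the registrar-side takeover described in this report, and an MX-only change is the quieter mail-interception variant that can be used to reset passwords on unrelated services.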

A Final Word

Security and reliability are core parts of our service offering. We take the care of our customers' assets and incidents like this very seriously, and we have learned from it. We have since strengthened our detection capabilities, further hardened our authentication flows, and will continue to add security features to our platform. We strive to improve our systems every day and appreciate your patience as we took the time to investigate, resolve, and provide an update on this issue.

Posted Jul 18, 2024 - 18:19 EDT

Resolved
After discovering suspicious activity impacting a limited number of our Domains customers beginning July 9, 2024, Squarespace took immediate action to investigate and remediate the issue.

As of July 12, 2024 at 12:19 PM ET, there have been no additional issues related to this incident brought to our attention.

A postmortem will follow.
Posted Jul 09, 2024 - 11:00 EDT