London-based entrepreneur, developer and hacker Ben Reyes recently wrote a warning to not let your domain expire with Google Apps, in which he accidentally takes control of a complete stranger’s email. The exact loophole seems mostly closed now, but it’s still a good demonstration of the importance of not letting domains expire if you’ve been using them as a means to confirm your identity.
Wait, What’s Google Apps?
It’s easy to confuse Google Apps with Google’s many other offerings. Let’s clarify. Apps is all of Google’s services on your domain. You can use Gmail, Google Docs and much more, using your own website’s name. So instead of your email address being @gmail.com it will be @yourdomain.com.
We at MakeUseOf use Google Apps for our email accounts, so it’s a service we’re familiar with. Be sure to read the MakeUseOf Guide to Google Apps to find out more about how you can make use of Google Apps.
Let a domain with Google Apps expire though, and you’ve lost access to any and all accounts you have at that domain. Email, calendar, docs – all gone.
When a normal Gmail account (any email address @gmail.com or @googlemail.com) expires, it is retired. That is to say, no one (not even you) can ever use that account name again. From a security standpoint this is ideal. That’s not the case, however, with domain accounts. Due to the way the Internet works, if you let your domain expire, someone else could buy it, and if that domain is in their hands they have the right to use Google Apps on that domain.
If they decide to use that right they could end up with access to your email accounts, your Google documents and more. Or, at least, they could have before Ben wrote the above-linked piece. It seems that Google’s policies have somewhat changed regarding what happens to existing accounts and their user data. With or without such access however, it’s still possible to do what isn’t possible with a normal Gmail account: use an email address which you were using before.
If you’ve been using that email address for, say, Dropbox, the new owner of the domain need only click the “Forgot Your Password?” button to get into your account and access your Dropbox files.
You get the idea. Someone with access to an old domain of yours could get access to more and more layers of your identity, given enough time. The same principle could be used to access almost any online account.
Keep Your Domain
The easiest solution to this problem is simple: don’t let your domain expire. It typically only costs $10 a year to renew a domain, meaning $100 could keep you secure for ten years. Even if you don’t plan on using a particular domain for much longer, the risk of letting it expire once you’ve used it for various services might outweigh the cost of renewing.
Don’t Keep Your Domain
Do you, even after reading this, have no interest at all in renewing a domain you don’t really use anymore? You can still protect yourself.
- Delete all Google Apps user accounts on your domain, exporting your data first if you want to keep it. This will prevent future owners of the domain from accessing your email, documents and other Google Apps under any circumstances.
- Make sure no services containing personal information, be they PayPal, Dropbox or even Facebook, remain tied to an email address on a domain ready to expire. Change your email address in a given service’s settings or delete the account altogether. Don’t leave a door open for any would-be identity thief.
Of course, this applies just as much to any domain on which you have email accounts as it does to Google Apps. Losing access to a domain you’ve been using for email is a problem unless you prepare for it, so don’t be caught unaware – either keep the domain in your hands or delete any user accounts tied to it.
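One way to carry out the audit described in the list above, as an added example that is not part of the original article: it scans a password-manager style export for logins whose email address sits on a domain you own that is about to expire. The CSV column names (`service`, `login`), the domain names and the expiry dates are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample: a password-manager style export (service, login).
SAMPLE_EXPORT = """service,login
Dropbox,me@oldproject.example
PayPal,Me@OldProject.example
Facebook,me@gmail.com
Forum,nickname_only
Calendar,team@mail.oldproject.example
Bank,me@keeper.example
"""

# Constructed sample: registered domains you own and their expiry dates.
SAMPLE_DOMAINS = {
    "oldproject.example": date(2024, 3, 1),
    "keeper.example": date(2030, 1, 1),
}

def owning_domain(email_domain, owned):
    """Return the owned registered domain that covers email_domain, if any."""
    for d in owned:
        if email_domain == d or email_domain.endswith("." + d):
            return d
    return None

def accounts_at_risk(export_csv, domain_expiry, today, window_days=90):
    """List (service, login, domain, days_left) for logins on domains that
    expire within window_days or have already expired (negative days_left)."""
    owned = {d.lower(): exp for d, exp in domain_expiry.items()}
    hits = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["login"].strip()
        if "@" not in login:
            continue  # not an email login; nothing to match against a domain
        email_domain = login.rsplit("@", 1)[1].lower()
        domain = owning_domain(email_domain, owned)
        if domain is None:
            continue  # address is on a domain you do not control (e.g. gmail.com)
        days_left = (owned[domain] - today).days
        if days_left <= window_days:
            hits.append((row["service"], login, domain, days_left))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for service, login, domain, days in accounts_at_risk(
            SAMPLE_EXPORT, SAMPLE_DOMAINS, today=date(2024, 1, 15)):
        print(f"{service}: move {login} off {domain} ({days} days left)")
```

Every account it lists needs its email address changed, or the account deleted, before the domain lapses.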