Do you use Google Apps on your domain for email? Don’t let that domain expire or you could be at serious risk of identity theft. It’s possible that, should your domain expire, all of your old email and any accounts tied to your old email addresses could be easily accessed. This could, in turn, give any would-be hacker simple access to your PayPal, Dropbox or just about any other online account.

London-based entrepreneur, developer and hacker Ben Reyes recently wrote a warning to not let your domain expire with Google Apps, in which he accidentally takes control of a complete stranger’s email. The exact loophole seems mostly closed now, but it’s still a good demonstration of the importance of not letting domains expire if you’ve been using them as a means to confirm your identity.

Wait, What’s Google Apps?

It’s easy to confuse Google Apps with Google’s many other offerings. Let’s clarify. Apps is all of Google’s services on your domain. You can use Gmail, Google Docs and much more, using your own website’s name. So instead of your email address being it will be

We at MakeUseOf use Google Apps for our email accounts, so it’s a service we’re familiar with. Be sure to read the MakeUseOf Guide to Google Apps to find out more about how you can make use of Google Apps.

Let a domain with Google Apps expire though, and you’ve lost access to any and all accounts you have at that domain. Email, calendar, docs – all gone.


The Consequences

When a normal Gmail account (any email address or expires, it is retired. That is to say, no one (not even you) can ever use that account name again. From a security standpoint this is ideal. That’s not the case however, with domain accounts. Due to the way the Internet works, if you let your domain expire, someone else could buy it, and if that domain is in their hands they have the right to use Google Apps on that domain.

If they decide to use that right they could end up with access to your email accounts, your Google documents and more. Or, at least, they could have before Ben wrote the above-linked piece. It seems that Google’s policies have somewhat changed regarding what happens to existing accounts and their user data. With or without such access however, it’s still possible to do what isn’t possible with a normal Gmail account: use an email address which you were using before.

If you’ve been using that email address for, say, Dropbox, the new owner of the domain needs only click the “Forgot Your Password?” button to get into your account and access your Dropbox files.

You get the idea. Someone with access to an old domain of yours could get access to more and more layers of your identity, given enough time. The same principle could be used to access almost any online account.

Keep Your Domain

The easiest solution to this problem is not to let your domain expire. It typically only costs $10 a year to renew a domain, meaning $100 could keep you secure for ten years. Even if you don’t plan on using a particular domain for much longer, the risk of letting it expire once you’ve used it for various services might outweigh the cost of renewing.

Don’t Keep Your Domain

Do you, even after reading this, have no interest at all in renewing a domain you don’t really use anymore? You can still protect yourself.

  • Delete all Google Apps user accounts on your domain, exporting your data first if you want to keep it. This will prevent future owners of the domain from accessing your email, documents and other Google Apps under any circumstances.
  • Make sure no services containing personal information, be they PayPal, Dropbox or even Facebook, remain tied to an email address on a domain ready to expire. Change your email address in a given service’s settings or delete the account altogether. Don’t leave a door open for any would-be identity thief.


Of course, this applies just as much to any domain on which you have email accounts as it does to Google Apps. Losing access to a domain you’ve been using for email is a problem unless you prepare for it, so don’t be caught unaware – either keep the domain in your hands or delete any user accounts tied to it.
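
As an added example (not from the original article), here is a short Python audit for the second step above: it scans a password-manager-style export for login or recovery addresses that sit on a domain you own which has lapsed or is about to. The CSV columns, domain names, dates and the 90-day warning window are all constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: a password-manager style export and the domains
# you own with their registration expiry dates (all values hypothetical).
ACCOUNTS_CSV = """service,login_email,recovery_email
PayPal,me@oldproject.example,
Dropbox,me@personal.example,me@oldproject.example
Facebook,Me@OldProject.Example.,me@personal.example
Newsletter,me@mail.oldproject.example,
Forum,me@personal.example,
"""
DOMAIN_EXPIRY = {
    "oldproject.example": date(2011, 9, 1),
    "personal.example": date(2014, 3, 15),
}


def expiry_for(address, domain_expiry):
    """Expiry date of the owned domain an address lives on, else None."""
    _, at, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()  # domains are case-insensitive
    if not at or not domain:
        return None
    for owned, expiry in domain_expiry.items():
        # Mail on a subdomain (mail.oldproject.example) is lost with the parent.
        if domain == owned or domain.endswith("." + owned):
            return expiry
    return None


def accounts_at_risk(accounts_csv, domain_expiry, today, warn_days=90):
    """Return (service, field, address, expiry) for each login or recovery
    address on a domain that has expired or expires within warn_days."""
    cutoff = today + timedelta(days=warn_days)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        for field in ("login_email", "recovery_email"):
            address = (row.get(field) or "").strip()
            expiry = expiry_for(address, domain_expiry)
            if expiry is not None and expiry <= cutoff:
                findings.append((row["service"], field, address, expiry))
    return findings


if __name__ == "__main__":
    for service, field, address, expiry in accounts_at_risk(
            ACCOUNTS_CSV, DOMAIN_EXPIRY, today=date(2011, 8, 7)):
        print(f"{service}: change {field} {address} (domain expires {expiry})")
```

Recovery addresses are checked as well as logins, because a "Forgot Your Password?" link sent to a recovery address on the lapsed domain opens the account just the same.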

  1. Ankur
    August 7, 2011 at 4:04 am

    That is a serious flaw. There should be some check to determine whether the new owner is the same as who registered it earlier, and then only emails should be given back.

    • jhpot
      August 17, 2011 at 5:24 pm

      Google implemented a system like this since this hack got out, but it's still best practice to hang on to the domain or deactivate Google Apps before a domain expires.