The Issue of Expired Domains
Cybersecurity is a constantly evolving field in which the security measures of today can be ineffective tomorrow. Domain names, the foundation of an organisation's web and email addresses, are registered for fixed terms and must be renewed. A domain that is not renewed expires and, after a grace period, becomes available for anyone to register. Whoever registers it then receives all mail still sent to addresses under that domain. This investigation set out to explore the consequences of such expired domains and of the cloud accounts still tied to their email addresses.
The Investigation’s Approach
Inti De Ceukelaire's investigation focused on acquiring domain names that had previously belonged to a range of institutions, including social welfare and justice organisations. He targeted domains that had lapsed for reasons such as bankruptcy, mergers, or rebranding: among them, domains of Belgian municipalities that had merged and adopted a new name, and domains of bankrupt publicly listed companies.
Findings and Patterns
Upon purchasing over 100 expired domains for approximately €850, Inti discovered several alarming patterns:
- OCMW (Openbaar Centrum voor Maatschappelijk Welzijn, the public social welfare centres): 44 expired domains, once used by institutions providing social services.
- CAW (Centrum Algemeen Welzijnswerk): 12 expired domains, tied to institutions offering psychosocial support.
- CLB (Centrum voor Leerlingenbegeleiding): 12 expired domains, associated with student support services.
Additionally, domains from psychiatric hospitals, police zones, and local courts were also found to be expired and repurposed.
Accessing Sensitive Data
Owning these domains meant that Inti received every email still sent to addresses under them, including mail for addresses that were the registered login or recovery address of active cloud accounts. Using the 'Forgot password' function of popular cloud services, he could confirm that many of these accounts still existed: the services sent password reset links for numerous Dropbox, Google Drive, OneDrive, and other accounts straight to his mailbox. Because email is the recovery factor for these accounts, each such link is a complete account takeover for anyone who controls the domain, which demonstrates the potential for unauthorised access to the sensitive data stored in them.
The Scope of Sensitive Information
The emails received by Inti included extremely sensitive information:
- Confidential justice information
- Payment reminders for individuals in debt
- Health and social situation reports
- Official documents and meeting invites
This influx of sensitive data underscores the significant risk posed by expired domains, particularly those once used by institutions serving vulnerable populations: the people whose data is involved have no way of knowing that mail about them is now delivered to a stranger.
Preventative Measures and Recommendations
To contain the risk, Inti disabled incoming email for these domains after the investigation and informed the Centre for Cybersecurity Belgium (CCB), which subsequently notified the previous owners.
This investigation highlights the need for structural changes in how expired domains are managed:
- Enforcing multifactor authentication (MFA) on cloud accounts, so that a password reset link landing in the wrong mailbox is not on its own enough to take over the account
- Ensuring secure decommissioning of domains before they lapse: re-point or close every account registered under the domain, set up mail forwarding or bounce handling, and keep the registration as long as mail may still arrive
- Establishing policies for the lifecycle management of domain names, especially those linked to sensitive services, including an inventory of every domain an organisation has ever used and of the third-party accounts tied to each
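The decommissioning and inventory steps above come down to one question: which third-party accounts use a recovery mailbox on a domain we are about to lose, or have already lost? The following script, added here as a worked example and not part of the original investigation, joins a domain inventory against a list of cloud accounts and ranks the accounts by exposure. All domain names, addresses, expiry dates and services in it are constructed sample data, and the `mfa_enabled` and `mx_hosted` fields are assumptions about what an organisation's inventory would record; it runs offline and makes no registry or DNS queries.

```python
"""Orphaned-account check for a domain inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DomainRecord:
    name: str
    expires: Optional[date]   # None: registration no longer ours / unknown
    mx_hosted: bool           # True if inbound mail still lands in our mailboxes


@dataclass(frozen=True)
class CloudAccount:
    service: str
    email: str                # login / recovery address registered at the service
    mfa_enabled: bool


def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(domain: DomainRecord, today: date, warn_days: int = 90) -> str:
    """expired | expiring | ok, judged on the registry expiry date only."""
    if domain.expires is None or domain.expires < today:
        return "expired"
    if domain.expires - today <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def lookup(by_name: dict, dom: str) -> Optional[DomainRecord]:
    """Match the address domain or any parent of it (mail.example.be -> example.be)."""
    labels = dom.split(".")
    for i in range(len(labels) - 1):
        rec = by_name.get(".".join(labels[i:]))
        if rec is not None:
            return rec
    return None


# How much each condition contributes to exposure; no MFA adds one more point.
WEIGHT = {"expired": 2, "expiring": 1, "unknown-domain": 1, "mail-not-hosted": 1}
SEVERITY = {3: "high", 2: "medium", 1: "low"}


def find_at_risk_accounts(domains: List[DomainRecord], accounts: List[CloudAccount],
                          today: date, warn_days: int = 90) -> List[Tuple[str, str, str, str]]:
    """Return (severity, status, service, email) for every account that needs action."""
    by_name = {d.name.lower(): d for d in domains}
    findings = []
    for acct in accounts:
        rec = lookup(by_name, email_domain(acct.email))
        if rec is None:
            status = "unknown-domain"        # not in the inventory: a shadow address
        else:
            status = classify(rec, today, warn_days)
            if status == "ok" and not rec.mx_hosted:
                status = "mail-not-hosted"   # still registered, but reset mail goes elsewhere
        if status == "ok":
            continue
        # Without MFA, whoever receives mail for the domain can reset the password
        # outright; with MFA the reset link alone is not enough.
        score = WEIGHT[status] + (0 if acct.mfa_enabled else 1)
        findings.append((SEVERITY[score], status, acct.service, acct.email.lower()))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f[0]], f[3]))
    return findings


# Constructed sample inventory (fictional names; not data from the investigation).
TODAY = date(2024, 6, 1)
SAMPLE_DOMAINS = [
    DomainRecord("sociaalhuis-example.be", date(2023, 12, 31), mx_hosted=False),  # lapsed
    DomainRecord("gemeente-example.be", date(2024, 7, 15), mx_hosted=True),       # 44 days left
    DomainRecord("nieuwegemeente-example.be", date(2026, 1, 1), mx_hosted=True),  # healthy
    DomainRecord("archief-example.be", date(2026, 3, 1), mx_hosted=False),        # no MX for us
]
SAMPLE_ACCOUNTS = [
    CloudAccount("Dropbox", "archief@sociaalhuis-example.be", mfa_enabled=False),
    CloudAccount("Google Drive", "Secretariaat@Gemeente-Example.be", mfa_enabled=True),
    CloudAccount("OneDrive", "ict@nieuwegemeente-example.be", mfa_enabled=True),
    CloudAccount("Dropbox", "bestuur@mail.sociaalhuis-example.be", mfa_enabled=True),
    CloudAccount("Trello", "jan@personal-mail-example.com", mfa_enabled=False),
    CloudAccount("OneDrive", "scans@archief-example.be", mfa_enabled=False),
]

if __name__ == "__main__":
    for severity, status, service, email in find_at_risk_accounts(SAMPLE_DOMAINS, SAMPLE_ACCOUNTS, TODAY):
        print(f"{severity:6} {status:16} {service:12} {email}")
```

The report is sorted so that the first line is the case from the investigation: an account with no MFA whose recovery address sits on a domain that has already lapsed. Addresses on domains absent from the inventory are flagged too, since an account registered under a forgotten or personal domain is exactly the kind that outlives the organisation's control of its mail. In practice the inventory would be fed from the registrar's expiry data and an export of the organisation's SaaS accounts rather than from the constants above.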
Conclusion
Inti De Ceukelaire's investigation reveals a structural weakness in domain management practices: an organisation's data remains reachable through its old email addresses long after the organisation itself has closed, merged or been renamed. Treating domain names as assets with a managed lifecycle, and cloud accounts as something to be decommissioned alongside them, would keep sensitive citizen data from ending up in the mailbox of whoever registers the name next.