Yahoo!'s plans to offer email addresses that have not been used for a while to new owners is a potential security disaster. That's because anyone who gets hold of a 'second hand' email address could receive sensitive information intended for the previous owner, including password reminders and other confidential information.
Your business could face the same security disaster if you decide to give up one or more of the domain names (opens in new tab) it have been using. That's because anyone who subsequently buys the domain name will receive those emails.
The real security risk arises if you used an email address from your old domain as a username for a business cloud service - anything from cloud data and document storage to online CRM or accounting applications. You may have forgotten which email address you used when you signed up if your browser logs you on to the service automatically.
The risk stems from the fact that many services allow you to reset your password if you forget it by sending a message with a reset link to your email address. If the new owner of your domain now receives those emails, they can request a password reset and gain access to the account and any confidential information it contains, while locking you out of it.
If the person who buys your old domain is really malicious, they could even impersonate you and steal your businesses' other domain names. That's because when you register a domain name you provide a contact email address, and if the new owner controls that email address they could reset your registrar account password, change the ownership and contact details of your domains and move them to a new domain name registrar. Even if you are clearly entitled to those domain names (because it is your brand or company name) it could then be a lengthy and expensive process to regain ownership of it.
Aside from the security argument, dropping a domain name can lead to lost business. That's because if some customers previously accessed your website using that domain name, then if you give up the domain name they might not be able to find you. Worse, anyone who buys the domain name after you give it up could redirect your customers to their own or a competitor's site. There may also be other sites that have links to your old domain name - anyone clicking on those links will no longer be directed to your website.
There are many reasons why you might be tempted to give up domains: a better domain might become available, your business's name may have changed following a merger or acquisition, or you may have registered your company name and brands with many different suffixes (such as .co.uk, .com, .biz, .tv) in the past and now decide to rationalise this down to just one or two. "The most common reason is that companies want to cut down their domain names to save some money," says Christopher Hofman, founder of registrar European Domain Name Centre
But if you have already registered multiple domains then Hofman believes you should resign yourself to the fact that you are stuck with them forever. "Because of the email security problem you should retain them. The cost of keeping them is nothing compared to the potential cost of a security breach," he says.
For that reason, he believes you should think twice before registering domains you don't really need. "As a UK company you would want to register .com and .co.uk. But I don't really see any value in going out and registering .biz, for example," he says.
Even if you are prepared to keep on any domains you own forever, all the security risks discussed above apply if for any reason you fail to renew a domain when it comes due.
To help prevent the accidental loss of one of your domain names:
- Set up a regular renewal procedure Set your own repeating reminders for domain names (for example in Outlook) in case reminder emails from your registrar are overlooked.
- Register your domains for no longer than two years It's best to renew your domains for short periods of time (one or two years) rather than five or 10 to ensure you don't lose track and forget about domains and their renewal processes. Horror stories abound about startups that register their domain names for ten years, and ten years later the founder is no longer around and the domain name can't be renewed.
- Synchronise your domain names If all your domain names are registered with the same registrar it is often possible to have them synchronized so they all fall due for renewal at the same time. This makes them easier to administer - but there is the risk that you could lose all of your domains if you fail to renew them and they all expire at the same time.
- Update the contact details held by your registrar regularly If the person responsible for domain name registration in your organization leaves, it's important to update this information to ensure that renewal reminders are received by whoever takes over this role. It's also not sensible to use a named employee's email address as a contact address in case they leave - it's better to use a generic email address like domains@[yourcompany.co.uk]
- Use two factor authentication If your registrar offers it, use a security token or one time code delivered by text message as well as a password to secure the account with your registrar. This can help avoid multiple domain names being hijacked if someone manages to get a password reset message sent to an email account they gain control over.
- Don't use free email addresses as contact details As Yahoo! users have discovered, some free services give away email addresses of they are not used regularly. That makes it very unwise to use a free email address as a contact or password reminder address for your domain names.
Now why not read Why responsive website design matters