Scammers hijack hundreds of university subdomains to serve porn

By Harsh Desai

TL;DR

Scammers hijacked hundreds of subdomains from dozens of universities due to poor maintenance. Vibe builders and SMBs: audit your subdomains to avoid similar domain risks.

Scammers have successfully hijacked hundreds of subdomains belonging to prestigious universities to host illicit content. This breach occurred because these institutions left abandoned subdomains pointing to expired third-party services or forgotten cloud storage buckets. When a DNS record points to a service that no longer exists, attackers can claim that space and host their own content under the trusted reputation of the original domain. This tactic exploits the inherent trust search engines and users place in established educational websites.

For small business owners and builders, this serves as a wake-up call regarding digital hygiene. You likely have old marketing landing pages or forgotten project subdomains that are no longer actively managed. If these records still point to legacy hosting providers or expired SaaS tools, you are effectively leaving your digital front door unlocked. Attackers use automated tools to scan for these dangling records, and once they gain control, they can damage your search engine rankings or distribute malicious software.

Take immediate action by auditing your DNS records today. Identify every subdomain you own and verify that it points to an active, secure destination. If you find a record that is no longer in use, delete it from your DNS provider immediately. Do not assume that a forgotten project is harmless, as your domain reputation is a valuable asset that requires constant maintenance.
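
One way to run the audit described above, as an added example that is not from the original article or its source: a Python sketch that reads a zone export and flags CNAME records whose target no longer resolves (DANGLING) or that still point at a live third-party host (REVIEW). The zone contents, hostnames and the `SAMPLE_LIVE` set are constructed, and the parser assumes every record line carries an explicit owner name.

```python
import socket

# Constructed BIND-style zone export; all names are illustrative placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
www    3600 IN A     192.0.2.10
docs   3600 IN CNAME www
promo  3600 IN CNAME old-campaign.saas-vendor.example.
files  3600 IN CNAME assets-bucket.storage.example.
lab    3600 IN CNAME lab-site.hosting.example.  ; retired project
"""
# Constructed stand-in for "targets that still resolve", so the demo runs offline.
SAMPLE_LIVE = {"www.example.edu", "assets-bucket.storage.example"}

def qualify(name, origin):
    """Expand a zone-file name to a lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def system_resolves(host):
    """True if the local resolver returns any address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:  # includes NXDOMAIN; re-check before deleting
        return False

def audit(zone_text, resolves=system_resolves):
    """Return (subdomain, target, verdict) for CNAMEs that need attention."""
    origin, findings = "", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
        elif len(fields) >= 3 and fields[-2].upper() == "CNAME":
            name, target = qualify(fields[0], origin), qualify(fields[-1], origin)
            if not resolves(target):
                findings.append((name, target, "DANGLING"))
            elif target != origin and not target.endswith("." + origin):
                findings.append((name, target, "REVIEW"))  # third-party, still live
    return findings

if __name__ == "__main__":
    for name, target, verdict in audit(SAMPLE_ZONE, SAMPLE_LIVE.__contains__):
        print(f"{verdict:8} {name} -> {target}")
```

A target that still resolves can be abandoned all the same, for example a forgotten storage bucket behind a provider hostname, so REVIEW entries need a manual check at the provider.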

Who this matters for

  • Developers: Audit your DNS records today to remove any subdomains pointing to expired SaaS tools.

What to watch next

This is a classic case of digital laziness biting back. Most founders are obsessed with shipping new features but ignore the boring infrastructure that keeps their brand safe. If you have a graveyard of old subdomains from past experiments, you are sitting on a security liability. Attackers do not care about your mission; they care about your domain authority.

Stop treating your DNS settings like a set-it-and-forget-it task. If you are not using a subdomain, delete the DNS record. It takes thirty seconds to clean up, but it could save you weeks of reputation repair if your site starts serving spam or malware. If you cannot manage your own infrastructure, you have no business building on the web.

Source: arstechnica.com