Subdomain takeovers are one of the most overlooked — and most exploited — attack vectors on the web today. They're easy to find, easy to exploit, and small businesses and enterprises alike leave themselves wide open.
Here's the unsettling truth: when you register a domain, you're not just responsible for the main site. Every subdomain you create — api.yoursite.com, staging.yoursite.com, docs.yoursite.com — is your responsibility too. And attackers know it.
A subdomain takeover happens when a DNS record (usually a CNAME) points to a service you've abandoned — like a GitHub Pages site you deleted, a Heroku app you let expire, or an AWS S3 bucket you removed. An attacker notices the dangling DNS record, claims the target service, and now your subdomain points to their content.
The consequences range from phishing campaigns that abuse your brand reputation to full cookie-based session hijacking. Here's what this attack looks like in practice.
A CNAME record points to yoursite.github.io, but the GitHub Pages site was deleted. An attacker creates a new GitHub Pages site that answers for that same address and serves malicious content under your subdomain. Your users see secure.yoursite.com — but it's not your server.
Real example: A financial services firm had portal.yoursite.com pointing to a GitHub Pages site that hadn't been maintained in 2 years. Security researchers found it, claimed the GitHub Pages site, and demonstrated full credential capture.
Dev teams spin up Heroku apps for testing, then forget to take them down or remove the DNS entry. The CNAME still points to yourapp.herokuapp.com. An attacker deploys a fake login portal there. Your subdomain — which users trust — becomes a credential harvesting tool.
DNS points assets.yoursite.com → yoursite-assets.s3.amazonaws.com. You deleted the bucket. An attacker creates a new bucket with that exact name and hosts phishing content. Your users get served malicious files from what appears to be your domain.
A CNAME like store.yoursite.com points to your Shopify store. You cancel Shopify. The subdomain still resolves — but now points to a default Shopify placeholder. Attackers have claimed abandoned Shopify store subdomains and used them for phishing campaigns.
If you used WordPress.com's custom domain feature and then let the site expire, your CNAME still points there. Claiming the subdomain is as simple as creating a new free WordPress.com account and claiming the URL.
CloudFront distributions get deleted but the DNS record remains. Attacker creates a distribution with the same domain — or uses a different domain that CloudFront accepts — and your subdomain now serves their content through AWS's infrastructure.
Enterprise environments often have dozens of Azure App Service instances that get decommissioned without cleaning DNS. Azure's default domain (yourapp.azurewebsites.net) is claimable after the service is deleted.
Pantheon hosts Drupal and WordPress sites with a predictable domain structure. When sites are migrated or deleted, the subdomain remains pointing to a Pantheon domain you no longer own.
A custom domain points to a Tumblr blog that has been deleted. An attacker creates a Tumblr account and reassigns that custom domain to it. Lower risk, but used in targeted phishing campaigns.
Then there are the CNAMEs that were set up for A/B testing tools, analytics platforms, or CDN validations that are no longer in use. They linger indefinitely because no one knows who owns them. Each one is a potential takeover.
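The dangling-record checks the cases above describe, as an added example that is not part of the original article or of EdgeIQ's scanner: a small Python audit that follows each record's CNAME chain, flags a target that no longer resolves (the Azure case), and, for targets that do resolve to a third-party provider, looks for the provider's "unclaimed" placeholder in what the subdomain actually serves (the GitHub Pages, Heroku, S3 and Shopify cases). The DNS lookup and HTTP fetch are injected as functions so the logic runs offline against a constructed zone; the hostnames, response bodies and IPs (taken from the 203.0.113.0/24 documentation range) are made up, and the strings in PROVIDER_FINGERPRINTS are assumed for illustration and should be replaced with whatever each provider currently returns.

```python
"""Dangling-CNAME audit (added example). Resolver and fetch are injected so the
logic runs offline against the constructed SAMPLE_ZONE below."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Record = Optional[Tuple[str, str]]   # ("CNAME", target) | ("A", ip) | None when the name does not exist
Lookup = Callable[[str], Record]
Fetch = Callable[[str], str]         # body served when the subdomain itself is requested ("" if unreachable)

# CNAME target suffixes for the providers named in the article, mapped to the text such a
# provider shows when the name is unclaimed. The strings are ASSUMED for illustration:
# verify each against the provider's current response before relying on it. An empty
# string means the provider drops the DNS name entirely, so NXDOMAIN is the signal.
PROVIDER_FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
    "myshopify.com": "Sorry, this shop is currently unavailable",
    "wordpress.com": "Do you want to register",
    "cloudfront.net": "The request could not be satisfied",
    "azurewebsites.net": "",
    "pantheonsite.io": "The gods are wise",
    "tumblr.com": "There's nothing here",
}


@dataclass
class Finding:
    name: str
    status: str          # ok-first-party | ok-claimed | dangling-nxdomain | dangling-unclaimed | no-record | cname-loop
    chain: List[str] = field(default_factory=list)
    provider: Optional[str] = None


def match_provider(host: str) -> Optional[str]:
    """Return the fingerprint key whose suffix matches `host`, if any."""
    host = host.rstrip(".").lower()
    for suffix in PROVIDER_FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify(name: str, lookup: Lookup, fetch: Fetch, max_hops: int = 8) -> Finding:
    """Follow the CNAME chain from `name` and decide whether the record is dangling."""
    chain = [name]
    current = name
    for _ in range(max_hops):
        rec = lookup(current)
        if rec is None:
            if current == name:                    # the record itself is gone: nothing to take over
                return Finding(name, "no-record", chain)
            # A target in the chain no longer exists: classic dangling CNAME (e.g. a deleted Azure app)
            return Finding(name, "dangling-nxdomain", chain, match_provider(current))
        kind, value = rec
        if kind == "CNAME":
            if value in chain:
                return Finding(name, "cname-loop", chain + [value])
            chain.append(value)
            current = value
            continue
        # Terminal address record: the target resolves. If it belongs to a third-party
        # provider, check what the subdomain actually serves for the "unclaimed" banner.
        provider = match_provider(current)
        if provider is None:
            return Finding(name, "ok-first-party", chain)
        fingerprint = PROVIDER_FINGERPRINTS[provider]
        if fingerprint and fingerprint in fetch(name):
            return Finding(name, "dangling-unclaimed", chain, provider)
        return Finding(name, "ok-claimed", chain, provider)
    return Finding(name, "cname-loop", chain)      # exceeded max_hops without reaching an address


def audit(zone: Dict[str, Tuple[str, str]], bodies: Dict[str, str], owned: str) -> Dict[str, Finding]:
    """Classify every name in `zone` under `owned`, using the zone itself as the resolver."""
    return {n: classify(n, zone.get, lambda host: bodies.get(host, ""))
            for n in sorted(zone) if n.endswith("." + owned)}


# Constructed sample zone and responses; nothing here is a real deployment.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.yoursite.com": ("A", "203.0.113.10"),
    "secure.yoursite.com": ("CNAME", "yoursite.github.io"),
    "yoursite.github.io": ("A", "203.0.113.20"),
    "store.yoursite.com": ("CNAME", "yoursite.myshopify.com"),
    "yoursite.myshopify.com": ("A", "203.0.113.30"),
    "dev.yoursite.com": ("CNAME", "yourapp.azurewebsites.net"),   # target deliberately absent: NXDOMAIN
    "loop.yoursite.com": ("CNAME", "loop2.yoursite.com"),
    "loop2.yoursite.com": ("CNAME", "loop.yoursite.com"),
}
SAMPLE_BODIES: Dict[str, str] = {
    "secure.yoursite.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "store.yoursite.com": "<h1>Welcome to the store</h1>",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, SAMPLE_BODIES, "yoursite.com").values():
        print(f"{finding.status:20} {' -> '.join(finding.chain)}")
```

To run it against a real zone, replace `zone.get` with a resolver that returns the CNAME or A answer (or None on NXDOMAIN) and the body lambda with an HTTPS GET of the subdomain itself, so the provider sees the subdomain in the Host header. Fingerprints change, so treat "ok-claimed" as "no placeholder seen today", not as proof the service is still yours; the chain is printed so the owner of each record can confirm.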
Here's the scary part: finding vulnerable subdomains takes less than 10 minutes with free tools. The process:
yoursite.com in seconds.

Run a Certificate Transparency scan of your domain every month. Any subdomain pointing to an abandoned or decommissioned service is a risk. Tools like EdgeIQ's Subdomain Hunter make this fast — the free tier covers most small business needs.
Cleaning up DNS when you decommission a service sounds obvious, but it's almost never done. DNS cleanup is a release step: it should happen every time you take down a service. Document your DNS records and assign ownership for each one.
A Certificate Authority Authorization (CAA) record limits which CAs can issue certificates for your domain. This reduces the CT log exposure problem somewhat — but doesn't eliminate it entirely.
Set up alerts for new subdomains appearing in CT logs for your domain. New subdomains = new attack surface. If you didn't create it, investigate immediately.
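One way to build the monthly CT scan and the new-subdomain alert described above, as an added example rather than the article's or EdgeIQ's own tooling: it parses records in the JSON shape crt.sh returns for `output=json` (an array of objects whose `name_value` field holds newline-separated certificate names), strips wildcard prefixes and case, keeps only names under your domain so lookalikes such as yoursite.com.evil.example are ignored, and diffs the result against an inventory of the subdomains you know you created. SAMPLE_CT_JSON and INVENTORY are constructed, including the issuer names.

```python
"""CT-log inventory diff (added example). Parses crt.sh-style JSON and reports
names you did not create. All sample data below is constructed."""
import json
from typing import Iterable, List, Set

# Constructed sample in the shape crt.sh returns for ?q=%25.yoursite.com&output=json:
# one object per logged certificate, name_value holding newline-separated names.
SAMPLE_CT_JSON = r"""[
  {"issuer_name": "C=XX, O=Example CA, CN=Example CA 1", "common_name": "yoursite.com",
   "name_value": "yoursite.com\nwww.yoursite.com",
   "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
  {"issuer_name": "C=XX, O=Example CA, CN=Example CA 1", "common_name": "*.staging.yoursite.com",
   "name_value": "*.staging.yoursite.com",
   "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"},
  {"issuer_name": "C=XX, O=Example CA, CN=Example CA 2", "common_name": "portal.yoursite.com",
   "name_value": "portal.yoursite.com",
   "not_before": "2022-03-01T00:00:00", "not_after": "2023-03-01T23:59:59"},
  {"issuer_name": "C=XX, O=Example CA, CN=Example CA 1", "common_name": "api.yoursite.com",
   "name_value": "API.yoursite.com\napi.yoursite.com",
   "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
  {"issuer_name": "C=XX, O=Example CA, CN=Example CA 3", "common_name": "yoursite.com.evil.example",
   "name_value": "yoursite.com.evil.example",
   "not_before": "2024-02-15T00:00:00", "not_after": "2024-05-15T23:59:59"}
]"""

# Constructed inventory: the names your DNS documentation says you own.
INVENTORY: Set[str] = {"yoursite.com", "www.yoursite.com", "api.yoursite.com"}


def names_from_ct(ct_json: str, domain: str) -> Set[str]:
    """Every hostname under `domain` seen in the CT records: lower-cased, de-duplicated,
    wildcard prefix stripped (a *.staging cert still reveals that staging exists)."""
    domain = domain.lower().rstrip(".")
    names: Set[str] = set()
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            host = raw.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]
            # Suffix match on ".domain" rejects lookalikes such as yoursite.com.evil.example
            if host == domain or host.endswith("." + domain):
                names.add(host)
    return names


def new_subdomains(ct_names: Iterable[str], inventory: Iterable[str]) -> List[str]:
    """Names present in CT logs but absent from the documented inventory."""
    known = {h.strip().lower().rstrip(".") for h in inventory}
    return sorted(set(ct_names) - known)


def ct_alerts(ct_json: str, domain: str, inventory: Iterable[str]) -> List[str]:
    """One alert line per unknown name; empty list means nothing new appeared."""
    unknown = new_subdomains(names_from_ct(ct_json, domain), inventory)
    return [f"ALERT: {host} appears in CT logs but not in the DNS inventory; find its owner"
            for host in unknown]


if __name__ == "__main__":
    for line in ct_alerts(SAMPLE_CT_JSON, "yoursite.com", INVENTORY):
        print(line)
```

Point it at a saved crt.sh response, or any CT search output mapped to the same fields, and keep the inventory in the same place as the DNS ownership records from the cleanup step. An expired certificate for a name you don't recognise (portal in the sample) is exactly the forgotten-service case: feed every flagged name into a dangling-record check before anything else.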
HSTS (HTTP Strict Transport Security) with preloading tells browsers to only connect to your domain over HTTPS — and tells them to reject invalid certificates. It doesn't prevent takeover, but it limits what an attacker can do after a successful takeover.
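Two checks for the CAA and HSTS mitigations just described, as an added example that is not part of the article: the first decides whether a CAA record set actually permits a given CA to issue, following the RFC 8659 rule that an absent (or issue-less) CAA set means any CA may issue and that an issue value of ";" authorises no one; the second parses a Strict-Transport-Security header and reports what is missing for preload-list eligibility (a max-age of at least one year, includeSubDomains, and the preload token). The sample records and header values are constructed.

```python
"""CAA and HSTS policy checks (added example). Sample inputs are constructed."""
from typing import Dict, List, Sequence, Tuple

ONE_YEAR = 31536000  # minimum max-age in seconds the HSTS preload list requires

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as written in the zone, e.g. (0, "issue", "ca.example")


def caa_allows(records: Sequence[CaaRecord], ca: str, wildcard: bool = False) -> bool:
    """True if `ca` may issue for a name whose effective CAA set is `records`.
    RFC 8659: no relevant issue/issuewild properties means unrestricted issuance;
    otherwise the CA's identifier must appear in one of them. For wildcard names
    issuewild takes precedence when present, else issue applies."""
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [value for _, t, value in records if t.lower() == tag]
    if not relevant:
        return True
    allowed = set()
    for value in relevant:
        # The issuer domain precedes any ";"-separated parameters; a bare ";" names no CA.
        domain = value.split(";", 1)[0].strip().lower()
        if domain:
            allowed.add(domain)
    return ca.strip().lower() in allowed


def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into {directive: value}; names are case-insensitive."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_preload_issues(header: str) -> List[str]:
    """Return the list of reasons this header would not satisfy the preload requirements."""
    d = parse_hsts(header)
    issues: List[str] = []
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        max_age = -1
    if max_age < ONE_YEAR:
        shown = "missing" if max_age < 0 else str(max_age)
        issues.append(f"max-age is {shown}; preload requires at least {ONE_YEAR}")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains missing; preload covers the whole domain tree")
    if "preload" not in d:
        issues.append("preload token missing")
    return issues


# Constructed samples for the two checks.
SAMPLE_CAA: List[CaaRecord] = [(0, "issue", "ca.example"), (0, "iodef", "mailto:security@yoursite.com")]
SAMPLE_HSTS_WEAK = "max-age=3600"
SAMPLE_HSTS_GOOD = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    print("ca.example may issue:", caa_allows(SAMPLE_CAA, "ca.example"))
    print("other-ca.example may issue:", caa_allows(SAMPLE_CAA, "other-ca.example"))
    for header in (SAMPLE_HSTS_WEAK, SAMPLE_HSTS_GOOD):
        print(header, "->", hsts_preload_issues(header) or "preload-ready")
```

Preload is close to permanent and applies to every subdomain, so run the HSTS check only after confirming that each subdomain (including the dangling ones you are about to clean up) is served over HTTPS; the CAA check is worth running for every CA your hosting providers use, since a provider that cannot obtain a certificate for a claimed subdomain is far less useful to whoever claimed it.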
EdgeIQ's Subdomain Hunter checks your domains via Certificate Transparency logs and flags potential takeover vulnerabilities — free, no signup required.
Subdomain takeovers aren't theoretical. They've been used in real breaches at major companies and are actively exploited in the wild. For small businesses, the reputational damage from being associated with a phishing campaign — even one launched from an "abandoned" subdomain you forgot about — can be devastating.
The fix is simple: know your DNS, audit regularly, and close the gaps before someone else finds them.