Squarespace-Hosted Websites Hijack Impacts Several Cryptocurrency Companies

• Hackers were able to gain access to Squarespace websites via a faulty authentication setup.
• Several cryptocurrency businesses that haven’t yet set up their accounts have been affected by the security incident.
• Some of the hijacked domains were redirecting to crypto-stealing phishing websites.

Cybercriminals hijacked several websites at domain registrar Squarespace last week, between July 9 and July 12, a report from investigative journalist Brian Krebs says. The attacks impacted at least a dozen organizations, most of them cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains.

New York City-based Squarespace bought all the assets of Google Domains in June 2023, gradually migrating its service. Yet, many clients still haven’t set up their new accounts, and malicious actors discovered they could take control of Squarespace accounts that had yet to be registered and redirect them to phishing sites crafted to steal cryptocurrency funds of visitors.

All they had to do was enter an email address tied to an existing domain. Security experts at Metamask and Paradigm believe Squarespace assumed all users migrating from Google Domains would select the API login options and not the email login. 

Squarespace did not require email verification for new accounts created with a password, so a threat actor could sign up for an account before the legitimate owner did.

Since these were recently migrated, entering the user's email would ask the hacker to create a password for the new account and offer access to the domain. Squarespace doesn’t support any access control, logs, or notifications for some actions, making it hard for legitimate owners even to acknowledge these malicious accounts exist.

Security experts warn anyone with access to a Squarespace account also offers a backdoor into its Google Workspace unless the owner explicitly disables this since Squarespace is the authorized reseller for Google Workspace bought via Google Domains.