Recent investigations reveal there is no verified critical vulnerability currently affecting 7.3 million Squarespace sites, despite claims suggesting otherwise. Current security research as of May 2026 shows no announced critical vulnerability matching this description in Squarespace’s official channels or security reports. However, this confusion likely stems from a significant 2024 incident that administrators should understand: Squarespace’s domain migration from Google Domains in July 2024 affected approximately 10 million domains and exposed a serious security gap when the platform disabled two-factor authentication and failed to require email validation during the transition.
The 2024 domain migration incident represents the most serious recent Squarespace vulnerability event on record. During this transition, attackers exploited the security gaps by guessing migrated email addresses and modifying DNS records for high-value cryptocurrency platforms like Celer Network, Compound Finance, and Pendle Finance, successfully hijacking domains and redirecting users to malicious sites. Understanding the facts behind this incident—and distinguishing them from unverified claims about current vulnerabilities—is essential for website administrators and development teams relying on Squarespace infrastructure.
Table of Contents
- What Actually Happened in the 2024 Squarespace Domain Migration?
- The Security Gap: Disabling 2FA During Migration
- Real-World Impact: Cryptocurrency Domain Attacks
- Distinguishing Current Claims from Historical Facts
- What Site Administrators Should Actually Do Today
- Lessons for Development Teams Deploying on Platform Services
- Forward-Looking Security Practices for Web Platforms
- Conclusion
- Frequently Asked Questions
What Actually Happened in the 2024 Squarespace Domain Migration?
When Squarespace assumed control of domain registrations from Google Domains in July 2024, the company implemented the transition without maintaining the security protections users had previously enabled. The most critical flaw was the blanket disabling of two-factor authentication (2FA) across all migrated accounts, meaning that even accounts with robust security settings suddenly became vulnerable to brute-force login attempts. Additionally, the platform did not require email validation when creating accounts during the migration window, allowing attackers to register accounts with migrated email addresses without confirming they owned those addresses. This combination of disabled 2FA and missing email validation created a perfect storm for domain hijacking.
Attackers were able to systematically target high-value domains by guessing common email patterns associated with migrated accounts, then using those compromised accounts to access domain management panels and alter DNS records. The attacks were not random: they specifically targeted cryptocurrency-related domains where the potential financial payoff justified the effort. This was not a theoretical vulnerability; it resulted in real, documented domain takeovers that redirected legitimate users to attacker-controlled infrastructure. The 2024 incident affected approximately 10 million domains that were migrated during the transition period, making it significantly larger in scale than most web platform security incidents. For context, that figure exceeds the 7.3 million sites cited in the more recent unverified claims, which underlines how serious this historical incident was for the Squarespace ecosystem.

The Security Gap: Disabling 2FA During Migration
The decision to disable two-factor authentication across all migrated accounts represents a significant security oversight during a high-risk transition period. Two-factor authentication serves as a critical control that prevents unauthorized access even when passwords are compromised or guessed. Disabling this protection at the exact moment when accounts were undergoing a major system change, and when attackers might be actively targeting the transition, created a window of vulnerability that lasted longer than necessary.
From a development perspective, maintaining 2FA during migration would have required more engineering effort. The platform would need to preserve existing 2FA configurations, ensure authentication flows worked correctly during the transition, and provide users with continuity in their security settings. However, the security cost of bypassing this work proved far greater than the engineering complexity would have been. Administrators who had invested time in securing their accounts with 2FA discovered their security posture was silently downgraded without notification or easy re-enablement. The lesson here applies broadly to any major infrastructure transition: security-critical settings should be preserved or explicitly re-enabled with clear user communication, not disabled by default. For site managers using Squarespace, this incident underscores the importance of manually verifying your account security settings after any significant platform update or transition.
Real-World Impact: Cryptocurrency Domain Attacks
The documented attacks resulting from the 2024 migration vulnerability specifically targeted cryptocurrency platforms with millions of dollars in user assets at stake. Celer Network, a blockchain infrastructure platform, had its domain hijacked and redirected to an attacker-controlled site designed to steal user credentials. Similarly, Compound Finance and Pendle Finance—both significant decentralized finance (DeFi) platforms—experienced domain takeovers that threatened users’ direct access to their platforms and wallets. These weren’t attacks against random small businesses; they were sophisticated campaigns targeting platforms where domain control directly impacts user security and financial safety.
Users expecting to visit legitimate finance platforms instead landed on attacker-controlled copies, creating opportunities for credential theft and wallet compromise. The attacks demonstrate why domain security should be treated with the same rigor as application security—a compromised domain can undermine every other security measure a platform implements. For development teams and site administrators running on Squarespace, the real-world impact serves as a reminder that your domain security is only as strong as your registrar’s controls. A breach at the registrar level bypasses all application-level security measures you’ve implemented.

Distinguishing Current Claims from Historical Facts
The title referencing a “critical Squarespace vulnerability affecting 7.3 million sites” does not match any verified current security announcement as of May 2026. Squarespace’s official security reporting and third-party security research firms like UpGuard have not published information about a current vulnerability of this scope. This highlights an important pattern in security communications: unverified vulnerability claims often circulate across the internet without being tied to official vendor announcements or CVE (Common Vulnerabilities and Exposures) records. When evaluating security claims, the authoritative sources are: official vendor security advisories, CVE databases, established security research firms, and reputable cybersecurity news outlets.
For Squarespace, the official channels include their status page and security notices, which serve as the source of truth. UpGuard’s April 2026 security report on Squarespace, for example, does not reference any unresolved critical vulnerabilities currently affecting millions of sites. The comparison between verified historical incidents (like the 2024 domain migration issue) and current unverified claims helps establish what actions are actually necessary versus what might be unnecessary panic. Site administrators facing claims about vulnerabilities should verify the information through official channels before implementing emergency responses. This approach prevents wasting resources on non-issues while ensuring that genuine threats receive appropriate attention.
What Site Administrators Should Actually Do Today
For site managers using Squarespace in May 2026, the most practical security steps focus on account-level controls rather than responding to unverified claims. First, verify that two-factor authentication is enabled on your Squarespace account—navigate to account settings and confirm 2FA is active. This single control would have prevented most of the 2024 domain hijacking attacks had it been maintained during the migration. Second, review domain registration contact information to ensure your current email address is accurate and that you have access to that email account’s recovery options. Third, consider using Squarespace’s security features around domain transfers and administrative changes.
Most modern registrars offer transaction authorization codes (auth codes) required before domains can be transferred to other registrars, and access controls that notify you of administrative changes. Enabling all available security features in your account takes minimal time but significantly raises the barrier for attackers. Compare this to the response effort required if your domain is actually compromised—recovery could take weeks and potentially result in downtime for your site and loss of user trust. Fourth, subscribe to Squarespace’s official security notifications if available, so you receive announcements about any future incidents directly from the source. This ensures you’re not relying on secondhand information or unverified social media claims to learn about platform issues affecting your sites.

Lessons for Development Teams Deploying on Platform Services
The Squarespace domain migration incident provides broader lessons for development teams deploying on any platform-as-a-service or registrar service. When a platform you depend on undergoes major infrastructure changes or migrations, treat it as a security-relevant event and review your account configuration afterward. Platforms may implement migrations with reasonable engineering decisions that don’t prioritize preserving every security setting in the way you’d prefer.
Similarly, don’t assume that critical security features like 2FA will maintain their state across major system changes. Actively verify these settings post-migration and throughout the lifecycle of platform transitions. For teams managing multiple domains or subdomains through Squarespace, this means adding a post-maintenance verification checklist to your security procedures—checking 2FA status, contact information, and transfer locks should become standard practice after any significant platform update.
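The DNS and transfer-lock parts of the post-maintenance checklist described here, and in the administrator steps above, can be automated. The script below is an added example, not Squarespace's or any registrar's code: it diffs a baseline captured before a migration against a fresh lookup and flags any changed A or NS record or a dropped transfer lock. The domain names, addresses and lookup functions are constructed placeholders; 2FA status stays a manual check in the account UI because the page names no API for it.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# EPP status that blocks registrar-to-registrar transfers (a real status code;
# how your registrar exposes it over RDAP/WHOIS is an assumption here).
TRANSFER_LOCK = "clientTransferProhibited"

@dataclass
class Baseline:
    """Known-good records captured before the migration or maintenance window."""
    a_records: Set[str]
    ns_records: Set[str]
    locked: bool = True   # transfer lock expected to be set

def check_domain(domain: str, base: Baseline, resolve, status) -> List[Tuple[str, str]]:
    """resolve(domain, rtype) -> record values; status(domain) -> registrar status codes.
    Returns (check, detail) pairs for every deviation from the baseline."""
    findings = []
    for rtype, expected in (("A", base.a_records), ("NS", base.ns_records)):
        observed = set(resolve(domain, rtype))
        if observed != expected:   # added, removed or swapped records all count
            findings.append((rtype, f"expected {sorted(expected)}, got {sorted(observed)}"))
    if base.locked and TRANSFER_LOCK not in status(domain):
        findings.append(("lock", "transfer lock no longer set"))
    return findings

def run_checklist(baselines: Dict[str, Baseline], resolve, status) -> Dict[str, list]:
    """Run the post-maintenance check over every managed domain."""
    return {d: check_domain(d, b, resolve, status) for d, b in baselines.items()}

# Constructed sample data (not real domains or addresses): one domain whose A
# record now points elsewhere and whose lock was dropped, one that is unchanged.
NS = {"ns1.registrar.test", "ns2.registrar.test"}
BASELINES = {"finance.example.test": Baseline({"203.0.113.10"}, set(NS)),
             "blog.example.test": Baseline({"203.0.113.20"}, set(NS))}
OBSERVED_DNS = {("finance.example.test", "A"): ["198.51.100.7"],  # redirected
                ("finance.example.test", "NS"): sorted(NS),
                ("blog.example.test", "A"): ["203.0.113.20"],
                ("blog.example.test", "NS"): sorted(NS)}
OBSERVED_STATUS = {"finance.example.test": ["ok"],           # lock dropped
                   "blog.example.test": [TRANSFER_LOCK]}
def sample_resolve(domain: str, rtype: str) -> List[str]:
    return OBSERVED_DNS[(domain, rtype)]
def sample_status(domain: str) -> List[str]:
    return OBSERVED_STATUS[domain]

if __name__ == "__main__":   # 2FA status has no API here; it stays a manual UI check
    for domain, findings in run_checklist(BASELINES, sample_resolve, sample_status).items():
        print(domain, "OK" if not findings else findings)
```

In production, replace the two sample lookups with a real resolver and your registrar's RDAP or WHOIS status query, and run the script on a schedule so drift is caught between reviews.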
Forward-Looking Security Practices for Web Platforms
As web platforms continue to evolve and consolidate services, security during transitions becomes increasingly important. Squarespace’s experience with the 2024 domain migration illustrates a pattern that other platforms will likely encounter as they scale and modernize infrastructure. The industry has responded by developing better practices around migration security: preserving user security settings, requiring explicit re-enablement of critical controls rather than defaulting to disabled states, and providing clear communication about what changed and why.
Looking forward, site administrators should expect platforms to handle migrations with appropriate security considerations, but should also maintain healthy skepticism about unverified vulnerability claims. The difference between the documented 2024 incident and the current unverified claim about 7.3 million affected sites demonstrates how misinformation can spread in security discussions. Staying informed through official channels, maintaining strong account security practices like 2FA and secure contact information, and verifying extraordinary claims before taking emergency action remains the most effective security posture for teams depending on platform services.
Conclusion
There is no verified critical vulnerability currently affecting 7.3 million Squarespace sites as of May 2026. However, the 2024 domain migration incident affecting approximately 10 million domains—involving disabled two-factor authentication and missing email validation—represents a serious historical security event that site administrators should understand and learn from. The attacks that exploited this vulnerability successfully hijacked high-value domains by targeting cryptocurrency platforms, demonstrating the real-world consequences of registrar-level security gaps.
For site managers using Squarespace today, the appropriate response is not to panic over unverified claims, but to actively verify that your account security is properly configured, particularly two-factor authentication and domain protection features. Stay informed through official Squarespace security channels rather than unverified sources, and implement a post-maintenance security review process whenever the platform undergoes significant updates. This balanced approach addresses genuine risks while avoiding the distraction and resource waste that accompanies responding to unfounded vulnerability claims.
Frequently Asked Questions
Is there actually a critical Squarespace vulnerability affecting millions of sites right now?
No. As of May 2026, there is no verified critical vulnerability matching the “7.3 million sites” claim. The most significant recent Squarespace security incident was the 2024 domain migration issue affecting approximately 10 million domains.
What was the 2024 Squarespace domain migration vulnerability?
When Squarespace migrated domain registrations from Google Domains in July 2024, the platform disabled two-factor authentication across all accounts and failed to require email validation during account creation. This allowed attackers to hijack high-value domains, particularly cryptocurrency platforms like Celer Network, Compound Finance, and Pendle Finance.
What should I do to protect my Squarespace account?
Verify that two-factor authentication is enabled in your account settings, ensure your account recovery email is current and accessible, enable domain transfer protection features if available, and subscribe to official Squarespace security notifications for authentic announcements about future incidents.
Why would Squarespace disable 2FA during migration?
The platform likely disabled 2FA to simplify the migration process and reduce technical complexity. However, this prioritized engineering convenience over security at a critical moment when user accounts were most vulnerable. It’s a lesson in why security-critical settings should be preserved or explicitly re-enabled with clear communication.
How do I know if my Squarespace account was affected by the 2024 migration incident?
If you migrated domains to Squarespace from Google Domains in July 2024, your accounts would have been affected. Review your 2FA status in account settings and verify your contact information to ensure current security settings are properly configured.
Where should I check for real Squarespace security announcements?
Check Squarespace’s official status page, security notices, and account notifications. For independent verification, consult established security research firms and official CVE databases. Avoid relying on social media or unverified third-party sources for critical security information.