While claims of a “new zero-day vulnerability” affecting Squarespace have circulated online, there is no verified evidence of such a vulnerability currently active in the wild. However, Squarespace users have faced significant security threats, most notably the July 2024 domain hijacking incident that exposed critical weaknesses in how the platform handled the Google Domains acquisition. This incident affected at least a dozen organizations, including cryptocurrency platforms and financial protocols, demonstrating that website takeovers on Squarespace are not theoretical—they have already happened, and the vulnerabilities that enabled them warrant serious attention from site owners.
The most documented attack vector was not a code-based zero-day, but rather a configuration failure: Squarespace disabled two-factor authentication (2FA) for all accounts migrated from Google Domains during the acquisition in 2023. This meant that an attacker who obtained login credentials could access accounts without additional verification. Combined with the ability to exploit the domain migration process itself, hackers were able to hijack domains, redirect DNS records, and create malicious versions of legitimate websites—effectively taking control of entire online properties in what felt like seconds to victims.
Table of Contents
- What Actually Happened with Squarespace Domain Security?
- Why Migration Processes Are High-Risk Security Events
- Recent Zero-Day Activity and Broader Web Platform Threats
- Protecting Your Squarespace Domain and Site Infrastructure
- DNS Hijacking as a Website Takeover Vector
- The Role of Email Security in Domain Protection
- Future Outlook: Platform Security in an Era of Acquisitions and Migrations
- Conclusion
What Actually Happened with Squarespace Domain Security?
The July 2024 domain hijacking campaign targeting Squarespace revealed how migration processes can become security vulnerabilities. When Squarespace acquired Google Domains, the platform needed to migrate hundreds of thousands of domain registrations and their associated accounts. During this process, security controls that were standard on Google Domains—including two-factor authentication—were unexpectedly disabled for migrated accounts. This was not a sophisticated exploit; it was a configuration oversight with massive consequences.
The attack exploited the gap between account compromise and domain access. Attackers leveraged the domain migration process to register email addresses associated with domains during the transition period. By gaining control of these email addresses and accessing accounts without 2FA, they could change DNS records, delete existing email aliases, and essentially redirect all traffic for a domain. Victims like Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains discovered their domains pointing to attacker-controlled servers—a takeover that required no complicated exploit code, just access to credentials and a disabled security layer.
The speed of these takeovers was shocking. Once attackers had email access, changing DNS records happened in minutes. A website owner could wake up to find their domain controlled by someone else, with malicious decentralized applications (dApps) created in their name to redirect users and steal funds. For web professionals and digital marketers, this incident underscored a critical lesson: infrastructure security is as important as code security.

Why Migration Processes Are High-Risk Security Events
Domain migrations are among the highest-risk activities in web operations because they require temporarily opening access to critical infrastructure. When a platform migrates domains from one registrar to another, it must update DNS records, update account associations, and manage the transition of authentication systems. Each of these steps presents an opportunity for security failures if not carefully managed.
The Squarespace case showed how migrating away from a more security-conscious platform (Google Domains) could actually introduce new risks. Google had enforced 2FA on its domain accounts, making them harder to compromise. Squarespace’s decision to disable this protection for migrated users removed a security layer without notifying customers. This is a critical limitation: not all platforms maintain the same security standards post-acquisition. When choosing a domain registrar or web hosting provider, site owners should investigate whether migrations will reduce their security posture, not just improve convenience.
Another risk during migrations is the temporary availability of legacy access methods. During the Google Domains transition, there were multiple ways attackers could attempt to gain access—both old Google accounts that hadn’t fully migrated and new Squarespace accounts that weren’t fully secured. This window of multiple access vectors is dangerous. For enterprises managing multiple domains, it’s essential to audit access methods during any migration and ensure legacy credentials are disabled as soon as possible.
Recent Zero-Day Activity and Broader Web Platform Threats
While a specific Squarespace zero-day has not materialized, cybersecurity researchers did report in May 2026 that hackers used AI models to develop and exploit a zero-day vulnerability in an open-source web administration platform. This incident, documented by Google Threat Intelligence, demonstrates that AI-assisted vulnerability development is becoming a reality. However, the vulnerability was not in Squarespace—it was in a different platform—highlighting that the web development landscape faces evolving threats from multiple directions.
The distinction matters for risk assessment. A zero-day in website builder platforms like Squarespace would affect thousands or millions of sites simultaneously because all users rely on the same underlying code. The 2024 domain hijacking, by contrast, was an operational and configuration failure that affected those who migrated from Google Domains during the specific transition window. Both types of attacks are serious, but they require different defensive strategies.
For site owners, this means monitoring multiple threat vectors: the code and platforms you use, the security practices of any infrastructure provider you depend on, and the operational security during any migration or transition. A zero-day might make headlines, but the configuration failures that silently disable security protections can be equally devastating.

Protecting Your Squarespace Domain and Site Infrastructure
If you operate a Squarespace site or use Squarespace for domain registration, immediate action is necessary to verify your account security. First, enable two-factor authentication on your Squarespace account if you haven’t already—this is the single most important step to prevent the type of attack that succeeded in July 2024. Second, verify your DNS records are pointing to the correct servers. An attacker with account access will change DNS before you notice anything else is wrong.
Additionally, use a strong, unique password for your Squarespace account and store it in a password manager rather than reusing it across platforms. The 2024 attacks were often enabled by password reuse: if an attacker compromised your password on another platform, they could use it to access Squarespace accounts. Implement account recovery options carefully—ensure your email address is secure, as it’s often the key to resetting passwords and gaining account access. If you use a generic email for domain registration (like a company domain), ensure that mailbox is monitored by multiple people.
Compare this protective approach to the default assumption many site owners have: that platforms will handle security automatically. They won’t. Platforms like Squarespace maintain baseline security, but protecting your specific domains requires active participation. You must enable available protections, monitor your accounts, and stay aware of any platform changes that might affect your security.
DNS Hijacking as a Website Takeover Vector
DNS hijacking is the method attackers used in the Squarespace incident, and it’s a critical vulnerability for any web professional to understand. DNS is the system that translates domain names into IP addresses—when someone types your domain into a browser, DNS records tell their computer where to find your actual website. If an attacker can change your DNS records, they control where your domain points, regardless of what’s on your actual hosting server.
The limitation of relying solely on platform security is that once DNS is compromised, it doesn’t matter if your hosting provider has strong security—traffic never reaches your real server. In the Squarespace case, attackers redirected domains to their own servers, where they hosted fraudulent sites designed to steal credentials or funds. A site owner might not realize the compromise for hours or days because users trying to access the site would successfully reach a web page—just not the correct one.
To defend against DNS hijacking, enable domain lock features if your registrar offers them (most do, including Squarespace after this incident). Monitor your DNS records regularly using tools like DNSChecker or your registrar’s native monitoring. Set up email alerts if DNS records change without your authorization. If you discover a DNS hijacking, contact your registrar’s abuse team immediately to lock the account and verify that all changes are your own work.
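The record monitoring described above, as an added example that is not part of the original article: a Python check that parses saved `dig +noall +answer` output and reports every A, AAAA, CNAME, MX or NS record set that differs from a known-good baseline, ignoring TTL, ordering and letter case. The domain, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Record types whose change redirects web traffic, mail, or the whole zone.
WATCHED = {"A", "AAAA", "CNAME", "MX", "NS"}

# Constructed sample data (example.com and documentation IP ranges, not real records).
BASELINE = """\
example.com.  3600  IN A  192.0.2.10
example.com.  3600  IN MX 10 mail.example.com.
example.com.  86400 IN NS ns1.registrar.example.
example.com.  86400 IN NS ns2.registrar.example.
"""
OBSERVED = """\
; constructed capture: A record repointed, NS reordered, MX TTL lowered
example.com.  300   IN A  203.0.113.77
example.com.  300   IN MX 10 mail.example.com.
EXAMPLE.com.  86400 IN NS ns2.registrar.example.
example.com.  86400 IN NS ns1.registrar.example.
"""

def parse_dig_answer(text):
    """Parse `dig +noall +answer` lines into {(name, type): set(rdata)}."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(None, 4)  # name, ttl, class, type, rdata
        if len(fields) != 5 or line.lstrip().startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = fields
        if rtype.upper() in WATCHED:
            # Names are case-insensitive and TTLs vary, so compare normalised rdata only.
            key = (name.lower().rstrip("."), rtype.upper())
            records[key].add(rdata.strip().lower().rstrip("."))
    return dict(records)

def diff_records(baseline, observed):
    """Return (name, type, removed, added) for every record set that differs."""
    changes = []
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key, set()), observed.get(key, set())
        if old != new:
            changes.append((key[0], key[1], sorted(old - new), sorted(new - old)))
    return changes

if __name__ == "__main__":
    for name, rtype, removed, added in diff_records(
            parse_dig_answer(BASELINE), parse_dig_answer(OBSERVED)):
        print(f"ALERT {name} {rtype}: removed={removed} added={added}")
```

Run on a schedule against fresh `dig` output and routed to email or chat, a non-empty result is the unauthorized-change alert the paragraph calls for.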

The Role of Email Security in Domain Protection
Email access was the entry point for many of the 2024 Squarespace attacks. Attackers would compromise an email account, use it to reset the Squarespace domain account password, and then modify DNS records. This illustrates a critical dependency: your email security directly determines your domain security, because email is the recovery mechanism for almost all web accounts.
If you use a Gmail account, Yahoo account, or any third-party email service to manage your Squarespace domain, ensure that email account has its own strong authentication. Enable two-factor authentication on your email account. Use a recovery phone number or backup email address so that if your email is compromised, you can regain access. For high-value domains, consider using a dedicated email address managed exclusively for that purpose, and store credentials in a secure vault rather than a shared password manager.
Future Outlook: Platform Security in an Era of Acquisitions and Migrations
The Squarespace domain hijacking incident is likely to be the first of many security issues resulting from acquisitions and platform consolidations. As larger companies absorb smaller services, they often maintain different security standards or introduce new risks during the integration process. Site owners should anticipate that any major platform change—acquisition, merger, migration to new infrastructure—is a window of heightened risk.
Going forward, the industry may see increased scrutiny of registrar security practices, and platforms may become more transparent about security changes during migrations. However, this doesn’t eliminate the need for individual site owners to actively manage their security. The era of “set it and forget it” domain management is over. Web professionals and digital marketers should treat domain and infrastructure security with the same attention they give to content and SEO, because a compromised domain is worthless no matter how well-optimized it is.
Conclusion
While a new Squarespace zero-day vulnerability has not been verified in current reporting, the July 2024 domain hijacking incident proved that Squarespace sites can be compromised through configuration failures and disabled security controls. This is actionable information: site owners can prevent similar attacks by enabling two-factor authentication, monitoring DNS records, securing associated email accounts, and staying alert during any platform migrations or changes. The threat is real, but it’s also largely preventable through proper security hygiene.
If you manage Squarespace domains or sites, treat this as an urgent signal to audit your security. Check your account settings today, enable every available protection, and verify your DNS records are correct. The attackers who exploited Squarespace in 2024 have likely moved on to other targets, but the vulnerabilities they exposed—disabled authentication, risky migration processes, and email dependency—remain relevant to any web property. Your security is not guaranteed by your platform; it requires your active participation.




