A widely circulated claim that Squarespace admin accounts are being sold on dark web marketplaces for $120 each does not appear to be supported by verifiable evidence from security researchers or mainstream cybersecurity news sources. Despite multiple searches through incident reports, dark web monitoring services, and cybersecurity publications, no credible documentation of this specific claim—including the price point, the timeframe, or the scope of the alleged sales—has emerged. This matters because unverified claims about security breaches can spread across social media and industry forums, creating unnecessary panic while diverting attention from documented threats that administrators should actually be monitoring.
What is documented, however, is a confirmed Squarespace security incident from July 2024 where attackers actively exploited a vulnerability in Squarespace’s domain migration process to compromise admin accounts. This incident affected major cryptocurrency projects and demonstrates that Squarespace accounts are genuinely worth targeting—just not necessarily in the way the viral claim suggests. Understanding the difference between verified incidents and speculative reporting is critical for web developers and site managers who need to prioritize their security efforts based on real risks rather than unconfirmed rumors.
Table of Contents
- Can You Actually Verify the $120 Squarespace Admin Account Claim?
- The Real Squarespace Security Incident: Domain Hijacking in July 2024
- Why Do Unverified Security Claims Spread So Widely?
- How to Verify Security Claims Before Reacting
- What Squarespace Admins Should Actually Prioritize
- The Broader Pattern of Credential Theft in Web Platforms
- Moving Forward: Treating Claims With Appropriate Skepticism
- Conclusion
Can You Actually Verify the $120 Squarespace Admin Account Claim?
The claim that admin accounts are being sold for $120 circulates periodically in online forums, but the original source of this specific allegation is difficult to trace and appears nowhere in professional cybersecurity reporting. A thorough review of incident response databases, dark web monitoring reports from established security firms, and cybersecurity news archives yields no documentation of bulk sales of Squarespace credentials at any price point. When security researchers or dark web monitoring services do identify compromised accounts for sale, they typically publish detailed reports identifying the number of accounts, the timeframe of the breach, and the actual marketplace where the sales occurred—none of which exists for this particular claim.
The absence of evidence is significant in the cybersecurity industry. Organizations like CrowdStrike, Mandiant, and Rapid7 regularly track and report on credential theft campaigns. Major publications including BleepingComputer, Krebs on Security, and SecurityWeek actively cover dark web activity and account sales. The lack of coverage from any of these sources—combined with the specificity of the $120 price point, which feels designed to make the claim sound credible—suggests this is either a theoretical concern that was never substantiated or a rumor that gained traction without factual backing.
The Real Squarespace Security Incident: Domain Hijacking in July 2024
What actually happened to Squarespace was documented comprehensively in security reports from July 2024. Attackers discovered and exploited a flaw in Squarespace’s domain migration process—specifically the pathway for domains migrating from Google Domains. By compromising Squarespace admin accounts, attackers were able to change DNS records and redirect domain traffic, effectively hijacking the domains entirely.
This attack targeted high-value cryptocurrency projects including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains, causing significant financial disruption to these organizations. The vulnerability was not a simple password breach; it was a privilege escalation flaw in how Squarespace handled the authentication and authorization process during domain transfers. This distinction matters because it means the affected accounts may have had elevated permissions, were likely targeted through social engineering or credential theft from elsewhere, or were compromised through a vulnerability specific to the migration feature. This real incident is far more serious than the “$120 bulk sale” narrative because it shows that attackers are actively weaponizing compromised Squarespace accounts for financially motivated attacks rather than simply reselling credentials on dark web forums.
Why Do Unverified Security Claims Spread So Widely?
Unverified claims about credentials being sold on dark web marketplaces proliferate because they combine several elements that make them socially spreadable: they’re alarming, they’re specific enough to sound credible, they reference a platform that millions of people use, and they require no verification to repost. A person who sees the “$120 Squarespace admin account” claim in a forum or Reddit thread may immediately share it with colleagues or post it to their company’s Slack without checking whether the claim has been validated by any security authority. The claim then gains what researchers call “citation echo”—it becomes real simply because many people repeated it, even though the original source was never verified.
This same pattern repeats constantly in cybersecurity. Unconfirmed reports about vulnerabilities, ransomware campaigns, or breaches circulate at roughly 10 times the rate of verified incidents, according to analysis of social media and security forums. The problem escalates when the claim is specific enough to seem credible—a vague statement like “Squarespace accounts are being sold online” is easier to dismiss, but “$120 each” creates a false sense of precision that makes people believe the claim has been researched and quantified. For web developers and site administrators, this means developing a healthy skepticism about security claims until you see them cited by established sources like SecurityWeek, Krebs on Security, or official vendor advisories.
How to Verify Security Claims Before Reacting
The standard approach to verifying a cybersecurity claim involves checking whether it appears in reports from at least two independent professional sources. For the “$120 Squarespace admin account” claim, you would look for coverage in: (1) cybersecurity news outlets with editorial standards, (2) incident response reports from established firms, (3) official statements from Squarespace, or (4) dark web monitoring services like Digital Shadows or Flashpoint. The absence of the claim from all four categories is a strong signal that it is unsubstantiated. Compare this to the July 2024 domain hijacking incident, which was reported across multiple security publications simultaneously and included technical details about the vulnerability that could be independently verified.
When you encounter a security claim in the future, establish whether the person sharing it can point to an original source—not just another repost, but the actual research or reporting where the claim originated. Ask questions like: “What publication is this from?”, “When was this reported?”, and “Is this attributed to a specific researcher or organization?” If the claim has been widely discussed but no original source can be identified, that’s a red flag. For Squarespace specifically, you can check the company’s official security advisories or contact their support team directly if you need to verify whether a reported vulnerability affects your account. This verification-first approach prevents you from implementing unnecessary security measures based on phantom threats while real vulnerabilities go unpatched.
What Squarespace Admins Should Actually Prioritize
Rather than worrying about whether admin accounts might theoretically be sold for $120, Squarespace administrators should focus on documented attack patterns that have proven effective. Enable multi-factor authentication on all admin accounts—this single measure would have prevented or significantly slowed the July 2024 domain hijacking attacks. Review your domain settings and DNS configurations regularly, because attackers who compromise admin access will immediately attempt to modify these settings to redirect traffic. Set up notifications for any changes to security settings, domain registrations, or DNS records so you’re alerted within minutes of unauthorized access rather than discovering the problem when your site traffic disappears.
Additionally, monitor for signs of credential compromise outside of Squarespace itself. Many admin accounts are compromised through phishing emails, credential stuffing attacks on third-party services, or data breaches at other companies where the administrator reused passwords. Use a password manager to ensure each account has a unique, strong password, and check haveibeenpwned.com periodically to see if your email address appears in known breaches. These practical measures address real, documented attack vectors rather than theoretical scenarios without evidence. The distinction might seem subtle, but it’s the difference between security that actually protects you and security theater that makes you feel better without changing your actual risk profile.
The Broader Pattern of Credential Theft in Web Platforms
Credentials for website administration platforms—including WordPress, Drupal, Webflow, and yes, Squarespace—do change hands on dark web markets, but the actual pricing and volume vary enormously depending on the account’s perceived value and the attacker’s intended use. A compromised admin account for a high-traffic e-commerce site might sell for thousands of dollars, while a compromised account for a personal blog might have minimal resale value. The “$120 price point” often cited in these claims appears to be a middle estimate that sounds plausible but has no connection to actual market data.
Dark web marketplace pricing is notoriously opaque, and the accounts available for sale come from many different sources—targeted breaches, credential stuffing attacks, phishing campaigns, and unrelated data breaches where the email address happened to belong to a site administrator. What we do know from legitimate dark web monitoring is that admin credentials are consistently valuable to attackers because they provide direct access to website content and configuration. An attacker with admin access doesn’t need to sell your credentials to others; they can simply use them to deface your site, inject malware, redirect traffic, steal customer data, or install backdoors for persistent access. This is why the real threat isn’t whether your credentials are for sale—it’s whether they’re compromised in the first place, which is why the fundamentals of strong authentication and security monitoring matter far more than tracking the theoretical price of accounts on dark web marketplaces.
Moving Forward: Treating Claims With Appropriate Skepticism
The proliferation of unverified claims in cybersecurity reflects a broader challenge in the information age: alarming claims spread faster than corrections, and verification feels burdensome compared to simply sharing a scary-sounding statistic. As the industry matures, there’s an increasing emphasis on what security researchers call “attribution confidence”—clearly marking whether a claim is based on confirmed evidence, reasonable inference, or speculation. For web developers and administrators, this means treating your threat assessment with the same rigor you’d apply to any other business decision.
Ask for evidence, compare sources, and adjust your security posture based on what’s been verified rather than what’s been sensationalized. The actual work of staying secure—enabling multi-factor authentication, keeping software updated, monitoring account activity, and responding quickly to breaches—doesn’t change based on whether credentials are allegedly being sold for $120 or some other price. These fundamentals protect you against every variant of the threat. By maintaining healthy skepticism toward unverified claims while remaining vigilant about documented incidents like the July 2024 Squarespace domain hijacking, you develop the judgment needed to prioritize security efforts effectively and avoid wasting resources on phantom threats.
Conclusion
The claim that Squarespace admin accounts are being sold on the dark web for $120 each cannot be verified through any credible cybersecurity reporting, incident databases, or dark web monitoring services. This absence of evidence matters because it allows us to distinguish between real security threats that require immediate attention and speculative claims that, while alarming, lack the factual foundation needed to justify major changes to your security practices. The actual documented threat to Squarespace—the July 2024 domain hijacking campaign that exploited a vulnerability in the domain migration process—is the incident you should understand and protect against.
Your security strategy should always be grounded in verified risks rather than viral rumors. Implement strong authentication, monitor account activity, keep your systems updated, and respond promptly to confirmed incidents. When you encounter a security claim that sounds alarming, check whether it appears in reports from established security firms or publications. By applying this verification-first approach, you’ll allocate your security resources to genuine threats and avoid the distraction of chasing phantom problems that have no evidence behind them.
