An ethical hacker was able to buy expired domain names from the police and the OCMW, among others, for just eight euros each, thereby gaining unhindered access to citizens’ sensitive information.
According to an article in Gazet van Antwerpen, ethical hacker Inti De Ceukelaire gained access to citizens’ sensitive information for just a few euros. He was able to view citizens’ email addresses and personal data undisturbed via expired domain names. The ethical hacker calls this a “problem of unprecedented magnitude” and recommends that companies renew their domain names for at least ten years and apply two-step verification to work accounts.
Expired domain name
The security of our personal data has been questioned for some time. Inti De Ceukelaire is an ethical hacker who has already conducted several studies to test the security of this data, often with disappointing results. For this experiment, he was able to purchase former domain names of 44 OCMWs (public social welfare centres), 32 police zones, 12 CAWs (centres for general welfare work), 12 CLBs (pupil guidance centres), 4 hospitals and 3 legal institutions for just eight euros each.
“You can never completely own a domain name,” De Ceukelaire explains to Gazet van Antwerpen. “Website owners have to rent it from a domain registration company for x years. If you want to keep it after that, you will have to extend this contract. But in recent years, many domain names have been discontinued as institutions set up new websites. As a result, all of these domain names were up for sale again,” says De Ceukelaire.
In this way, De Ceukelaire was able to view emails undisturbed and take over the previous identities of 107 social institutions. What’s more, it turned out that these domains were also linked to 848 professional email addresses that were still circulating somewhere online.
“I opened these email addresses for a week and soon it became clear that people were still emailing them,” says De Ceukelaire. He received hundreds of emails about claims, administrative files and payment reminders. As if that wasn’t alarming enough, it also turned out that he had access to multiple cloud accounts that stored even more personal information.
Worrying
For reasons of confidentiality, De Ceukelaire deliberately did not look at the data, but people with malicious intentions could do a great deal with this information. For example, an attacker could easily impersonate a representative of a specific institution and get people to perform specific actions.
De Ceukelaire recommends that companies renew their domain name for at least ten years, even if it is no longer in use. “I think the real solution lies in further introducing two-step verification for work accounts,” says De Ceukelaire. With two-step verification, a code sent by SMS, for example, is also required to log in to an account, so a recovered mailbox alone is not enough.
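The practical check behind both the finding (old addresses still circulating on domains that have lapsed) and the recommendation (keep every domain you ever used under renewal) is an inventory audit: take every email address still referenced in documents, mailing lists or contact pages, extract its domain, and compare it against the list of domains the organisation actually controls and their expiry dates. The script below is an added example, not tooling from the article or from De Ceukelaire; the inventory, the addresses and the reference date are constructed, and the status names (`lapsed`, `expiring`, `unmanaged`, `ok`) are assumptions of this example.

```python
"""Audit email domains against a domain inventory (added example, constructed data)."""
import re
from datetime import date, timedelta
from typing import Optional

# Constructed inventory: domains the organisation has registered, with expiry date.
# A domain absent from this dict is one nobody is renewing, which is the case the
# article describes: it can be bought by anyone once it drops.
DOMAIN_INVENTORY = {
    "politie-example.be": date(2031, 1, 15),  # renewed for ten years
    "ocmw-example.be": date(2024, 3, 1),      # already lapsed relative to TODAY
    "caw-example.be": date(2025, 1, 20),      # expires within the warning window
}

# Constructed sample of addresses still found in documents and mailing lists.
ADDRESSES = [
    "onthaal@ocmw-example.be",
    "Sociale.Dienst@OCMW-example.be",   # same domain, different case
    "info@caw-example.be",
    "wijkagent@politie-example.be",
    "secretariaat@clb-example.be",      # domain not in the inventory at all
    "not-an-address",                   # noise that must be skipped
]

TODAY = date(2024, 11, 1)  # fixed reference date so the example is reproducible

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def extract_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain part of an email address, or None if malformed."""
    m = EMAIL_RE.match(address.strip())
    return m.group(1).lower() if m else None


def classify(domain: str, inventory: dict, today: date, warn_days: int = 90) -> str:
    """Classify a domain by its registration state relative to `today`."""
    expiry = inventory.get(domain)
    if expiry is None:
        return "unmanaged"   # nobody is renewing it: buyable as soon as it drops
    if expiry < today:
        return "lapsed"      # already past expiry: may be on sale right now
    if expiry - today <= timedelta(days=warn_days):
        return "expiring"    # renew before the grace period runs out
    return "ok"


def audit(addresses, inventory=DOMAIN_INVENTORY, today=TODAY, warn_days: int = 90) -> dict:
    """Group addresses by domain and attach a status; malformed entries are ignored."""
    report = {}
    for addr in addresses:
        domain = extract_domain(addr)
        if domain is None:
            continue
        entry = report.setdefault(
            domain, {"status": classify(domain, inventory, today, warn_days), "addresses": 0}
        )
        entry["addresses"] += 1
    return report


def needs_action(report: dict) -> list:
    """Domains that must be renewed, re-registered or retired from all documents."""
    return sorted(d for d, e in report.items() if e["status"] != "ok")


if __name__ == "__main__":
    rep = audit(ADDRESSES)
    for domain, entry in sorted(rep.items()):
        print(f"{domain:22} {entry['status']:10} {entry['addresses']} address(es)")
    print("action needed:", needs_action(rep))
```

Run it as-is to see the three domains that need attention; in practice the address list would come from a mailbox export or a grep over published documents, and the inventory from the registrar. Any domain reported as `lapsed` or `unmanaged` that still appears in circulation is exactly the condition the article describes, and the remedy is either to re-register and renew it or to purge every reference to it.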