In one of our previous blog posts, we looked at a few useful tips on how to protect your domain name. As much as you may rely on the domain provider to keep your domain safe from unauthorized third parties, you should put some effort into that on your end as well.
A few of the good practices are to use a unique email address, to set up a strong account password, and to keep the domain active. Unfortunately, somebody may hijack your domain name nonetheless. Although this is not a very likely scenario, you should be prepared should it happen.
There are different ways this can happen – the registrar may suffer a data leak, you may open a phishing site and somebody may steal your login credentials, etc. In this article, we will have a look at the steps you can take to get your domain back and minimize the damage.
- Check if your domain name was really hijacked
- Make sure your domain did not expire
- Check if your website got hacked, not the domain
- Somebody really hijacked my domain!
- Scan your computer for malware and update your login credentials
- Contact your registrar company
- Regain access to your domain account
- If the domain is there, but its DNS records are changed
- If the domain has been transferred away
- Contact ICANN
- Check popular marketplaces and domain forums
- Contact a dispute resolution provider
- Keep complete documentation for your domain name
- In conclusion
Check if your domain name was really hijacked
If you open your domain name in a browser and it does not open your website anymore, it is natural to think that somebody stole it. This may not be the case, though. Before you panic, you should double-check what may have happened. If you have any doubts, you can always contact your registrar company and check whether your website does not open due to some trivial reason and not due to a domain theft.
Make sure your domain did not expire
When a domain name expires, its name servers (DNS records) are changed automatically by the registrar company. As a result, the domain no longer points to the account where it is hosted and no longer opens the website it used to. Instead, it opens a page from the registrar’s system and it is up to the registrar if they will display ads or some other content. In most cases, you will see a note that the domain has expired, but sometimes such a note may not be that visible.
All it will take to get your website back online will be to renew your domain through the registrar company (or their reseller, depending on where you bought the domain from). Once the original DNS records propagate, everything will be back to normal.
If you fail to renew the domain for more than a couple of months, though, it will be deleted from the public space. Once this happens, anybody can register the domain name and no matter how long you may have used it for, it will no longer be “your” domain. Unless you have some legal right over that domain, there won't be much you can do to get it back. You can give it a try, though, and you can check our article on how to acquire an already registered domain for a few hints on how you can proceed.
Check if your website got hacked, not the domain
If you use any outdated themes or plugins, or you have not updated your website for a while, there is a chance that the site can get hacked. Sometimes hacked websites are left intact and malicious content is added to them, other times their content is replaced entirely.
If such a thing happens, you should contact your web hosting provider right away and you should restore your website if you have a clean backup. As the hosting and the domain are different services, one may get compromised, but the other one may not be affected. Thus, if you notice that your domain name no longer opens your website, this does not necessarily mean that somebody hijacked your domain.
If you have any doubts about your domain name, the best course of action will be to check the account you have with the registrar company and see if your domain is still listed there. You will clearly see whether the domain has expired, or whether its name servers still point to your web hosting service or to some third-party server.
Of course, there are some edge cases – if you have a .DE domain, for example, and you let it expire, the top-level registry DENIC will pull the domain from the registrar company the day the domain expires, so you will not see it in your domain account. If you have any doubts regarding your domain name, you should contact your registrar company for more information.
Somebody really hijacked my domain!
Unfortunately, it is possible that somebody really stole your domain name. If this is the case, you should act fast. We have prepared a list of steps you can take to get the domain back.
Scan your computer for malware and update your login credentials
This is something you should do immediately after you find out about the security breach. If your domain name was hijacked, at least one of your accounts has been compromised. Whether it was your email address or the domain account, it would be better to update all of your passwords. If possible, you should do this from a computer you do not usually use.
You should scan your own computer for malware as this is the most likely reason why an unauthorized party gained access to your account. Use long and complex passwords. Enable two-factor authentication for your email and domain accounts, if available.
Contact your registrar company
You should contact the registrar company for assistance and for guidance on how to proceed depending on the specific case. If you are not sure whether you bought the domain directly from a registrar or from a reseller, you can do a WHOIS lookup using https://tickets.suresupport.com/whois or https://whois.com, for example. You will see the top-level registrar company for your domain name.
Whether somebody gained access to your account and is now in control of the domain, or they transferred the domain to a new registrar, the only company that can help you is the registrar that you pay for the domain registration. Many registrar companies have a dedicated transfer dispute department that handles cases of unauthorized domain transfers.
Regain access to your domain account
Once you have established what registrar company you should contact, you should regain access to your account. No matter if your domain has been transferred to another provider or not, you should be able to access your account. This way, you can communicate more effectively with your registrar, you will protect any other domains you may have, and you will prevent anybody else from accessing your account.
You may have to send a copy of your ID to the registrar to prove your identity. As long as you had valid contact information in the account, they will be able to validate who you are so you can log in and take back control of your domain. Once you are able to log in, you can confirm whether your domain name is there or not and whether its DNS records have been changed. You can also ask your registrar if they have logs showing when the breach may have happened and where the unauthorized person accessed your account from.
If the domain is there, but its DNS records are changed
The lesser of two evils will be for an unauthorized third party to access your domain account and to point your domain name to some hosting provider without transferring it. The reason why somebody would do that is to use your domain for malicious purposes. They may not be able to transfer the domain for various reasons, or they may simply not want to raise suspicion as a transfer often involves notifying the domain owner.
You can easily see if this is the case if you open your domain name and you don’t see your site or a default page from your registrar (this excludes the aforementioned case of your website being hacked). If this happens, you can log in to your domain account and restore the previous DNS settings.
If the domain has been transferred away
If your domain has been transferred away, you should take steps to get it back. It is important to know that you should still contact the original registrar and you should not waste time contacting the new one. As far as the new company is concerned, whoever stole your domain is a legitimate customer who owns the name, while you could be the one trying to trick them. They will not have any record of you owning the domain, so you should not waste precious time trying to convince them that their customer stole your domain.
Your registrar, on the other hand, can verify who you are. They will have records of when the domain was transferred away, whether its contact information was modified, who was listed as the owner before the transfer took place, etc. They can also initiate a process of transferring your domain back from the new registrar if they have enough evidence that the initial transfer was fraudulent. This can happen at any time, no matter when the fraudulent transfer took place, as long as the domain has not been transferred to a third registrar meanwhile. In the general case, a domain can be transferred only if 60 days have passed after a previous transfer. This policy guarantees that whoever stole your domain won’t be able to move it to a third company for a couple of months. It will also give you enough time to work with your registrar to get the domain back.
The process of getting the domain back involves a formal complaint by the former registrar in accordance with ICANN’s Transfer Dispute Resolution Policy. You, being the registrant/owner, will not be involved in this process, but if you are interested, you can see the policy at https://www.icann.org/resources/pages/tdrp-2012-02-25-en.
Contact ICANN
Another option is to contact the Internet Corporation for Assigned Names and Numbers (ICANN). They accept, adopt, and enforce the policies as to how the domain name system works, and supervise the top-level domain registries and registrars.
If your registrar company is not helpful in giving you access to your domain or in transferring the domain back from another company, you can contact ICANN directly using https://forms.icann.org/en/resources/compliance/complaints/transfer/form. They will in turn contact the registrar and ask them to investigate the case and take the necessary measures to resolve it.
Check popular marketplaces and domain forums
Whoever stole your domain name may try to make some quick money by selling it. They cannot make money by using it themselves in the long term as you will most likely get it back soon.
If they transferred the domain away from your registrar, you will have the aforementioned 60 days to act before another transfer can take place. While you work with your registrar and possibly a lawyer and the authorities, you can check popular marketplaces and forums where domain names are being sold. It is likely that the person who stole your domain will try to sell it there, so if you notice it, inform the site operators right away.
You may also publish a post on domain discussion boards so as to make the hijacking public. The more people are aware of the theft, the less likely it will be for an unsuspecting third party to buy the domain from the thief.
Contact a dispute resolution provider
If your domain name includes a trademark, you can file a complaint with a dispute resolution provider such as the Arbitration and Mediation Center of the World Intellectual Property Organization (WIPO). These organizations offer services under ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP), which applies to all generic top-level domains.
You will have to pay a fee for the complaint to be reviewed, but this can save you a lot of time and effort as you may not have to seek legal advice or to contact the local authorities. The latter is important as online matters are regulated in different ways worldwide, so it is very likely that the authorities in your country will not have jurisdiction to deal with your case.
Once you file a complaint, an independent and impartial domain name panelist will be assigned to handle your case. They will contact the current registrar to request information about the domain, including the current WHOIS information and the contact details the domain was registered with.
During this formal proceeding, the registrar will lock the domain name, so the thief will not be able to use it, sell it, or transfer it to a different company. If the panel finds out that the domain is being used in bad faith, the registrar company will have to grant you access to manage the domain or to transfer it to another registrar of your choice.
You can see the full list of the ICANN-approved dispute resolution service providers at https://www.icann.org/resources/pages/providers-6d-2012-02-25-en.
Keep complete documentation for your domain name
No matter if you contact your registrar, ICANN, or a dispute resolution provider, having complete documentation is very important to prove your rights over the domain. You can present any communication you may have had with the registrar or with other providers, invoices and payment confirmations, renewal reminders, and other domain-related service emails. The more documents you have, the easier it will be to prove that you are the rightful owner of the domain. If you do not have such documents at the moment, it may be time to start collecting them just to be on the safe side.
There are some useful tools that can also help you to prove your ownership over a given domain name. If you were listed as the registrant/owner, you can use a WHOIS history record to prove it. Most such tools ask for a small fee to provide the complete record, which is something insignificant compared to the usefulness of the information you can get. As we do not want to promote one paid service over another, you can look up “WHOIS history” in your favorite search engine and pick a provider.
It can also help if you can prove that the domain was opening your personal or business website. For this purpose, you can use the Wayback Machine at http://web.archive.org/. This is a non-profit digital library that keeps snapshots of billions of websites. You can find and present a few snapshots of your site from different points in time.
In this light, you can also use https://whoisrequest.com/history/ to see how the DNS records of your domain have changed through the years. This tool is useful if you want to prove that the domain was pointed to your hosting provider before it was hijacked.
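The three situations described earlier (an expired domain, changed name servers, a transfer to another registrar) can be told apart by comparing a WHOIS lookup with details you recorded while the domain was healthy. The Python script below is an added example, not part of the original article; the sample WHOIS text, the registrar names and the baseline values are constructed, and the field labels assume the common gTLD WHOIS layout.

```python
from datetime import datetime, timezone

# Constructed sample of WHOIS output for a gTLD domain (not a real record).
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registrar: Other Registrar LLC
   Updated Date: 2024-05-02T10:11:12Z
   Registry Expiry Date: 2026-01-15T00:00:00Z
   Name Server: NS1.PARKING.EXAMPLE
   Name Server: NS2.PARKING.EXAMPLE
"""

# Baseline recorded by the owner while the domain was healthy (constructed).
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "name_servers": {"ns1.example-host.net", "ns2.example-host.net"},
}
EXPIRY_KEYS = ("registry expiry date", "registrar registration expiration date")

def parse_whois(text):
    """Map each lower-cased field label to the list of values seen for it."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def triage(text, baseline, now):
    """Return findings for the three cases: expired, transferred, DNS changed."""
    f = parse_whois(text)
    findings = []
    expiry = next((f[k][0] for k in EXPIRY_KEYS if k in f), None)
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) < now:
        findings.append(f"expired on {expiry}: renew through your registrar")
    registrar = f.get("registrar", ["(missing)"])[0]
    if registrar != baseline["registrar"]:
        findings.append(f"registrar changed to {registrar!r}: possible transfer away")
    ns = {n.lower().rstrip(".") for n in f.get("name server", [])}
    if ns != baseline["name_servers"]:
        findings.append("name servers differ from baseline: " + ", ".join(sorted(ns)))
    if findings and "updated date" in f:
        findings.append("record last updated: " + f["updated date"][0])
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_WHOIS, BASELINE, datetime.now(timezone.utc)):
        print(finding)
```

Keeping the baseline and each lookup result with the rest of your domain documentation gives the registrar a dated record of what changed.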
In conclusion
Losing your domain name can have a detrimental effect on your online presence. This is why preemptive measures are of utmost importance. Should something happen, though, you should know what to do in order to get your domain name back as soon as possible.
The two most important things are to change your passwords and to contact your registrar. This will prevent further damage, and you can start working with the registrar on getting your account and your domain back.
The more vocal you are on forums and marketplaces in the meantime, the less likely it will be for the hijacker to sell your domain. Of course, you should always follow the good practices on how to keep your domain name safe so as to make sure you never lose it in the first place.