Outdated Code and Forgotten Domains: A Hacker’s Playground

Most companies obsess over phishing emails, firewalls, and endpoint protection but miss a quieter, equally dangerous threat. Do companies know how their web applications behave in the browser of their users? Outdated third-party scripts aren’t just a lapse in IT hygiene. They’re an open invitation to data theft, fraud, and regulatory fallout.

When a forgotten domain becomes an attack vector

In the infamous British Airways breach, attackers registered a lookalike domain (baways dot com) and exploited a third-party script on the airline’s legitimate site to siphon off customer credit card data. For 16 days, the attacker quietly rerouted personal information from britishairways.com (real site) to the fake site. By the time anyone noticed, up to half a million customers had been compromised. The airline faced record-breaking fines and reputational damage.

Even more remarkable: our company was recently able to purchase baways.com again. It had been abandoned. We’ve since secured it and now host a history of the breach to raise awareness. Had modern browser supply chain security tools been in place (capable of flagging that baways.com was hosted in Romania by a discount Lithuanian provider, not in the UK) the breach might have been prevented.

This isn’t ancient history. The same basic attack vector is still available to cybercriminals. Many organizations simply don’t know which domains they’ve let expire, or what those domains are still connected to.

Abandoned domains don’t stay quiet

A few months ago, Belgian cybersecurity researcher Inti De Ceukelaire conducted a bold experiment. He purchased more than 100 expired domains that once belonged to hospitals, courts, and police agencies. Within days, he had access to 848 email inboxes. Password reset links flowed in for everything from Google Drive to Dropbox to OneDrive.

Even more alarming, those dormant inboxes began receiving new messages with folks’ personal health data, court records, and internal police communications. Years after these domains were decommissioned, they were still wired into critical systems and handing over sensitive information for less than €10 per domain.

This is what happens when organizations fail to fully sever old connections. Expired doesn’t mean erased, it just means vulnerable.

Domain confusion undermines brand trust and security

Even active domains can create security problems when managed poorly. Take the UK’s Royal Mail, which sends users package tracking links using the domain ryml.me followed by randomized strings. With scam texts mimicking this exact format, users can’t reliably tell what’s legitimate. In some cases, Royal Mail’s own support staff have misidentified their own links as fraudulent. That kind of confusion chips away at customer trust and makes phishing easier.

Or consider HubSpot, which uses a wide range of domain names (hubspot.com, hs-scripts.com, hsforms.com, hubapi.com, and others) for different services. If a business allows a script to connect to a domain like hs-hubapi dot net (not an actual known domain, but plausible enough), it might inadvertently run malicious code. Conversely, a legitimate script might be flagged as risky if the security team isn’t sure what domains are sanctioned. When domain management lacks clarity, both the security team and the end users are left guessing.

The Polyfill breach shows what happens when forgotten code strikes back

The recent Polyfill incident drove this issue home. Attackers bought the domain Polyfill dot io, previously linked to an open source library used across thousands of websites. The project had fallen out of maintenance, but the script was still actively referenced by over 380,000 hosts, including Warner Bros and Mercedes-Benz. Once compromised, Polyfill dot io began injecting malicious code into every page that called it. The breach didn’t stem from a flashy new exploit. It came from a forgotten link buried in a script tag.

What organizations must do now

Domain and browser script management are often treated as peripheral concerns. They’re not. The risks are real, active, and growing; regulators are taking notice. PCI DSS 4.0, for instance, now requires (as of March 2025) all organizations handling payment data to implement browser script monitoring.

To stay ahead of both attackers and auditors, organizations need to rethink how they manage domain and script risk. That all starts with retaining ownership of all domains tied to internal systems, user accounts, or hosted data (including long after a rebrand or business shift). It also means proactively acquiring lookalike domains to prevent impersonation and typo-squatting attacks before they can begin. Most critically, companies should put in place browser-based supply chain security strategies that can monitor, validate, and block suspicious third-party scripts in real time as pages load.

The modern browser is one of the most targeted surfaces in cybersecurity. With so much depending on a few invisible lines of JavaScript or a forgotten domain, security teams can’t afford to look away.

This article was originally published by Simon Wijckmans on HackerNoon.