Real Subdomain Takeover Cases — and How to Find Your Risk
Subdomain takeovers have affected companies of all sizes — including major brands. Here are documented cases showing how dangling CNAMEs get exploited and what the attackers actually do with them.
Attackers don't need your API keys — they need a forgotten CNAME pointing at a cloud hostname you no longer control. When the service is gone but DNS stays, the next person who claims that name owns your subdomain.
Why this happens so often
Development teams spin up subdomains constantly — for staging, testing, feature branches, marketing campaigns. When the service is deprovisioned, the DNS record stays. Over time, every company accumulates dangling CNAMEs. Most don't know they have them until someone reports a problem.
Documented takeover patterns
GitHub Pages: A subdomain points to username.github.io — the user deletes the repo or account. An attacker creates a GitHub account with the same username and publishes a page. Your subdomain now serves their content.
AWS S3: A subdomain points to bucket.s3.amazonaws.com. The bucket is deleted. An attacker creates a bucket with the same name in the same region. Your subdomain serves their files.
Heroku: A subdomain points to appname.herokuapp.com. The Heroku app is deleted. An attacker creates an app with the same name. Your subdomain shows their app.
What attackers do with taken subdomains
- Host phishing pages under your domain
- Serve malware downloads under your trusted domain
- Harvest credentials from users who trust your brand
- Send email from the subdomain (bypasses some filters)
What to do
Run DomainPreflight Dangling Records — it discovers your subdomains via certificate logs and checks each CNAME against known takeover fingerprints. The fix is always the same: delete the DNS record if the service is gone.
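As an added example (not DomainPreflight's code), here is a small offline classifier that models the check described above: each subdomain's CNAME target is matched against a known cloud suffix and, if the target still resolves, against the marker the provider shows for an unclaimed name. The fingerprint strings, hostnames, DNS answers and response bodies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Assumed fingerprint table (illustrative markers, not a vendor-verified list):
# cloud hostname suffix -> text the provider shows when the name is unclaimed.
FINGERPRINTS = {
    "github.io": "There isn't a GitHub Pages site here",
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "No such app",
}

@dataclass
class Observation:                # one subdomain as the scanner saw it
    subdomain: str
    cname: Optional[str]          # CNAME target, or None if the name has no CNAME
    target_resolves: bool         # whether the CNAME target itself still resolves
    body: str = ""                # start of the HTTP response body, "" if none

def vendor_for(target: str) -> Optional[str]:
    """Return the matching cloud suffix, or None for an unknown provider."""
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None

def classify(obs: Observation) -> str:
    """Return 'ok', 'review' or 'dangling' for one subdomain."""
    if not obs.cname:
        return "ok"               # no CNAME, so there is no name to re-claim
    vendor = vendor_for(obs.cname)
    if not obs.target_resolves:
        # Target is gone: at a known provider the name can be re-claimed, so
        # flag it; an unknown host is still dangling but needs a human look.
        return "dangling" if vendor else "review"
    if vendor and FINGERPRINTS[vendor] in obs.body:
        return "dangling"         # provider reports the name as unclaimed
    return "ok"

def dangling_report(observations: List[Observation]) -> Dict[str, str]:
    """Map every subdomain to its verdict; delete each 'dangling' record."""
    return {o.subdomain: classify(o) for o in observations}
# Constructed sample input: hostnames and response bodies are made up.
SAMPLE = [
    Observation("docs.example.com", "acme-docs.github.io", True,
                "There isn't a GitHub Pages site here."),
    Observation("assets.example.com", "acme-assets.s3.amazonaws.com", True,
                "<Code>NoSuchBucket</Code>"),
    Observation("app.example.com", "acme-app.herokuapp.com", True, "<h1>Hi</h1>"),
    Observation("old.example.com", "retired.some-other-host.net", False),
    Observation("www.example.com", None, True, "<h1>Home</h1>"),
]
```

In a real scan the `Observation` fields would come from DNS lookups and an HTTP fetch of each subdomain; the classification logic stays the same.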
FAQ
How common are subdomain takeovers?
Very — security researchers regularly find vulnerable subdomains on Fortune 500 companies. Any organisation that uses cloud services and doesn't audit DNS is likely exposed.
What do attackers actually do with a taken subdomain?
Phishing pages, malware distribution, credential harvesting — all served under your trusted domain. Some attackers hold them and notify you for a bug bounty.
How do I find my dangling CNAMEs?
Run DomainPreflight Dangling Records — it discovers subdomains via certificate logs and checks each against known takeover fingerprints.
Which services are most commonly exploited?
GitHub Pages, AWS S3, Heroku, Netlify, and Azure are the most common targets.
Is there a responsible disclosure process for subdomain takeovers?
Most companies have a security@ email or bug bounty program. Researchers who find takeovers typically report them before exploiting.