The following was posted by u/eVal64 to Reddit’s r/sysadmin here, and for some reason it was removed by moderators; why, I do not know (from what’s left of the comment thread, perhaps because they think it was written with AI, although the OP admits he used AI for translation).
In any case, this is a highly on-point cautionary tale on the vagaries of domain expirations, whether they’re intentional or not.
I caught the entire post in my email before the mods nuked it. Read it. Internalize everything it says:
Bought an expired startup domain. A few days later, I inherited their AWS Root account.
Hey, I buy expired domains fairly regularly, mostly for SEO projects and occasionally for rebuilding legitimate websites.
A few weeks ago, I picked up a recently expired, high-authority domain that used to belong to a venture-backed startup in the live streaming and interactive video space.
The website had only disappeared a few months ago, but in its prime it had TechCrunch coverage, Product Hunt launches, thousands of backlinks, and a pretty serious online presence.
Like I always do before using an expired domain, I configured a catch-all mailbox to monitor any leftover email traffic.
Usually, it is just forgotten newsletters, random SaaS notifications, API webhooks, or the occasional spam.
This time was different.
The Emails Started Coming In
A few days later, my inbox started filling with AWS Billing notifications.
Then CloudWatch alerts.
Then more AWS emails.
Curiosity got the better of me. I opened the AWS login page, entered what I assumed had been the company’s Root email address, used the account recovery flow, and waited.
The password reset email landed directly in my catch-all mailbox.
A few minutes later, I was logged into the AWS Root account of a company that no longer owned its domain.
It Was Not an Abandoned Account
I honestly expected to find an abandoned account.
Instead, I found an actively running production environment.
The company is still paying for it.
- Last month’s AWS bill: $420.74
- Current month’s forecast: $417.80
That is over $5,000 per year being charged automatically to the same corporate payment method for infrastructure belonging to a company that lost control of its primary domain.
The infrastructure was not just a forgotten EC2 instance either.
It looked exactly like a mid-sized startup production environment that someone simply forgot.
What Was Still Running
The AWS account included:
- Internet-facing Application Load Balancers
- Multiple running EC2 instances
- CloudWatch alarms
- Production networking
- Multiple Security Groups configured for isolated database and bastion access
- Legacy EMR clusters
- Various supporting AWS services still configured
The Real Weak Link Was the Domain
The scary realization was not that AWS had failed.
AWS behaved exactly as designed.
The weak link was the domain.
Once ownership of the domain changed, ownership of the AWS Root account effectively changed with it.
For obvious reasons, I stopped exploring almost immediately.
What I Did Not Do
I did not:
- Access customer data
- Browse S3 buckets
- Mount or inspect EBS volumes
- Modify infrastructure
- Launch resources
- Terminate anything
- Rotate credentials
I gathered only enough information to identify the legal entity responsible for the account.
Responsible Disclosure
Before posting this, I contacted the company using the contact information I was able to identify and offered to securely transfer the AWS account back to them.
I also recommended that they immediately:
- Migrate the Root account to an email address they control
- Rotate credentials
- Review IAM users, roles, and access keys
- Audit all active cloud assets
- Shut down any infrastructure they no longer need
I am currently waiting for their response.
Lessons Learned
If your company is shutting down, being acquired, or even rebranding, do not treat your domain as an afterthought.
Before letting a domain expire, make sure you:
- Move critical accounts away from your primary domain
- Change the AWS Root email before the domain expires
- Rotate credentials
- Audit your cloud assets
- Close accounts you no longer use
- Only then let the domain expire
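The first two checklist items above can be automated as a recurring control. The following is an added example, not code from the original post: it takes the JSON shape returned by `aws organizations list-accounts` (the `Accounts` array with `Id`, `Name` and `Email`) and a reader-maintained inventory of domains the company actually controls with their registration expiry dates, and flags every account whose root email sits on a domain that is unknown, expired or expiring soon. The account list and domain inventory below are constructed sample data.

```python
"""Flag AWS root emails whose domain is not controlled or is about to expire.

Added example, not from the original post. Assumes the account list has the
shape of `aws organizations list-accounts` output and that the domain
inventory is maintained by the reader. All sample data here is constructed.
"""
import json
from datetime import date, timedelta

# Constructed sample in the shape of `aws organizations list-accounts` output.
ACCOUNTS_JSON = json.dumps({
    "Accounts": [
        {"Id": "111111111111", "Name": "prod", "Email": "aws-root@example.com"},
        {"Id": "222222222222", "Name": "legacy-streaming",
         "Email": "ops@old-startup-brand.example"},
        {"Id": "333333333333", "Name": "sandbox",
         "Email": "founder@personal-mail.example"},
    ]
})

# Constructed inventory: domains the company controls -> registration expiry (ISO date).
DOMAIN_EXPIRY = {
    "example.com": "2030-01-01",
    "old-startup-brand.example": "2025-03-01",
}


def email_domain(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()


def audit_root_emails(accounts_json, domain_expiry, today_iso, warn_days=90):
    """Return a list of (account_id, email, reason) tuples that need action.

    A root email is flagged when its domain is not in the controlled inventory,
    has already expired, or expires within warn_days of today_iso.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in json.loads(accounts_json)["Accounts"]:
        domain = email_domain(acct["Email"])
        expiry_iso = domain_expiry.get(domain)
        if expiry_iso is None:
            findings.append((acct["Id"], acct["Email"], "domain not in controlled inventory"))
            continue
        expiry = date.fromisoformat(expiry_iso)
        if expiry <= today:
            findings.append((acct["Id"], acct["Email"], f"domain expired {expiry_iso}"))
        elif expiry - today <= timedelta(days=warn_days):
            findings.append((acct["Id"], acct["Email"], f"domain expires {expiry_iso}"))
    return findings


if __name__ == "__main__":
    for finding in audit_root_emails(ACCOUNTS_JSON, DOMAIN_EXPIRY, date.today().isoformat()):
        print(*finding)
```

Run it on the real `list-accounts` output from a management account and a current registrar export; any finding is an account whose root email must be moved to a controlled domain before the registration lapses.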
Final Thought
Your AWS Root account is only as secure as the domain attached to it.
Lose the domain, and you may end up handing the keys to your entire cloud infrastructure to whoever registers it next.
