Your Domain is Compromised: Emergency Response Guide

Immediate steps to take if you suspect your Shopify domain has been hijacked or compromised.


Signs Your Domain Is Compromised

Act immediately if you notice:

  • Your website displays different content than expected
  • You can’t log into your domain registrar account
  • Customers report being redirected to strange sites
  • You receive domain transfer notifications you didn’t initiate
  • Email to your domain bounces or disappears
  • Your DNS records have changed without your action
  • SSL certificate warnings appear on your site
  • Shopify admin shows domain connection errors

Don’t wait to investigate; start your response immediately.

Immediate Steps (First 15 Minutes)

1. Document Everything

Before making changes, capture evidence:

  • Screenshot the compromised site
  • Save any suspicious emails
  • Note the exact time you noticed the issue
  • Record what your DNS records currently show

2. Contact Your Registrar

Call (don’t just email) your domain registrar’s emergency line:

  • Report the suspected compromise
  • Request an immediate account freeze
  • Ask them to reverse any recent unauthorized changes
  • Request a registry lock if available

3. Secure Your Email

If attackers have access to your email account, they control password resets:

  • Change your email password immediately
  • Enable 2FA if not already active
  • Check for forwarding rules you didn’t create
  • Review recent login activity

4. Change Critical Passwords

Update passwords for:

  • Domain registrar account
  • Shopify admin
  • Email accounts associated with the domain
  • Any connected services (payment processors, apps)

Contacting Your Registrar

What to Have Ready

  • Domain name(s) affected
  • Account email address
  • Account username
  • Recent account activity you authorized
  • Proof of identity (may be requested)

What to Request

  • Immediate account freeze
  • Reversal of unauthorized transfers
  • Restoration of original DNS records
  • Enhanced security (registry lock)
  • Investigation report

Major Registrar Emergency Contacts

Most registrars have phone support for emergencies. Find your registrar’s number before you need it. Log into your account and save their emergency contact information now.

Preserving Evidence

For potential legal action or a UDRP (Uniform Domain-Name Dispute-Resolution Policy) complaint, collect:

Technical Evidence

  • Full DNS record history (request from registrar)
  • WHOIS history (use archive services)
  • Screenshots of the compromised site
  • Email headers of suspicious messages
  • Server logs if accessible

Business Impact Evidence

  • Lost revenue calculations
  • Customer complaints received
  • Support tickets about the issue
  • Marketing campaigns affected

Store Evidence Securely

Use cloud storage with good version history. You may need this months later for legal proceedings.
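
Added example (not part of the original guide): one way to carry out "Record what your DNS records currently show" from step 1 and keep the result as technical evidence. It assumes you saved `dig +noall +answer` output while the domain was healthy; the captures, hostnames and function names below are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample captures in `dig +noall +answer` format (not real data).
BASELINE = """\
example.com. 3600 IN NS ns1.registrar-dns.example.
example.com. 3600 IN NS ns2.registrar-dns.example.
example.com. 300 IN A 203.0.113.10
example.com. 3600 IN MX 10 mail.example.com.
"""
CURRENT = """\
example.com. 60 IN NS ns1.unknown-host.example.
example.com. 60 IN NS ns2.unknown-host.example.
example.com. 60 IN A 198.51.100.77
example.com. 3600 IN MX 10 mail.example.com.
"""

def parse_answers(text):
    """Return {(name, type): set(rdata)} from dig answer lines; TTLs are ignored."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or line.startswith(";"):
            continue  # skip blank lines, dig comments and malformed lines
        name, _ttl, _cls, rtype, rdata = parts
        records.setdefault((name.lower(), rtype.upper()), set()).add(rdata.strip())
    return records

def diff_records(baseline_text, current_text):
    """List record sets that differ between the known-good and current capture."""
    old, new = parse_answers(baseline_text), parse_answers(current_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key, set()), new.get(key, set())
        if before != after:
            changes.append({"name": key[0], "type": key[1],
                            "removed": sorted(before - after),
                            "added": sorted(after - before)})
    return changes

def evidence_entry(domain, raw_capture, observed_at=None):
    """Wrap a raw capture with a UTC timestamp and SHA-256 so later edits are detectable."""
    observed_at = observed_at or datetime.now(timezone.utc)
    return {"domain": domain,
            "observed_at_utc": observed_at.isoformat(),
            "sha256": hashlib.sha256(raw_capture.encode()).hexdigest(),
            "raw": raw_capture}

if __name__ == "__main__":
    print(json.dumps({"changes": diff_records(BASELINE, CURRENT),
                      "evidence": evidence_entry("example.com", CURRENT)}, indent=2))
```

Store the JSON output alongside the screenshots and email headers, and give the list of changed record sets to the registrar when you ask for the original DNS records to be restored.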

Communicating with Customers

Timing

Communicate quickly but accurately. A brief acknowledgment is better than a long delay.

What to Say

  • Acknowledge the issue without speculation
  • Explain what you’re doing to resolve it
  • Warn about any phishing risk
  • Provide alternate contact methods
  • Promise updates as the situation develops

Channels to Use

  • Social media (fastest reach)
  • Alternative email domain if available
  • Text/SMS for high-value customers
  • Temporary landing page if possible

What Not to Say

  • Don’t blame specific parties without evidence
  • Don’t promise exact resolution timelines
  • Don’t speculate about data exposure

Recovery Timeline Expectations

Simple Unauthorized Access

  • Registrar freeze: 1-4 hours
  • DNS restoration: 24-48 hours
  • Full recovery: 2-5 days

Unauthorized Transfer Initiated

  • Transfer cancellation: 24-72 hours (if caught in progress)
  • Domain recovery: 1-4 weeks
  • UDRP if needed: 2-3 months

Domain Held by Attacker

  • Negotiation: Days to weeks
  • UDRP process: 45-60 days
  • Legal action: Months to years

Act fast—the sooner you respond, the easier recovery becomes.

How Recon Helps

Recon helps prevent and respond to domain compromise by:

  • Monitoring for unauthorized DNS changes
  • Alerting you immediately when anomalies are detected
  • Tracking domain registration status
  • Providing documentation useful for recovery

FAQ

Q: Should I pay ransom if attackers demand money?

A: Generally, no. Payment doesn’t guarantee recovery and encourages future attacks. Focus on registrar recovery processes and legal options. Consult law enforcement for guidance on your specific situation.

Q: How long do I have to recover a transferred domain?

A: Most registrars have a 5-day window where transfers can be reversed. After that, recovery becomes much harder. Speed is essential.

Q: Will my SEO be permanently damaged?

A: Temporary downtime causes temporary SEO impact. Once your site is restored with the same content, rankings typically recover within weeks to months. Extended hijacking or malicious content causes more lasting damage.
