Why are top university websites serving porn? It comes down to shoddy housekeeping.

It is not the kind of discovery that makes it into annual reports or institutional strategy documents. But when cybersecurity researchers began cataloguing a pattern of top-tier university websites serving explicit adult content to unsuspecting visitors — not through any breach of their core systems, but through a housekeeping failure so mundane it almost defies belief — the incident became one of the more instructive case studies in digital governance to emerge this year. The universities involved include institutions ranked among the top fifty globally. The content they were inadvertently hosting has nothing to do with academic research. And the root cause is a DNS record that someone forgot to clean up.

The mechanism is a well-documented but persistently underexploited attack known as subdomain takeover, sometimes referred to as CNAME hijacking. It works like this: a university IT department creates a subdomain, say events.university.edu or alumni.university.edu, and points it via a CNAME DNS record to a third-party hosting platform, perhaps a cloud service, a website builder, or a student project hosting environment. Time passes. The project ends, the subscription lapses, or the platform account is closed, and the platform releases the hostname the CNAME pointed to. The university’s DNS record, however, remains in place, still pointing at the now-released external resource. From the outside the tell-tale sign is that the CNAME target no longer resolves (or the platform answers with its “no such site” page) while the university name still points to it. At that point, anyone can register the same resource on the external platform and immediately take control of a subdomain that carries the university’s trusted domain name. Because the attacker now controls what that hostname serves, they can also obtain a valid TLS certificate for it through ordinary domain validation, so visitors see exactly the padlock they would expect from a legitimate university page.

Researchers at Dublin-based security consultancy Meridian Digital mapped the problem across the top 200 universities by global ranking, scanning for dangling CNAME records pointing to unclaimed resources on seventeen popular hosting platforms. They found 847 such records across 112 institutions. Of those, 64 had already been claimed by third parties — in most cases, operators of adult content platforms, grey-market pharmaceutical sites, or gambling operations who had systematically scanned for and registered the abandoned hosting resources. “This is not a sophisticated attack,” said Ciarán O’Brien, lead researcher at Meridian Digital. “It requires no hacking skill whatsoever. You are simply registering an account on a hosting platform and uploading content. The university’s own DNS system does the rest.”

The reputational implications are significant and immediate. A visitor who types a university URL into their browser, sees a valid HTTPS padlock, and is served inappropriate content experiences an association between that content and the institution that is difficult to undo. Search engines that index these subdomains may penalise the parent domain’s search rankings, particularly as Google’s quality systems have become more sophisticated in detecting and demoting domains associated with manipulative or low-quality content. Email security systems that evaluate sender reputation based on domain health may flag legitimate university communications. And in several of the cases identified by Meridian Digital, the adult content operators had configured the hijacked subdomains to display phishing forms collecting personal information, leveraging the institutional trust of the university’s domain to lower victims’ defences.

The universities’ response to notification has varied considerably. Some institutions acted within hours, removing the offending DNS records and auditing their broader DNS estate. Others took weeks, apparently hampered by internal bureaucracy, unclear ownership of DNS management responsibilities, or the challenge of locating staff with the authority and technical knowledge to make changes to production DNS zones. Several did not respond to researcher notifications at all, and their subdomains remained compromised at the time of publication. “DNS is one of those infrastructure layers that everyone relies on and almost nobody actively manages,” said Dr. Fatima Al-Rashid, who leads the digital governance programme at the Gulf University for Technology and Innovation. “Organisations accumulate DNS records over decades, across multiple departments, often with no centralised inventory. When someone leaves or a project ends, the records just… persist.”

The problem is by no means unique to universities. Any organisation that has operated a web presence for more than a few years and used multiple cloud services, third-party platforms, or project-specific subdomains is likely to have accumulated orphaned DNS records. The difference is that universities tend to operate unusually large and decentralised DNS estates, with departments, research groups, student organisations, and administrative units all potentially having created subdomains over the years. Some of the institutions affected had DNS records pointing to platforms that no longer exist as active businesses — a particularly troubling finding, as it suggests the records have been unclaimed and potentially exploitable for years.

The remediation process is straightforward in principle: conduct a complete audit of all DNS records, verify that every CNAME resolves to a currently active resource bound to an account the organisation controls, and remove (or repoint) any record that cannot be verified. A CNAME whose target returns NXDOMAIN is the clearest signal. A target that still resolves to a third-party platform needs a second check, that the platform account behind it still belongs to the organisation, because a hostname that is live but controlled by someone else is a takeover that has already happened and looks identical to legitimate hosting from DNS alone. Tools exist to automate this scan, including open-source utilities and commercial DNS security platforms that continuously monitor for dangling records. Several cloud providers, including those most commonly implicated in subdomain takeovers, have added controls such as requiring a proof-of-ownership TXT record on the domain before a custom hostname can be attached to an account, but these controls are imperfect and not universally implemented.
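The audit described above, and the chain-following that exposes the mechanism from the earlier section, can be expressed in a few dozen lines. The following is an added example and not code from the article or from Meridian Digital: every hostname, platform suffix and record in it is constructed, and the resolver is a dictionary standing in for real DNS queries. In production you would replace `sample_lookup` with a function that issues real CNAME and A queries (for instance with the dnspython library) and feed it the owner names exported from your zone.

```python
"""Dangling-CNAME audit over a DNS zone snapshot (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed zone snapshot (hypothetical names). Each owner maps to one RR:
# ("CNAME", target) or ("A", address). Names missing from the table answer
# NXDOMAIN, which is exactly what a released third-party resource looks like.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "www.example-university.edu.": ("A", "203.0.113.10"),
    "library.example-university.edu.": ("CNAME", "catalog.lib.example-university.edu."),
    "catalog.lib.example-university.edu.": ("A", "203.0.113.20"),
    # Subscription lapsed: the platform deleted the site but the CNAME stayed.
    "events.example-university.edu.": ("CNAME", "events-site.ghost-pages.example."),
    # Still live on a third-party platform: confirm the account is ours, don't delete.
    "alumni.example-university.edu.": ("CNAME", "alumni-app.cloudhost.example."),
    "alumni-app.cloudhost.example.": ("A", "198.51.100.7"),
    # Misconfigured pair that would spin a naive chain-follower forever.
    "loop-a.example-university.edu.": ("CNAME", "loop-b.example-university.edu."),
    "loop-b.example-university.edu.": ("CNAME", "loop-a.example-university.edu."),
}

# Hypothetical hosting platforms on which any account holder can claim a hostname.
CLAIMABLE_SUFFIXES: Tuple[str, ...] = ("ghost-pages.example.", "cloudhost.example.")

Lookup = Callable[[str], Optional[Tuple[str, str]]]


def canonical(name: str) -> str:
    """Normalise to lower-case, fully qualified form so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def sample_lookup(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in resolver: None means NXDOMAIN. Swap in a real DNS client here."""
    return SAMPLE_RECORDS.get(canonical(name))


@dataclass
class Finding:
    owner: str
    status: str  # ok | dangling | third-party | loop | nxdomain
    chain: List[str] = field(default_factory=list)


def follow_cname(name: str, lookup: Lookup, max_hops: int = 8) -> Finding:
    """Walk the CNAME chain from `name` and classify where it ends."""
    chain = [canonical(name)]
    while len(chain) <= max_hops:
        rr = lookup(chain[-1])
        if rr is None:
            # Either the owner itself is missing, or the last CNAME target has
            # vanished. The latter is the takeover candidate: re-registering the
            # target on the platform hands the attacker the university hostname.
            return Finding(chain[0], "dangling" if len(chain) > 1 else "nxdomain", chain)
        rtype, rdata = rr
        if rtype != "CNAME":
            # Chain resolved. If it passed through a claimable platform it is not
            # dangling today, but the account behind it must still be ours.
            hosted = any(hop.endswith(s) for hop in chain[1:] for s in CLAIMABLE_SUFFIXES)
            return Finding(chain[0], "third-party" if hosted else "ok", chain)
        target = canonical(rdata)
        if target in chain:
            return Finding(chain[0], "loop", chain + [target])
        chain.append(target)
    return Finding(chain[0], "loop", chain)  # exceeded max_hops: treat as broken


def university_names(records: Dict[str, Tuple[str, str]] = SAMPLE_RECORDS,
                     apex: str = "example-university.edu.") -> List[str]:
    """Owner names under our apex, i.e. the names we are responsible for."""
    return [n for n in records if n.endswith("." + canonical(apex))]


def audit_zone(owners: Iterable[str], lookup: Lookup = sample_lookup) -> Dict[str, Finding]:
    """Classify every owner name; act on 'dangling' first, then verify 'third-party'."""
    return {canonical(o): follow_cname(o, lookup) for o in owners}


if __name__ == "__main__":
    for owner, f in sorted(audit_zone(university_names()).items()):
        print(f"{f.status:12} {owner:40} {' -> '.join(f.chain)}")
```

The two statuses that need a human are different in kind: `dangling` means the record should be deleted or repointed today, while `third-party` means someone must confirm, on the platform's side, that the account the hostname is attached to is still the institution's. Running the chain-follower with a hop limit and loop detection matters in practice, because decades-old zones contain CNAME loops and very long chains that will hang a naive scanner.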

For technology and operations leaders, the episode is an argument for treating DNS management as an active security function rather than a set-and-forget infrastructure task. DNS records should be included in offboarding checklists when services are decommissioned, in vendor management processes when third-party platform relationships end, and in regular security audits alongside more headline-grabbing vulnerability assessments. The attack surface exposed by a forgotten CNAME record may seem trivial compared to a zero-day kernel vulnerability. The reputational and operational damage, as these universities are discovering, is anything but trivial.
