There's very little information about subdomain hijacking targeted towards SEOs, so here's my experience and how I've integrated subdomain checks into my technical SEO audits.

The Story

A couple of days into being promoted into a purely technical SEO role, I received this email: “Your site is being affected by a manual action – hacked content detected.”

I rushed over to the Manual Action section on Search Console and it was saying that christmas.client.co.uk was under attack! A Christmas subdomain? I asked my manager and he had no idea what the notice meant, so it was up to me to sort.

Luckily, the client was responsive, and we had the issue resolved in a couple of hours. But as SEOs we're not always this lucky. What could I do to prevent this happening again?

What actually happened

Subdomain takeovers happen when a subdomain is pointing to an external service like GitHub Pages or Heroku, but the service is no longer active. This creates a “dangling” DNS entry. If someone else sets up a project on that service and claims your subdomain, they now control it.

Our client had set up an “advent calendar” campaign seven years ago. It was forgotten, shut down, and left vulnerable. A hacker found it and decided to make a quick buck utilising the free promotion and backlinks for their new casino site.

What SEOs need to know

Ultimately, nobody is expecting you to be a cybersecurity expert, but taken-over subdomains can cause manual actions and hurt all your hard work. A large proportion of security issues are legacy—set up by "someone, sometime ago."

How does Google treat subdomains?

Technically, Google sees subdomains as separate websites with separate crawl budgets and authority. However, associations provide signals. If your main website is linking back to a hijacked, spammy subdomain, you are essentially legitimising it in Google's eyes.

Investigation

How to find subdomains

As part of my audits I use ViewDNS or DNSDumpster. If your client has a huge amount of subdomains, it is likely that many are expired or legacy assets that need auditing.

How to find what subdomains are hosted on

I use WhatCMS and Google's public DNS tool DIG on the affected subdomain. (Note: Do not visit the hacked link directly in your browser).

How to check if subdomains are vulnerable

I recommend checking your subdomains against the list maintained by security researchers on GitHub. Platforms to be particularly wary of include AWS (S3/Beanstalk), GitHub Pages, Heroku, Shopify, and Azure.

Case Studies

EY / Ernst and Young - 17/07/2025

A hijacked EY.com subdomain confirmed that the asset was hosted on Microsoft Azure. The company created a subdomain, pointed it to an Azure service, and later deleted the service but forgot to remove the DNS record. A hacker simply registered a new Azure app using the same name and "inherited" control of the trusted domain name.