Problem
During a routine infrastructure check, the team discovered unauthorized DNS modifications across the production domain portfolio. Investigation revealed a full account compromise — an attacker had gained access through an API key that had been left exposed in a decommissioned integration.
The scope was significant: 100+ production domains used for campaign landing pages, tracking redirects, and VSL hosting. Every domain was potentially affected. Campaigns were live, spending real money, and any extended downtime would mean direct revenue loss.
System
The response was technical and systematic, not reactive.
Audit log analysis identified the exact scope of the compromise — which domains were modified, when, and through which API endpoint. This prevented the team from guessing at scope and allowed prioritized restoration.
Bulk domain restoration was designed to restore DNS records without re-exposing the compromised API key. Rather than using the API (which the attacker had accessed), records were restored manually through a new account — slower but secure.
Credential audit traced the leaked key back to its source: a third-party integration that had been decommissioned but whose API credentials were never rotated. The exposure vector was sealed, and a credential management protocol was implemented to prevent recurrence.
Zero-downtime maintenance of live campaigns throughout. Campaign tracking continued functioning while restoration proceeded domain by domain, prioritized by traffic volume.
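One way to do the audit-log scoping and traffic-ordered restoration described above, as an added example rather than the team's own tooling. The log schema, key IDs, domains and traffic figures are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample audit log (JSON lines). Field names are assumptions,
# not any real DNS provider's schema.
AUDIT_LOG = """\
{"ts": "2024-01-10T02:14:07Z", "key_id": "key-legacy", "endpoint": "/dns/records", "action": "update", "domain": "offer-a.example", "record": "A"}
{"ts": "2024-01-10T02:15:30Z", "key_id": "key-legacy", "endpoint": "/dns/records", "action": "update", "domain": "track-c.example", "record": "CNAME"}
{"ts": "2024-01-10T02:20:00Z", "key_id": "key-ops", "endpoint": "/dns/records", "action": "update", "domain": "offer-b.example", "record": "TXT"}
{"ts": "2024-01-10T02:25:11Z", "key_id": "key-legacy", "endpoint": "/dns/records", "action": "list", "domain": "offer-b.example", "record": "A"}
{"ts": "2024-01-10T02:31:44Z", "key_id": "key-legacy", "endpoint": "/dns/bulk", "action": "delete", "domain": "offer-a.example", "record": "MX"}
not-json
"""
# Constructed daily visit counts, used only to order the restoration queue.
TRAFFIC = {"offer-a.example": 12000, "offer-b.example": 30000, "track-c.example": 48000}
WRITE_ACTIONS = {"create", "update", "delete"}

def scope_compromise(log_text, suspect_key):
    """Return {domain: [events]} for DNS writes made with the suspect key."""
    affected = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scoping run
        if (isinstance(ev, dict) and ev.get("key_id") == suspect_key
                and ev.get("action") in WRITE_ACTIONS and "domain" in ev):
            affected[ev["domain"]].append(ev)
    return dict(affected)

def restoration_plan(affected, traffic):
    """Summarise each affected domain and order by traffic, highest first."""
    plan = []
    for domain, events in affected.items():
        times = sorted(e.get("ts", "") for e in events)  # same-format ISO 8601 sorts as text
        plan.append({
            "domain": domain,
            "traffic": traffic.get(domain, 0),
            "first_change": times[0],
            "last_change": times[-1],
            "endpoints": sorted({e.get("endpoint", "") for e in events}),
            "records": sorted({e.get("record", "") for e in events}),
        })
    return sorted(plan, key=lambda p: (-p["traffic"], p["domain"]))

if __name__ == "__main__":
    for row in restoration_plan(scope_compromise(AUDIT_LOG, "key-legacy"), TRAFFIC):
        print(row)
```

Read-only calls made with the suspect key are deliberately left out of the restoration queue here, since they changed no records.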
Outcome
The breach was contained within 24 hours. Zero campaign revenue was lost. The credential management gap that allowed the breach was identified and sealed.
More importantly, the incident produced a reusable security audit playbook: how to scope a DNS compromise, how to restore at scale without re-exposure, and what credential hygiene practices prevent recurrence. Infrastructure security isn’t just about prevention — it’s about having the technical capability to respond when prevention fails.