Identity, DevOps, Supply chain, Email security

PyPI unverifies 1,800 emails with expired domains to prevent attacks

Starting in early June 2025, the Python Package Index (PyPI) has unverified 1,800 email addresses with expired domains in an effort to prevent account takeovers, PyPI admins announced Monday.

PyPI warned that attackers could potentially register expired domains, create mail servers and email addresses matching those used by the previous owners, and leverage these email addresses to request passwords resets, leading to account takeovers.

This type of attack previously affected PyPI in 2022, when an attacker registered the expired domain of the maintainer of the ctx package, successfully reset the maintainer’s account password, and replaced the package with a malicious version that harvested AWS credentials and other secrets.

To prevent further account compromises and potential supply chain threats, PyPI began unverifying email addresses with expired domains in early June 2025. The affected accounts are not deleted but will not be able to perform password resets or receive other important account information through the expired email address unless a further account recovery is performed to re-verify the user.

The verification purge specifically affects accounts with domains that have not been renewed 30 days after expiration, as prior to this, ICANN’s Expired Registration Recovery Policy places domains in a “Renewal Grace Period” or “Redemption Period” during which an expired domain could still be recovered by the owner.

PyPI uses the Status API of Domainr, a service provided by Fastly, to check for email domain status changes daily and take action on emails with expired domains that have passed this 30-day period.

Users are recommended to add a second verified email address from a service such as Gmail to their account if they currently only have one verified email address from a custom domain. They also warned that the unverification process is “not foolproof” for preventing account takeovers if an attacker is able to complete the full account recovery process.

“During a PyPI account recovery, PyPI may ask for other proofs, often via other services under the user’s control. If the same email address is used on those other services, the recovery could appear legitimate,” PyPI Admin, Safety & Security Engineer Mike Fiedler wrote.

Therefore, users are recommended to enable two-factor authentication (2FA) on all of their accounts to help prevent account takeovers across services.

PyPI noted that users with any activity after January 1, 2024, have already been required to enable 2FA on their PyPI accounts, providing further protection from account takeover.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Basic AuthenticationBring Your Own Device (BYOD)Certificate-Based AuthenticationChallenge-Handshake Authentication Protocol (CHAP)Digest AuthenticationDigital CertificateDiscretionary Access Control (DAC)Email SpoofingPost Office Protocol, Version 3 (POP3)Spam

You can skip this ad in 5 seconds