Preventing domain-resurrection attacks (PyPI blog)
The Python Package Index (PyPI) has announced that it is now checking for expired domains to try to prevent domain-resurrection attacks. In this type of attack, a malicious user buys an expired domain and uses it to take over an account by resetting the password associated with the email used with PyPI. Since June, PyPI has unverified more than 1,800 email addresses after their associated domains entered expiration phases.
After an initial bulk check period that took place in April 2025, PyPI will check daily for status changes on any domains in use, and update its internal database with the most recent status.
If a domain registration enters the redemption period, PyPI treats that as an indicator that previously verified email destinations on that domain may no longer be trusted, and un-verifies the previously-verified email address. PyPI will not issue a password reset request to addresses that have become unverified.
PyPI recommends that users add a second verified email address "from another notable domain (e.g. Gmail)" to their account, if they do not have one already.
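The daily reconciliation described above, and the reason a second verified address on another domain keeps a password-reset path open, as an added example written for this summary. It is not PyPI's code: the status lookup is a stub fed constructed data, the status strings mirror the EPP/RDAP registration states ("redemption period", "pending delete") rather than any particular API's output, and the domain extraction is deliberately naive (real code would use the Public Suffix List).

```python
"""Added illustration of domain-status reconciliation for verified e-mails.

Not PyPI's implementation. `lookup_domain_status` is a stub over constructed
sample data so the example runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Registration states in which the original registrant no longer controls the
# domain and a third party may soon (or already can) re-register it. Assumed
# set for this example; mail to such a domain is treated as untrusted.
UNTRUSTED_STATUSES = {"redemption period", "pending delete", "expired"}

# Constructed sample of what a status API might report per domain today.
SAMPLE_STATUS: Dict[str, Set[str]] = {
    "example.com": {"active"},
    "gmail.com": {"active"},
    "lapsed-example.org": {"redemption period"},
    "gone-example.net": {"pending delete"},
    # Was in redemption on an earlier run and has since been re-registered by
    # someone else: "active" again, which is exactly the resurrection case.
    "resurrected-example.io": {"active"},
}


def lookup_domain_status(domain: str) -> Set[str]:
    """Stub for a registration-status lookup (hypothetical, offline)."""
    return SAMPLE_STATUS.get(domain, {"unknown"})


@dataclass
class EmailAddress:
    address: str
    verified: bool
    unverify_reason: Optional[str] = None


@dataclass
class Account:
    username: str
    emails: List[EmailAddress]


def registrable_domain(address: str) -> str:
    """Naive: the lower-cased part after the last '@'. Real code uses the PSL."""
    return address.rsplit("@", 1)[1].lower()


def reconcile(accounts: List[Account],
              lookup: Callable[[str], Set[str]] = lookup_domain_status
              ) -> List[Tuple[str, str]]:
    """Daily job: un-verify addresses whose domain entered an untrusted state.

    Addresses that are already unverified are left alone even if their domain
    is "active" again: a domain coming back to life is no proof that the same
    person controls it, so re-verification must come from the user.
    Returns the (username, address) pairs un-verified in this run.
    """
    changed: List[Tuple[str, str]] = []
    for acct in accounts:
        for email in acct.emails:
            if not email.verified:
                continue
            statuses = {s.lower() for s in lookup(registrable_domain(email.address))}
            bad = UNTRUSTED_STATUSES & statuses
            if bad:
                email.verified = False
                email.unverify_reason = sorted(bad)[0]
                changed.append((acct.username, email.address))
    return changed


def can_send_password_reset(account: Account, address: str) -> bool:
    """Deliver a reset only to an address that is verified right now."""
    for email in account.emails:
        if email.address.lower() == address.lower():
            return email.verified
    return False


def build_sample_accounts() -> List[Account]:
    """Constructed accounts: carol's .io address was un-verified on a prior run."""
    return [
        Account("alice", [EmailAddress("alice@example.com", True),
                          EmailAddress("alice@lapsed-example.org", True)]),
        Account("bob", [EmailAddress("bob@gone-example.net", True)]),
        Account("carol", [EmailAddress("carol@resurrected-example.io", False,
                                       "redemption period"),
                          EmailAddress("carol@gmail.com", True)]),
    ]


if __name__ == "__main__":
    accts = build_sample_accounts()
    for user, addr in reconcile(accts):
        print(f"un-verified {addr} on account {user}")
    for acct in accts:
        for e in acct.emails:
            print(acct.username, e.address, "reset allowed:",
                  can_send_password_reset(acct, e.address))
```

Bob ends the run with no verified address at all and therefore no self-service reset, which is the situation the recommendation to keep a second verified address on an unrelated domain is meant to avoid; carol's Gmail address still works even though her other domain was resurrected.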