My domain got abused on GitHub Pages

This story hit the internet like a slow-motion tech horror clip: one developer came back from traveling with weak internet to discover that random scam pages had apparently moved into part of his website address while he was away. The site owner thought he was just sending his whole address over to GitHub Pages, a free service for hosting simple websites. Instead, because he had set things up too broadly, strangers were able to claim sub-pages under his domain and use them for shady junk like slot-machine scams. The real gut punch? He only found out because Google emailed him about a “new owner.”<br><br>But the comments absolutely stole the show. One camp was sympathetic but blunt: GitHub should make people prove they own a web address before letting them use it. As one commenter basically put it, “why not just require a TXT record,” which is internet-speak for a simple ownership check. The other camp came in with full tough-love energy: this is on you, boss. Several commenters roasted the setup, saying that sending every sub-page to a platform you don’t control and assuming it would “probably check” was practically an engraved invitation for abuse.<br><br>The mood was half cautionary tale, half comment-section pile-on. One person claimed this kind of weakness has been known for around a decade, which made the whole thing feel less like a shocking new exploit and more like the internet equivalent of leaving your front door wide open. Brutal? Yes. Useful? Also yes.