In early 2020, PeduliLindungi became a very notable name in Indonesia. It was more than just an app. It served as a digital gatekeeper during the COVID-19 pandemic, helping the government to manage contact tracing, vaccination records, and mobility restrictions.
Fast forward to 2025, and the same domain, pedulilindungi.com, briefly redirected visitors to an online gambling site.
Understandably, this caused confusion and concern. Was the site hacked? Was personal data exposed? And more importantly, how could this happen to a platform that once held the health data of millions?
The answer is not as dramatic as a data breach, but it is equally alarming: the domain had simply expired and someone else purchased it.
The Transition from PeduliLindungi to SatuSehat
In 2023, Indonesia’s Ministry of Health officially migrated its digital health services from PeduliLindungi to a new platform called SatuSehat. After the transition, the domain pedulilindungi.com was no longer maintained under government control.
“From March 2023, PeduliLindungi became SatuSehat. All management, including the website, is no longer handled by the Ministry,” said Aji Muhawarman, Head of the Public Communication Bureau at the Ministry of Health (Tempo, 2025).
Telkom Indonesia, which had managed the technical infrastructure, also confirmed that ownership of the domain was relinquished on 28 March 2024, returning it to the domain registrar (Detik.com, 2025).
This allowed the domain to be publicly available for anyone to purchase, which is likely how it ended up being used by an online gambling site.
What Happens When a Domain Expires?
Website domains, like rental properties, operate on a fixed timeline. When you register a domain, it’s yours for a set period (typically one to two years). But if that registration isn't renewed by the time it expires, the domain doesn't just vanish. Instead, it enters a multi-stage process before being released back to the open market.
Here's how that process typically unfolds:
1. Renewal Grace Period
This is the initial phase after the domain expires. It usually lasts 30 to 40 days, depending on the domain registrar, and during this window the original owner can still renew the domain at the regular cost. During this time, the domain may be temporarily disabled or redirected to a generic holding page.
2. Redemption Period
If the domain isn’t renewed during the grace period, it moves into what’s known as the redemption phase. At this stage, the domain is no longer active, and recovering it becomes more complicated and expensive. The original owner can still reclaim the domain, but typically must pay a significantly higher redemption fee, sometimes 10 times the original cost.
3. Pending Deletion
Once the redemption period ends and the domain still hasn’t been renewed, it enters the final pre-deletion phase. This lasts about 5 to 7 days, during which the domain is locked from any further changes or recovery attempts. After this, it’s deleted from the registry.
4. Available for Registration
Once deleted, the domain becomes available for anyone to purchase, first come, first served. For well-known domains or those with high traffic potential, domain hunters, scammers, or opportunistic businesses are often quick to snatch them up.
That’s likely what happened in the PeduliLindungi case. After the domain was officially retired and no longer renewed, it was picked up by a third party who redirected it to an online gambling website. It wasn’t a system hack or data breach; it was the result of an expired asset falling into the wrong hands.
This event sparked public backlash and confusion, prompting government intervention. The Ministry of Communication and Digital swiftly responded by blocking access to the site after confirming that it had been hijacked and was hosting illegal content.
“This clearly violates national digital safety regulations,” said Alexander Sabar, Director General of Digital Space Monitoring (Kompas, 2025).
This scenario is a vivid reminder of how critical digital asset management is, especially for domains with established trust and visibility. Letting a domain expire can be the digital equivalent of leaving the front door wide open, inviting misuse, brand damage, and public risk.
What About the Data? Understanding the Real Risk
Technically speaking, a domain name is just an address while the actual data lives on the servers connected to it. When a domain expires and is acquired by someone else, they don’t automatically gain access to the old server or the personal data stored there, especially if those systems have been properly shut down, wiped, or migrated, as was the case when PeduliLindungi transitioned to SatuSehat.
So if data doesn’t come with the domain, what’s the big deal?
The real danger lies in phishing and social engineering, not direct data leaks. For example:
1. Residual Trust and Brand Familiarity
People recognize pedulilindungi.com. They used it regularly during the pandemic, sometimes multiple times a day. That kind of brand memory doesn’t fade easily. If users see an email, a pop-up, or a link from that domain, there's a high chance they’ll assume it’s still legitimate, especially if they’re unaware of the domain’s expiration or transition.
A cybercriminal or scammer can easily exploit this residual trust to:
Send fake vaccination updates
Request “account reactivation”
Prompt password resets or data verification
Deliver malicious links masked as health reminders
Even if the site doesn’t host actual malicious software, the psychological trick is often enough to fool users into voluntarily handing over sensitive information.
2. Spear Phishing Potential
Imagine a scammer sends personalized emails pretending to be from PeduliLindungi using the same domain. Because the sender address still shows pedulilindungi.com, the average person may believe it’s legitimate, especially older users or those less digitally literate.
If users attempt to log in using old credentials (perhaps reused across platforms), attackers could collect those inputs for use in credential stuffing attacks. This is especially dangerous in countries where people often reuse the same email-password combinations across services, including financial and work-related accounts.
The hijacked domain could also be made to look like an official portal again, complete with health-related forms, downloads, or payment requests. These spoofed services can collect personal data, credit card information, or even distribute malware through fake “health certificates” or “app updates.”
These are only some of the possible risks. In short, the biggest risk isn’t what’s left in the domain. It’s how much trust the public still places in it, and how that trust can be weaponized by cyber criminals.
A Broader Lesson in Digital Asset Management
The PeduliLindungi case highlights more than a forgotten domain. It underscores the importance of cyber hygiene and responsible asset management, especially for high-profile platforms with large user bases.
Organizations of all sizes should take these actions seriously:
Maintain control over key domains, even after rebranding or migration
Monitor domain expiry dates and renewal cycles
Establish clear offboarding strategies for decommissioned digital platforms
Proactively educate users about new official websites or channels
Neglecting digital assets can lead to confusion, reputational damage, or worse, exploitation by bad actors.
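To make "monitor domain expiry dates and renewal cycles" concrete, the following added example (not code from any registrar or from the organizations named above) places each domain in an inventory on the expiry stages described earlier and flags those that need action. It assumes the inventory holds RDAP-style domain objects; the domain names, dates, `warn_days` threshold and the 30-day redemption length are constructed for illustration.

```python
from datetime import datetime

GRACE_DAYS = 30          # article: 30 to 40 days, registrar-dependent
REDEMPTION_DAYS = 30     # assumption: the article gives no length for this phase
PENDING_DELETE_DAYS = 5  # article: about 5 to 7 days

def expiry_of(rdap):
    """Return the 'expiration' event of an RDAP domain object as a datetime."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    raise ValueError("RDAP object has no expiration event")

def lifecycle_stage(rdap, now):
    """Map a domain onto the expiry stages listed in the article."""
    status = {s.lower() for s in rdap.get("status", [])}
    if "pending delete" in status:       # registry-reported state wins over dates
        return "pending-deletion"
    if "redemption period" in status:
        return "redemption"
    days_past = (now - expiry_of(rdap)).days  # negative while still registered
    if days_past < 0:
        return "active"
    if days_past <= GRACE_DAYS:
        return "grace"
    if days_past <= GRACE_DAYS + REDEMPTION_DAYS:
        return "redemption"
    if days_past <= GRACE_DAYS + REDEMPTION_DAYS + PENDING_DELETE_DAYS:
        return "pending-deletion"
    return "available"                   # date-only estimate

def audit(rdap, now, warn_days=60):
    """Return findings for one domain; an empty list means nothing to act on."""
    findings, stage = [], lifecycle_stage(rdap, now)
    if stage != "active":
        findings.append(f"expired: {stage}")
    elif (days_left := (expiry_of(rdap) - now).days) <= warn_days:
        findings.append(f"expires in {days_left} days")
    # "client transfer prohibited" is the RDAP status a registrar transfer lock shows as.
    if "client transfer prohibited" not in [s.lower() for s in rdap.get("status", [])]:
        findings.append("transfer lock not set")
    return findings

# Constructed inventory in RDAP shape (names and dates are made up).
NOW = datetime.fromisoformat("2025-06-01T00:00:00+00:00")
def _dom(name, expires, status):  # build a minimal RDAP-shaped object
    return {"ldhName": name, "status": status, "events": [{"eventAction": "expiration", "eventDate": expires}]}
SAMPLES = [_dom("current-portal.example", "2025-07-15T00:00:00Z", ["client transfer prohibited"]),
           _dom("legacy-portal.example", "2025-05-20T00:00:00Z", ["active"]),
           _dom("retired-app.example", "2025-03-01T00:00:00Z", ["redemption period"])]
```

Retired and rebranded domains belong in the same inventory as live ones, since those are the ones most likely to lapse unnoticed.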
Conclusion
PeduliLindungi served an important role during the pandemic, helping safeguard public health during a critical time. Even after its lifecycle ended, its digital identity retained meaning and trust.
This incident shows that expired domains are more than technical leftovers. They represent a lingering trust that can be easily exploited if not properly managed. And this lesson does not apply only to governments. Businesses, nonprofits, and other organizations must also consider domain lifecycle management as part of their cybersecurity posture.
If you're managing any digital service (especially those with public-facing websites or high user traffic) securing your domain is not optional.
With NEO Domain by our strategic partner, Biznet Gio, you can easily register or transfer a wide range of domain extensions with added security features like Registrar Lock, ensuring your domain stays protected from unauthorized changes. Officially registered under the Internet Corporation for Assigned Names and Numbers (ICANN) and Pengelola Nama Domain Internet Indonesia (PANDI), Biznet Gio provides a seamless interface that integrates with their other services for efficient domain and cloud management.
Don’t wait until your domain becomes someone else’s asset. Check out NEO Domain and take control of your digital identity today.
At Cisometric, we believe digital safety starts with awareness. Follow us for more updates on cybersecurity incidents, tips to protect your digital assets, and practical insights to strengthen your organization’s online defenses.