Mine is. And it's all 2FA'd up. That was a part of the "Take Responsibility for your Own Stuff: For Dummies" guide I followed.
I imagine it would be easier to socially engineer a cellphone store employee and get a SIM to do an SMS-based password reset for a Google/Microsoft/Apple email account than it would be to hijack my domain.