Occasionally, unique subdomains are built for special business and technology needs. When alternative techniques are adopted or services are discontinued, these sites may still remain open and active at the hosted ISP site. As a best practice, companies should also ensure they discontinue the subdomain at the same time the special support needs change.

http://www.computerworld.com/article/2838218/abandoned-subdomains-pose-a-security-risk-for-businesses.html

Many companies set up subdomains for use with external services, but then forget to disable them when they stop using those services, creating a loophole for attackers to exploit. Because many service providers don’t properly validate the ownership of subdomains pointed at their servers, attackers can set up new accounts and abuse subdomains forgotten by companies by claiming them as their own.

Removing or updating DNS entries for subdomains that are no longer actively used sounds like something that should be common procedure, but according to researchers from Detectify, a Stockholm-based provider of website security scanning services, this type of oversight is actually quite widespread among companies. “We’ve also identified at least 200 organizations which are currently affected,” the researchers said. “In many cases, we are talking NASDAQ-listed, top 100 Alexa rank domains that basically allowed us to set up a Hello World on their domains.”

The risk to website owners depends on what can be done on a third-party service once a domain is pointed to it. If the service allows users to set up Web pages or Web redirects, attackers could exploit the situation to launch credible phishing attacks by creating rogue copies of the main website.
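One way to find the forgotten DNS entries described above is to audit your own zone export for CNAME records that point at an external service you no longer hold an account with. The sketch below is an added example, not code from the article or from Detectify; the zone excerpt, the host names and the inventory of active services are all constructed assumptions.

```python
# Added example: flag CNAMEs in a zone export that point at external
# services missing from the organization's inventory of active accounts.
# All names, records and the inventory below are constructed.

ZONE_ORIGIN = "example.com."

# Constructed BIND-style zone excerpt.
ZONE_TEXT = """\
www        3600 IN A     192.0.2.10
shop       3600 IN CNAME shops.saas-store.example.
help       3600 IN CNAME acme.helpdesk-host.example.
promo2014  3600 IN CNAME acme-promo.landing-pages.example.
blog       3600 IN CNAME www
; status   3600 IN CNAME acme.status-host.example.
"""

# Constructed inventory: external targets still backed by a live account.
ACTIVE_EXTERNAL_TARGETS = {"shops.saas-store.example."}


def fqdn(name, origin=ZONE_ORIGIN):
    """Expand a relative zone name to a fully qualified, lower-case name."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_cnames(zone_text):
    """Yield (owner, target) for every CNAME record, skipping comments."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "CNAME" in fields:
            idx = fields.index("CNAME")
            if idx >= 1 and idx + 1 < len(fields):
                yield fqdn(fields[0]), fqdn(fields[idx + 1])


def stale_external_cnames(zone_text, active_targets, origin=ZONE_ORIGIN):
    """Return CNAMEs that leave the zone and target a service not in the inventory."""
    stale = []
    for owner, target in parse_cnames(zone_text):
        internal = target == origin or target.endswith("." + origin)
        if not internal and target not in active_targets:
            stale.append((owner, target))
    return stale


if __name__ == "__main__":
    for owner, target in stale_external_cnames(ZONE_TEXT, ACTIVE_EXTERNAL_TARGETS):
        print(f"review/remove: {owner} -> {target}")
```

Each flagged record is a candidate for removal or repointing in the same change that retires the external service.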