A founder lets the domain of a former venture expire. The domain is bought by a stranger. The recovery emails for accounts set up in the founding years still point to that domain. The stranger now receives every password reset link the founder triggers in error, and can trigger their own.
The pattern is more common than it should be. People register a recovery address that suits the moment, then move on. Years later the account is still in active use; the recovery address is in the hands of a third party. The vulnerability is silent until exploited.
The risk is not limited to obviously high-value accounts. The recovery chain often runs through more than one address. A reset link delivered to a defunct address can in turn be used to reset another address that controls a current account. The chain is only as strong as the address at the end of it.
The remedy is modest: an audit of the recovery routes on every account of consequence, down to the simple act of confirming that each address in the chain still belongs to the holder. It is rarely done; it is rarely difficult.
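One way to carry out that audit, as an added example rather than anything from the original text: follow each account's recovery address to the next, as far as the chain goes, and flag any link on a domain the holder no longer controls. The inventory and the list of controlled domains are constructed sample data; whether a domain is still registered to the holder is assumed to be known and supplied by hand.

```python
"""Audit recovery-address chains for an inventory of accounts (added example)."""
from collections import namedtuple

# Constructed sample inventory: account -> recovery address (None if none is set).
INVENTORY = {
    "founder@current-company.example": "me@old-venture.example",
    "me@old-venture.example": "founder.personal@freemail.example",
    "founder.personal@freemail.example": "founder@current-company.example",
    "bank-login": "founder@current-company.example",
    "registrar-login": "ops@old-venture.example",
    "photos-login": None,
}

# Domains the holder still controls (constructed). Any other domain is suspect.
CONTROLLED_DOMAINS = {"current-company.example", "freemail.example"}

Finding = namedtuple("Finding", "account chain weak_link")


def domain_of(address):
    """Return the domain part of an email address, or None for a bare login name."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else None


def recovery_chain(account, inventory):
    """Follow recovery addresses from account until the chain ends or loops."""
    chain, seen = [account], {account}
    nxt = inventory.get(account)
    while nxt and nxt not in seen:
        chain.append(nxt)
        seen.add(nxt)
        nxt = inventory.get(nxt)
    return chain


def audit(inventory, controlled_domains):
    """Return one Finding per account whose chain touches an uncontrolled domain.

    The first weak link found is reported; whoever holds that domain can take
    every account further up the chain, so one is enough to act on.
    """
    findings = []
    for account in inventory:
        chain = recovery_chain(account, inventory)
        for addr in chain:
            dom = domain_of(addr)
            if dom and dom not in controlled_domains:
                findings.append(Finding(account, chain, addr))
                break
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, CONTROLLED_DOMAINS):
        print(f"{f.account}: weak link {f.weak_link} via {' -> '.join(f.chain)}")
```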