Recently, I was developing a small project for one of my clients. I also assisted him with the branding and found a good .com domain name. My client wanted to own the associated social media profiles too. The problem was that the Twitter username was already taken. I had no hope of acquiring the Twitter account and informed my client about it.
Usually, when I buy a new domain name, I set up wildcard email forwarding so that I don't miss any important information. This way every incoming message to *@domain.com is sent to my address. So, I did this forwarding setup for the project domain too.
In the following days, I noticed that some random and unexpected Twitter email notifications started to appear in my inbox. Initially, I ignored them, but after a week I began paying attention to why I was receiving these emails. I had only one intention: to unsubscribe from the notification emails that were flooding my inbox.
Holy grail! I discovered that Twitter was sending these notification emails to a specific email address on the domain I had recently bought. Here's a screenshot:
I quickly navigated to twitter.com and tried to reset the account by entering the email address Twitter was sending the email notifications to. Guess what... it worked.
I gained access to an active Twitter account that I had thought was impossible to get:
I decided to keep this Twitter account. I was feeling some guilt for such unethical hijacking, but since I had bought the domain name, I now had a right to claim this Twitter account too. This claim is strengthened by the fact that this guy has not tweeted for 7 years, so I guess the project he was intending to develop didn't work out and he abandoned the domain name.
Moral of the story: be careful when setting up accounts with an email address that uses a custom domain name. You may forget to renew it, and that's where you might become a victim. Someone who buys a recently abandoned domain and goes through the popular Internet services and social media accounts, hoping to reset their passwords, may successfully hijack your account.