Besides being a communication channel, email is required to sign up for most online services.
People often change jobs and end up with multiple user accounts on these services, and the old accounts are frequently abandoned. Online services usually rely on a single factor to reset passwords: if the password is forgotten, control of the registered email address alone may be enough to regain access to the account.
So whoever gains control over the domain and sets up a basic email service can capture password reset emails sent to addresses at that domain.
By taking full control over abandoned domain names that formerly belonged to legal practices, the researcher claims to have accessed:
- confidential documents of the former clients;
- confidential documents of the former practice;
- confidential email correspondence;
- personal information of former clients.
Further, he claims that the research showed it would be possible to:
- impersonate legal practitioners to defraud former clients and fellow practitioners;
- regain access to the former legal practices' Office 365 and G Suite accounts, potentially gaining access to any email and documents not deleted from the platforms;
- hijack personal user accounts, such as LinkedIn and Facebook, of the legal professionals practising in their new jobs.
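The defensive counterpart to the reset-email problem described above is knowing which accounts still depend on a recovery address at a domain the organisation no longer holds. The following audit is an added example, not code from the research or any vendor; the domain names, inventory and the `stub_lookup` stand-in for registry (RDAP/WHOIS) data are constructed.

```python
# Added example: flag accounts whose password-reset address lives at a domain
# the organisation has let lapse, lost to a third party, or is about to lose.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

@dataclass
class DomainRecord:
    registered: bool          # False -> anyone can register it right now
    expires: Optional[date]   # registry expiry date, if known
    controlled: bool          # True if the registrar account is ours

# Constructed stand-in for RDAP/WHOIS answers (hypothetical domains).
DOMAIN_DB: Dict[str, DomainRecord] = {
    "current-firm.example": DomainRecord(True, date(2026, 3, 1), True),
    "old-partners.example": DomainRecord(False, None, False),           # lapsed
    "merged-away.example":  DomainRecord(True, date(2025, 12, 1), False),  # held by someone else
    "soon-lapsing.example": DomainRecord(True, date(2025, 7, 15), True),
}
AUDIT_DATE = date(2025, 6, 1)   # constructed "today" for a reproducible run

def stub_lookup(domain: str) -> Optional[DomainRecord]:
    return DOMAIN_DB.get(domain)

def classify(recovery_email: str, today: date,
             lookup: Callable[[str], Optional[DomainRecord]], warn_days: int = 60) -> str:
    """Risk class for one account's password-reset address."""
    domain = recovery_email.rsplit("@", 1)[-1].lower()
    rec = lookup(domain)
    if rec is None or not rec.registered:
        return "LAPSED"     # reset mail can be captured by whoever registers the domain
    if not rec.controlled:
        return "FOREIGN"    # registered, but not by us: treat the account as exposed
    if rec.expires and (rec.expires - today).days <= warn_days:
        return "EXPIRING"   # still ours, but it joins the classes above without renewal
    return "OK"

def audit(accounts: Dict[str, str], today: date, lookup=stub_lookup) -> Dict[str, List[str]]:
    """Group account ids by risk class; OK accounts are omitted."""
    findings: Dict[str, List[str]] = {}
    for account, email in accounts.items():
        cls = classify(email, today, lookup)
        if cls != "OK":
            findings.setdefault(cls, []).append(account)
    return findings

def run_demo() -> Dict[str, List[str]]:
    inventory = {   # constructed: service account -> recovery address
        "o365-tenant-admin": "admin@old-partners.example",
        "docs-platform": "it@merged-away.example",
        "linkedin-j.smith": "j.smith@current-firm.example",
        "gsuite-billing": "billing@soon-lapsing.example",
    }
    return audit(inventory, AUDIT_DATE)

if __name__ == "__main__":
    for cls, ids in sorted(run_demo().items()):
        print(cls, ids)
```

Running it against a real inventory means replacing `stub_lookup` with a live registry query and reviewing every LAPSED or FOREIGN hit for accounts that need their recovery address changed or a second reset factor enforced.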