Startup necromancy: Dead Google Apps domains can be compromised by new owners

A researcher demonstrated that buying expired startup domains that still have active Google Workspace/OAuth configurations can allow an attacker to re-create Google accounts for former employees and access linked third-party services (Slack, ChatGPT, Zoom, HR systems), exposing sensitive documents and communications; the root cause is poor account and domain lifecycle management by startups.