Comment by jeroenhd
4 days ago
> If you take over a domain, you automatically own every email address in that domain, and thus whatever external account relies on that email for login
Actually, if both sides implement OIDC+OAuth2 correctly, you don't. The subject claim (`sub`) of the attached Google account doesn't get reused when a new owner re-registers the domain with Google.
The article claims that the supposedly immutable `sub` field changes too often, though, and that would be a problem Google needs to fix. The source is an unnamed developer mentioned at https://youtu.be/yIutY_X2FcU?t=20617 who encounters issues with custom domain users, with the `sub` field changing weekly in some cases.
Sure, you can create new accounts when you take over a domain and even fake all the old accounts if you have a list somewhere, but you shouldn't be able to access all of the accounts authenticated with OIDC unless you break into the Google Workspace account.
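The point the comment makes, that a relying party must identify a user by the issuer plus `sub` pair and never by the email address alone, as an added Python example that is not part of the comment or of any Google code. The ID token claims and the account store are constructed; `AccountStore` and `resolve_login` are hypothetical names, and the example also covers the domain-takeover case where a recreated mailbox arrives with a different `sub`.

```python
from dataclasses import dataclass, field
from typing import Optional

# Issuer value Google places in the `iss` claim of its ID tokens.
GOOGLE_ISS = "https://accounts.google.com"


@dataclass
class Account:
    iss: str
    sub: str
    email: str
    hd: Optional[str]  # Workspace hosted-domain claim, if present


@dataclass
class AccountStore:
    """Constructed in-memory store; a real RP would back this with a database."""
    by_subject: dict = field(default_factory=dict)  # (iss, sub) -> Account
    by_email: dict = field(default_factory=dict)    # email -> Account

    def add(self, acct: Account) -> None:
        self.by_subject[(acct.iss, acct.sub)] = acct
        if acct.email:
            self.by_email[acct.email.lower()] = acct


def resolve_login(store: AccountStore, claims: dict):
    """Return ('login', acct), ('new', acct) or ('conflict', existing).

    Only (iss, sub) identifies a user. If the email already belongs to an
    account with a different sub (e.g. the domain was re-registered and the
    new owner recreated the mailbox), the implicit link is refused and the
    caller must re-verify ownership out of band instead of logging them in.
    Assumes the token signature, audience and expiry were already verified.
    """
    if claims.get("iss") != GOOGLE_ISS or not claims.get("sub"):
        raise ValueError("unexpected issuer or missing sub claim")
    # Never use an unverified email for matching; treat it as absent.
    email = claims.get("email", "").lower() if claims.get("email_verified") else ""
    key = (claims["iss"], claims["sub"])
    existing = store.by_subject.get(key)
    if existing is not None:
        return ("login", existing)          # same subject: normal login
    other = store.by_email.get(email) if email else None
    if other is not None and (other.iss, other.sub) != key:
        return ("conflict", other)          # same email, different subject
    acct = Account(claims["iss"], claims["sub"], email, claims.get("hd"))
    store.add(acct)
    return ("new", acct)
```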