A vulnerability in Google OAuth allows attackers to access accounts of defunct organizations through abandoned domains.