After reading this title, most of you will think that it is just another sensational claim. Sorry, but you are wrong. This is a fully functional and recreable method from the comfort of your homes. It won't make you rich, but maybe will help DISCLAIMER: Blackhat involved. PHASE ONE: 1. We need a Moz Pro account. They are always offering trial periods, so this doesn’t cost us a penny. Remember, a debit / credit card will be used to verify the account. 2. Once the account is created in Moz Pro, sign up into FollowerWonk, the Moz application that we’ll enjoy for free aswell. 3. Once we have access to the tool, let's start with the magic. To do this, we will use the search profiles function for our first phase: Is better to initialize (give a value) some of these parameters, because for some reason, they are not properly filtered. We’ll use Following: 100, Followers: 50000, Tweets: 100 And in the URL search box, we’ll type “com”. 4. Get the report and wait about 30 minutes or so. Then you’ll be able to download the full XLS into your desktop. 5. Depending on your computer age, working with the resulting Excel (xls) file can be a nuisance, so I'll use Google Docs to work with the data (don’t worry, we are not giving more tracks tan usual to Google). 6. Create a new spreadsheet and import the file. We'll proceed by sorting by number of followers, and we’ll delete those rows that do not interest us (if any) -sometimes the generated file is a bit messy- 7. Proceed to sort by the "Last Tweet" column the resulting sheet. Immediately afterwards we’ll filter or delete all those rows whose latest tweet was published in the previous three months from today. 8. Now we have a list of potential Twitter users who had left their own account. The interesting part begins. 9. Copy all the rows in the URL column and clean them. I use Scrapebox, but you can use any text manipulation tool. A tool serving for this purpose is this: textmechanic .co a. The procedure is simple: we will remove all URLs containing "Facebook", "Twitter", "Tumblr", "Blogger," "Blogspot". (Not essential, but it helps) b. In the next step we would leave only the domain itself (trim to root), remove duplicates, and remove the prefix “http: //” and/or “https: //”. PHASE TWO: Right now we have a list of domains that we know fulfill two conditions: 1. They have been used in Twitter profiles with a lot of followers. Maybe some of these domains have interesting profiles to be used with a PBN. 2. The domains were linked into Twitter accounts that people stopped using months ago. What does this mean? That for whatever reason, there are people who have been forced to stop their business, their promotion, their fan club or whatever. It is likely that those who have been forced to stop their social activity, have done the same with the domain renewal. It's time to see if our theory is true. To do this, we’ll use the Bulk Domain Search from GoDaddy. We can check a maximum of 500 domains at once, so you’ll need to Split the list. After passing through the GoDaddy tool we'll find some available. Now comes the social engineering part. We could check one by one these domains, but in my experience, usually we are only interested in one type: Belongs to a business name and / or a product. Why? Because it's not uncommon at all that a company use a corporate domain based account to manage their social networks. It’s the best way to preserve the property against possible withdrawals of workers, layoffs, etc. And we will take advantage of it. We have a few candidates for our next step, for obvious reasons the exact domain will not be published, but say it was without doubt an investments related domain. Then we will take advantage of the big culprit that makes this process possible: the Twitter password recovery system. I would have loved to send it to their bug hunter program, but years ago I reported several bugs and they didn’t even reply. Shame on them Now we must work energetically using our great divination skills. When you try to recover a password in Twitter, the system gives you clues about what kind of mail was used. This is revealing, as it’s very easy to see if there are big possibilities that the Twitter account was created with the domain we are testing. Twitter allows you to "try" with about 5 different usernames in the same session. So maybe you'll need either proxies or VPN to make checks with ease. In this particular case (remember this is a transcription from my blog, no images here ), there is no place to doubt, it shows an email like: *** at W ********* but with the added twist that the number of asterisks correspond with real characters. That is, we have a domain of 10 letters starting with 'W' and Twitter offers us a email recovery with 10 letters ('W' plus 9 asterisks). White and in a bottle. At this point, we’ll play the little bird lottery. We’ll proceed to register the domain on GoDaddy. Use any coupons that circulate on the Internet. (right now, less than a dollar) And now the real magic begins: once we registered our domain, we’ll go to “My Account” section to set up a new email account in forwarding mode. What does this mean? Any mail arriving at the info at domainwehavejustregistered address, we’ll forward it to the address we want (our particular Gmail for example) If someone has come this far, maybe you're thinking, but how do I know what the prefix of the email address was? Because guessing the domain was not complicated, but what about the name? This is where the magic of the Catch-All appears. It collects all e-mails without a proper destination. That is, imagine that someone makes a mistake and write an email to infp at domain instead of info at domain The catch-all is used to avoid emails getting lost in the digital limbo, and that is our master stroke here. Thanks to this, we don’t need to know the exact email being used. Create a ‘info’ at newdomain email account and make it catch-all to redirect every single email. Then we’ll wait a few minutes and will check that everything is in order by sending an email to our new address. If it arrives, we are ready for our final step. This is when we cross fingers and press the "Continue" button. If all goes as expected, we will receive in our mail a link with the information to change the password. And not only that, now we can also see the exact original address that was used. Why do we want this? Well, use your imagination, maybe they used that email with other providers That was a long post! I hope I didn't leave anything out, the antispam system hates me... lol I have been out of business for a few years, I got an stupid accident and now I'm trying to get back into the game again. But maybe this will help someone here Btw, English is not my mother tongue, please be merciful PD: The original (spanish) version is at franjuice dot com. With screenshots and stuff, if someone needs them. Happy hunting!