Problem statement
Some of our users have been verified with “@gmai.com” (not “@gmail.com”) email address.
We suspect “@gmai.com” is typo for “@gmail.com” and the users don’t own that email addresses.
However, based on the fact that the users are verified, we think that the owner of “gmai.com” domain have received verification emails and accessed the verification URL in them.
We are concerned about the situation since the “gmai.com” owner could take over the users.
Our users are signing up with the good-old email/password scheme.
No “Sign up with Google,” no SSO.
Solution
Delete the users with the incorrect domain (E.g. gmai.com).
Also, you can set a pre-registration Action using the “event.user” object (Actions Triggers: pre-user-registration - Event Object ) to set a conditional to avoid creating users with the incorrect domain.