How I Accidentally Deleted My Medium Account While Hacking Medium (Oops)


Vivek PS

I’ve been a bug bounty hunter for a while, uncovering bugs for platforms like Facebook and Microsoft. With over 600 followers on Medium, I’ve written extensively about these findings. But this time, I found myself on the other side of things — discovering a bug in Medium itself, only to accidentally nuke my own account in the process. Yes, you read that right. Let me explain.

It started off with something I noticed one lazy evening. Like many of you, I love reading articles on Medium. But as a non-paying user, I quickly hit that infamous paywall. Now, Medium lets new users read one free article as a “welcome” gesture, so I thought, “Could there be a loophole here?” Turns out, there was.

Here’s the gist of the bug: Medium allows you to create an account, read one article, and if you delete your account, you can just repeat the process with the same email using Google OAuth. In theory, you shouldn’t be able to reuse the same email after deletion, but a sneaky loophole allows you to sidestep this by creating a new account after going through the OAuth flow. Same email, different username, and boom — more free articles.

Naturally, I wanted to automate this process (as any bug hunter would). So, I fired up Power Automate to handle the repetitive work: create account, read article, delete account, rinse, repeat. But this is where my tragicomedy of errors began.

In my haste to make this automation bulletproof, I made a tiny (huge) mistake. I mixed up the credentials for my test accounts with my real one, and the automation did its thing — except this time, instead of deleting a fake account, it deleted my real Medium account. That’s right. Goodbye 600+ followers, bug bounty articles, and everything I had worked so hard to build.

I’ll admit, I sat there in stunned silence for a good minute, followed by a few choice words I won’t repeat here.

In the end, this story serves as both a bug report and a cautionary tale: always double-check your scripts before running them on real accounts. Oh, and Medium — you might want to fix that little bug.
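One way a service could close the delete-and-re-register loop described above, shown as an added sketch that is not from the original post and is not Medium's code. `SignupService`, `identity_keys`, `replay`, the pepper and the sample identities are all hypothetical or constructed; the model keeps a keyed hash of the email and OAuth subject once the welcome read is consumed, so deleting the account does not reset it.

```python
import hashlib
import hmac

PEPPER = b"constructed-demo-pepper"  # constructed secret; a real one lives in a KMS

def identity_keys(email, oauth_sub):
    """Keyed hashes of the stable identifiers, so no plaintext PII is retained."""
    mac = lambda v: hmac.new(PEPPER, v.encode(), hashlib.sha256).hexdigest()
    return mac("email:" + email.strip().lower()), mac("sub:" + oauth_sub)

class SignupService:
    """Toy in-memory model of signup, one welcome read, and account deletion."""
    def __init__(self, remember_used):
        self.remember_used = remember_used  # False models the loophole
        self.accounts = {}                  # username -> account record
        self.used_welcome = set()           # hashes that already spent the free read

    def register(self, username, email, oauth_sub):
        keys = identity_keys(email, oauth_sub)
        seen = any(k in self.used_welcome for k in keys)
        self.accounts[username] = {"keys": keys, "free_reads": 0 if seen else 1}

    def read_paywalled(self, username):
        acct = self.accounts[username]
        if acct["free_reads"] < 1:
            return False
        acct["free_reads"] -= 1
        if self.remember_used:
            self.used_welcome.update(acct["keys"])
        return True

    def delete(self, username):
        # The profile is removed; only the hashed record in used_welcome survives.
        del self.accounts[username]

def replay(service):
    """Same identity, new username each round: register, read, delete."""
    emails = ["reader@example.com", "Reader@Example.com", " reader@example.com "]
    granted = 0
    for i, email in enumerate(emails):
        name = f"user{i}"
        service.register(name, email, "constructed-oauth-sub-123")
        granted += service.read_paywalled(name)
        service.delete(name)
    return granted
```

`replay(SignupService(remember_used=False))` grants the welcome read on every round, while the `remember_used=True` variant grants it once even though the username changes and the email casing varies.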
