• Skull giver@popplesburger.hilciferous.nl
    9 months ago

    They can’t access old account data, but they can impersonate the accounts.

    The ActivityPub spec does not tell you how to deal with “domain changes owner” situations. I believe Mastodon caches an actor’s key in perpetuity (and thus only allows the very first owner of a domain to set up an ActivityPub service), but there’s no guarantee other servers do the same.

    If the new owners set up a server, complete with valid TLS certificate, they can host their own Mastodon with a list of account names that they can scrape from cached toots elsewhere, and start using those for propaganda. Some services will refuse the new messages because they cached the old keys, but undoubtedly others will accept them. Things become extra fun when those servers start boosting/replying to the toots with embedded content.

    The users aren’t in danger, but there’s a risk other servers will be spammed in their old names.

    What doesn’t help is that Mastodon’s migration feature only implements a redirect, so if they take over the domain before the server has updated all the other servers (i.e. due to high load or downtime on another server), the account ends up unredirectable.

    This doesn’t need to be malicious, either; admin@example.com can simply let their domain expire, and if the new owner decides to also create an admin@example.com then all kinds of ActivityPub hell will break loose.

    We need better standards for this, so domain takeovers can’t result in account impersonation, but domains can also be transferred to someone else without locking them out of ActivityPub forever.
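The key-caching behaviour the comment describes, as an added illustration that is not part of the original post: a receiving inbox that pins each actor’s key on first sight rejects and flags activities from a new domain owner, while a naive inbox that just verifies against whatever key the (now hostile) actor document advertises accepts them. Signatures are simulated with a hash stand-in rather than real RSA HTTP signatures, and the actor URLs and keys are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

def fingerprint(key_pem: str) -> str:
    """Short identifier for a public key (hash of its PEM text)."""
    return hashlib.sha256(key_pem.encode()).hexdigest()[:16]

def fake_sign(key_pem: str, body: str) -> str:
    # Stand-in for a real HTTP signature; only the pinning policy matters here.
    return hashlib.sha256((key_pem + body).encode()).hexdigest()

@dataclass
class Activity:
    actor: str       # actor id, e.g. https://example.com/users/admin
    key_pem: str     # public key advertised in the sender's actor document
    body: str
    signature: str

class NaiveInbox:
    """Verifies against whatever key the remote actor document currently serves."""
    def receive(self, act: Activity) -> str:
        ok = fake_sign(act.key_pem, act.body) == act.signature
        return "accepted" if ok else "rejected:bad-signature"

@dataclass
class PinningInbox:
    """Trust-on-first-use: remembers the first key seen for each actor forever."""
    pins: dict = field(default_factory=dict)    # actor -> fingerprint
    alerts: list = field(default_factory=list)  # what an admin would review

    def receive(self, act: Activity) -> str:
        if fake_sign(act.key_pem, act.body) != act.signature:
            return "rejected:bad-signature"
        fp = fingerprint(act.key_pem)
        pinned = self.pins.setdefault(act.actor, fp)
        if pinned != fp:
            self.alerts.append(f"{act.actor}: key changed {pinned} -> {fp}")
            return "rejected:key-mismatch"
        return "accepted"

def run_takeover_scenario():
    """Original owner posts once; the domain's new owner reuses the same actor id."""
    actor, old_key, new_key = "https://example.com/users/admin", "OLD-KEY-PEM", "NEW-KEY-PEM"
    first = Activity(actor, old_key, "hello fediverse", fake_sign(old_key, "hello fediverse"))
    later = Activity(actor, new_key, "propaganda", fake_sign(new_key, "propaganda"))
    naive, pinning = NaiveInbox(), PinningInbox()
    return {
        "naive": [naive.receive(first), naive.receive(later)],
        "pinning": [pinning.receive(first), pinning.receive(later)],
        "alerts": pinning.alerts,
    }
```

The pinning inbox also shows the downside the comment raises: a legitimate new owner of the domain is locked out for as long as the pin lives, which is why the author asks for a standard way to express an ownership change.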