DEV Community

Cover image for From €1.99 to Direct Contact With Montenegro’s Ex-President: a Security Story
Alexander Nadrilyanski
Alexander Nadrilyanski

Posted on

From €1.99 to Direct Contact With Montenegro’s Ex-President: a Security Story

#security #privacy #email #awareness

The old email service that marked the internet in Montenegro.

The email domain @t-com.me is one of the oldest email services used by internet users in Montenegro. The service was launched by Montenegrin Telekom (part of the Deutsche Telekom Group) in the early years of internet development in the region, when ISP providers often assigned their users an email address along with their internet connection.

During the 2000s and early 2010s, addresses with the @t-com.me domain were widely used – both among private users and among business and public figures. In practice, this domain represented one of the first widespread email platforms in Montenegro, similar to the services offered by national telecom operators in other countries in the region.

At the end of 2025 and the beginning of 2026, Montenegrin Telekom informed users that it was planning a major change to the WebMax email service, through the transition to a new, commercial version of the system.

The notification received by users states that the new WebMax service will bring:

  • more space for storing email messages
  • improved data protection
  • additional email management functionalities

However, one of the key changes was that email would no longer be free like before.

Users have been informed that they must activate one of the new email packages by March 20, 2026, in order to retain their existing address and access to messages. Otherwise, as stated in the FAQ section on the official Telekom website, their account would be deactivated and no longer accessible.

Telekom also recommended that users, if they do not plan to continue using the service, download their email data in a timely manner using clients such as Microsoft Outlook or Mozilla Thunderbird.

This transition marked the end of a long period in which @t-com.me was the standard email address for a large number of users in Montenegro.

It was this system change in early 2026 that raised the question of what happens to old email addresses that users no longer use — and whether they could pose a potential security risk.

Getting started — checking email address availability.

On February 23, 2026, while browsing the web page about the new WebMax email system on the Montenegrin Telekom’s website, I came across a page where users can activate a package for an existing @t-com.me address or register a new one.

On that page, there is a simple input to check the availability of a username. The user enters the desired username, and the system immediately reports whether the email address is available.

Given that the @t-com.me domain has been one of the most used email services in Montenegro for years, out of pure curiosity I started checking out different usernames.

First I tested generic names like:

  • finansije (finances)
  • director (director)

The system responded to all of them with the message:

Email address not available.

A screenshot showing on the first step that the desired email address is not available.

A screenshot showing on the first step that the desired email address is not available.

One thing immediately caught my eye — there was no limit to the number of checks. There was no CAPTCHA protection or rate-limit mechanism to prevent automated checking of a large number of email addresses.

Idea: what if I try the “president”?

At one point, it occurred to me to try the username predsjednik(president).

Such a username is very attractive, and an address of this type could previously be found in various public documents, institutional websites, or old contact pages.

I entered: “predsjednik”(president).

Clicked on check availability.

The system responded:

Email address is available.

A screenshot showing on the first step that the desired email address is available.

A screenshot showing on the first step that the desired email address is available.

That surprised me.

Email account registration.

After that, I continued with the registration.

The system guided me through the standard steps:

  • choice of email subscription plan
  • entering personal data
  • creating a password
  • choice of payment method

Since I already use Montenegrin Telekom's internet service, I chose the option to have the email subscription plan charged through my existing monthly bill.

The process was completed without problems.

Step 2: Choosing the right plan for my email.

Step 2: Choosing the right plan for my email.

In the end, I received a message that the registration was successful and that I needed to wait approximately 24 hours for the system to activate the account.

Issues: email doesn't work, but I am getting charged.

After 24 hours had passed, I tried to log in to the new email account.

I was getting the message:

Wrong username or password.

I tried again the following days — same result.

I did not receive any registration confirmation or additional information from Telekom to my private email address that I left when registering.

I almost forgot about the whole thing.

Until 4th of March, when I received my monthly bill for home internet.

I noticed on my bill that I was charged €0.42 for the “Mailbox L Subscription” service, prorated for several days of use.

Details from my monthly home broadband bill showing the charge for the ‘Mailbox L’ subscription plan.

Details from my monthly home broadband bill showing the charge for the ‘Mailbox L’ subscription plan.

In other words — I was charged for the service, even though I couldn't log in to the email.

Getting in touch with the support.

This is when I contacted the Live Chat support on the Montenegrin Telekom’s website.

I explained the situation:

  • email was registered on 23rd of February
  • the service has been charged
  • but I can't log in to my account

The support agent asked me what email it was.

I replied: predsjednik@t-com.me

After a brief check, I received information that the order was active in the system and that the payment had been made proportionally.

However, the login still didn't work.

After about twenty minutes of communication, the agent suggested that I should try again — but the problem remained the same.

At one point, the agent asked me to send my password so they could check the problem.

This is, to put it mildly, an unusual practice from a security perspective, as serious services never ask users to share their password.

I sent the password, though.

After checking, the agent told me that the password was invalid and asked me to send a new one that must contain:

  • capital letter
  • small letter
  • number
  • exclamation mark

I simply replied that they should generate the password for me.

The agent then sent me a new password — which didn't even contain the exclamation mark they had previously listed as a requirement.

With that password I finally managed to log in.

Something is clearly wrong.

After logging in, I noticed something strange.

The 1000 MB mailbox was already 39.29% full. Please note that the plan I chose “Mailbox L” should have 10 GB* of space.

At first I thought it was spam messages.

But when I looked at the dates, I saw emails dating back to April 2021.

Upon reviewing the content, it became clear that these were not random messages.

Email communication was conducted between various institutions, individuals and the address predsjednik@t-com.me.

From the content of the messages, it was obvious that this was an email account used by the former President of Montenegro – Filip Vujanović.

The inbox contained various types of communication, including:

  • correspondence with institutions
  • official communication
  • financial documents

It was clear that this was a real and previously used email account.

A sneak peek at one of the emails related to the monthly bank account statement of the former President of Montenegro.

Why this is a serious security flaw?

This situation is a classic example of a problem known in cybersecurity as a “recycled email address” — when an old email address is reassigned to a new user, while the previous digital traces remain active.

In practice, this can have serious consequences.

Many internet services use email as a primary user identifier, but also as a password reset mechanism. If a new person gains access to an old email address, they could potentially:

  • receive reset links for social networks
  • access cloud services
  • receive banking information
  • read private or business communications

In my case, an additional problem was that the old inbox content had apparently not been deleted, so after logging in I could see emails that were more than two years old.

This means that the new owner could not only receive new messages — they also had access to old communications.

From a security perspective, this is a serious flaw in the way the transition of the old WebMax’s Telekom system was implemented.

What can happen in practice?

If this type of system continues to be used without additional safeguards, the potential scenarios could be serious.

For example:

  • a person can register the email address of a former public official
  • gain access to new communication that continues to arrive at that address
  • try resetting passwords for related services

An even bigger problem is that many users may not even be aware that their email has been deactivated, especially if they only use it occasionally.

This means that someone might only realize months later that they no longer have access to their old account — while in the meantime someone else has already registered the same address.

Conclusion.

Changing the business model of an email service is not unusual in itself. However, the way existing email addresses and their content are managed must be implemented with strict security standards.

In this case, the process allowed for just a few euros to register an email address that previously belonged to the former President of Montenegro, Filip Vujanović — with access to the existing inbox content.

This example shows how important it is for companies to pay attention to: when migrating or commercializing email services.

  • user privacy protection
  • proper deletion of old data
  • preventing reassignment of sensitive email addresses

Because in the digital world, even a small technical error can have major consequences.

Finally, all of this shows that, although Telekom has its own expert team, sometimes a dose of basic logic in the system design could be useful. Switching to paid subscription model is a self-explanatory business move, but the way they set up availability checks and migration of old accounts gives the impression that someone overlooked obvious problems — such as old inboxes remaining full and addresses being reassigned without adequate protection. I hope this story will be a small reminder that IT expertise is not only about knowing the technology, but also using common sense.

Unexpected Outcome: A Response from the Former President.

After realizing the recycled email address I registered had previously been used by former Montenegrin president Filip Vujanović, I decided to contact him directly and explain the situation.

I outlined how the account was created, the security implications of recycled email addresses, and made it clear that no data was accessed beyond confirming the issue.

He replied shortly after, confirming that he had contacted Montenegrin Telekom’s and requested the old email be permanently disabled to prevent any potential misuse.

Not a bad ending for a €1.99 security test — a confirmed systemic flaw, a public write‑up, and a direct response from a former president.

Top comments (0)