You could probably just redirect all emails to @gmail.com, and most users would be none the wiser. Then you'd be able to trivially do password resets on any accounts that were created with the typo domain.
They were sent to you, you have a right to sell them (so long as you're in a one-party-consent state when it comes to recording). You're up to snuff law-wise.