
Ask HN: Have you had any old Gmail addresses hijacked? - kapnobatairza
Recently, I tried to login to one of my older gmail accounts and discovered that the password had been changed very recently. Since these were old accounts I had not used in years, they did not have 2FA enabled. However, they did have very strong randomly generated 20+ char passwords with uppercase&#x2F;lowercase&#x2F;numbers&#x2F;symbols. These passwords were stored on a password bank that was not compromised, and I don&#x27;t even know these passwords by memory. I&#x27;m not the type to fall for phishing scams and I try to keep my systems secure, but I had not even used those passwords in over a year, so there is no possibility that I somehow exposed them sometime in the past month.<p>The recovery email for these accounts was NOT hijacked. He simply changed the passwords and recovery email and then he subsequently enabled 2FA himself.<p>However, these old emails were set to automatically forward to one of my new addresses and the hijacker forgot to disable that feature. What I&#x27;ve found is he started to use one of the emails for his own &quot;business&quot;. Apparently he makes a living procuring YouTube, Gmail and Twitter handles for people. Judging from these emails, he is quite successful at doing so for YouTube &#x2F; Gmail handles where 2FA is not enabled.<p>I realize that enabling 2FA is a must these days, but I find it troubling that this character seems to be able to hijack these accounts so easily. Especially when those accounts are inactive and without the use of phishing or a keylogger. Anyone have any clue how this is possible?<p>Also a PSA: If you haven&#x27;t enabled 2FA on any old accounts you might care about, go do that now.
======
rasx
One of my old Gmail addresses was hijacked by Google. They wouldn't let me in
and I have neither a phone number nor a recovery email associated with it. The
password is not changed, it's just the Google's notion of "security." And they
wouldn't let you opt out of it when creating a new account.

