
Google hacked account - hmoghnie
Despite Google boasting of hiring the best engineers, their system gives us mortals hope that our applications are not so bad after all.
Let me explain the pain I am going through to recover my hacked Gmail account.
First, there is no way to talk to someone, their responses are canned, and to top it off, they send you to a link to submit a password request.

So far not a problem, but the email you get back after sending the password reset request contains a link to a page that allows you to cancel the request (not sure who the genius was who had this idea).
Now that the email is hacked, the hacker can read the emails and click to cancel the recovery process. And the vicious cycle continues.

What to do?
======
andybak
Try posting to Hacker News in the hope someone with some authority deigns to
intervene. It helps if you are a high-profile blogger or known industry luminary.

The prospects for the rest of us are fairly bleak.

~~~
fixermark
> The prospects for the rest of us are fairly bleak

Mostly because if changing ownership of a Gmail account were as simple as
"Post to Hacker News and complain," it'd be an obvious and exploitable
security gap.

~~~
JacobEdelman
That idea, if extended, could be rather entertaining.

"White House Gov Account Hacked, Please Help"

------
sombremesa
If they are automatically clicking these links you may be able to spoof an
E-mail that looks similar to the password reset request but have the cancel
link actually log them out.

Going to this URL logs you out on Gmail:
[https://accounts.google.com/Logout?service=mail&continue=htt...](https://accounts.google.com/Logout?service=mail&continue=https://mail.google.com/mail&hl=en)

This might not work, but it's probably worth a try.

~~~
umurkontaci
It did work for me when I clicked from here on HN!

~~~
Aissen
Yes, and this can be done in a CSRF attack on a web page like superlogout.com
(don't go there if you don't want to be logged out of 20+ websites).
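
The logout URL above works from a third-party page because it is a plain GET that takes effect on the strength of the session cookie alone, which is exactly the shape a CSRF needs. As an added illustration (not the commenters' code, and not Google's), here is a toy session store with a GET logout handler beside a hardened one that demands a POST carrying a session-bound CSRF token; the request shapes and the session store are constructed for the example.

```python
"""Added example: logout reachable by GET (CSRF-able) vs. POST + session-bound
CSRF token. Toy in-memory session store; not the code of any real provider."""
import hmac
import secrets


def new_session(store, user):
    """Create a session; the CSRF token is random and tied to this session only."""
    sid = secrets.token_hex(16)
    store[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def logout_via_get(store, request):
    """Vulnerable: any request that carries the session cookie ends the session.
    A cross-site <img src=...>, <iframe> or link click sends exactly that."""
    sid = request.get("cookie")
    store.pop(sid, None)
    return 302


def logout_hardened(store, request):
    """Requires a POST with the CSRF token, which a third-party page cannot read."""
    if request.get("method") != "POST":
        return 405
    sess = store.get(request.get("cookie"))
    if sess is None:
        return 401
    token = request.get("form", {}).get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    del store[request["cookie"]]
    return 302


def cross_site_request(sid):
    """What the browser sends when a third-party page loads the logout URL:
    a GET with the victim's cookie attached and no form body (constructed)."""
    return {"method": "GET", "cookie": sid}


def run_scenario(handler):
    """Log a victim in, replay the forged cross-site hit against `handler`.
    Returns (status, session_still_alive)."""
    store = {}
    sid = new_session(store, "victim")
    status = handler(store, cross_site_request(sid))
    return status, sid in store


def legitimate_logout():
    """The site's own logout form: POST plus the token rendered into the page."""
    store = {}
    sid = new_session(store, "victim")
    req = {"method": "POST", "cookie": sid, "form": {"csrf": store[sid]["csrf"]}}
    return logout_hardened(store, req), sid in store


if __name__ == "__main__":
    print("GET logout, cross-site hit:     ", run_scenario(logout_via_get))
    print("hardened logout, cross-site hit:", run_scenario(logout_hardened))
    print("hardened logout, real form:     ", legitimate_logout())
```

Modern browsers default cookies to SameSite=Lax, which withholds the cookie on cross-site subresource loads such as an `<img>`, but a top-level navigation (the link click the comment proposes) still carries it, so the server-side check is what actually closes the hole.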

~~~
anilgulecha
This is nice :) Certainly helpful when using a public machine. Heck .. make
that the homepage on browser-launch on public machines and guest accounts.

------
w8rbt
If your account is part of Google Apps for Education, or some other managed
Google Apps account, you should contact your Google Apps admin. If it's just a
normal Google account, I'm not sure there's much more that you can do.

Email is the most sought after account. All the password reset requests to
your Bank, Twitter, Facebook, etc. are delivered to your email account. So
when someone steals your email account, they've stolen all the others too. Go
change those accounts to use your new email (if you can).

~~~
hmoghnie
you are absolutely right.

------
jmilloy
I agree that Google's help services are lacking. I never got my account back
years ago. But this sounds fishy to me.

It's equally likely that you are trying to _hack_ someone else's account as
trying to recover your own. There's nothing wrong with the password reset
process.

However, isn't there a process for when you suspect your account has been
compromised? Have you even tried that? Are you even sure that your account has
been compromised, or you just can't remember your password?

I like that us hackers are happy to help, and happy to commiserate with the
failings of big corporations, but I think it's worthwhile to be a bit
sceptical.

Edit: I'll add that the claim that the reset requests are going to the
original account and being cancelled is fishy. We have verification in this
thread that this in fact does _not_ happen, and presumably the OP can't access
the account to make a truthful counter claim.

------
finnjohnsen2
You had two step verification, or not?

I'm hoping you'll say no, because my feeling of security comes from the fact
I've enabled TSV.

~~~
larrys
"You had two step verification, or not?"

Upvoted you but...

A company offers a free service. "Your aunt" does not know or understand the
need for "two step verification", nor almost certainly does a large percentage
of people using gmail.

This idea that companies absolve themselves of all responsibility to provide
reasonable customer support for a free product with such wide adoption is
ridiculous. _Google derives benefit from the relationship_ regardless of the
fact that the service is free.

~~~
27182818284
>"Your aunt" does not know or understand the need for "two step verification"

I wonder more and more if we need to make it mandatory in some form, but maybe
more formal. Like you can use your phone, but also here is a plastic,
officially-sealed set of codes we'll mail to you at a verified address just in
case.

~~~
nmridul
>>> officially-sealed set of codes we'll mail to you at a verified address
just in case.

And then people would start crying ... "google now wants to know your home
address .... "

------
yandie
> So far not a problem, but the email you get back after sending the password
> reset request contains a link to a page that allows you to cancel the
> request (not sure the genius who had this idea)

Did you set the recovery email the same as the main email? Cause I only get
password reset to the recovery email.

If you used the same address for recovery email, then it defeats the whole
purpose

~~~
hmoghnie
No, I set another email. But still both emails will get the link.

~~~
giarc
Is the person that hacked the account just sitting there waiting for emails to
come in and hopefully can click the "Cancel Request" before you can reset the
password?

~~~
mark-r
If you make a habit of hacking Gmail accounts, it's probably not hard to make
a bot that does it for you.

------
heavymark
Would be interested in knowing how they bypassed 2 factor authentication,
assuming you had that enabled.

Unfortunately, it's a tough situation since for all Google or we know you
could be the hacker trying to get into the account and hard for them to verify
who you are, since if the hacker was able to steal person's phone to bypass 2
factor authentication, they may also have access to a copy of your drivers
license or ID to send to google in an attempt to verify they are you.

While far from ideal, assuming you don't have a close friend to contact google
for you via their google apps admin account, you could create a new trial
google admin account and then contact google through that mentioning your
situation of your other account. While they will still have to find a way to
verify who you are at least you'll reach a real person.

~~~
hmoghnie
My mistake was that I didn't enable 2 factor authentication. I contacted them
and offered to supply a copy of my password and driver license, they said the
only way is to go through the dysfunctional online method to recover the
password.

I did create another account, they still send the link to cancel the request
to the original account!!!

~~~
mikegioia
If you didn't enable 2FA, how on earth is Google or anyone for that matter
able to verify it's you that owns the email address? Anyone at any time could
claim they were hacked, and it's not like they require a drivers license ID
when you register.

Honestly I'm not sure what Google can do here that (a) doesn't require them to
now individually support users ($$$) or (b) doesn't open them up to thousands
of erroneous claims.

~~~
danielweber
I would prefer a system where I can pay $100 to Google to get a competent
human to look at the case versus now where I can hope I have a friend of a
friend to make enough noise to get someone's attention.

~~~
mikegioia
I think we all would, but the OP knew this when he registered! This is not a
new revelation about Google support.

------
FredericJ
The issue is that you're not Google's client. Maybe buy something from them (a
large amount of ads), then try to get support?

~~~
cainoniac
Remember: We're not Google's clients, we're Google's products

~~~
benihana
Please stop repeating this intellectually lazy and false meme. Or go to
reddit; platitudes that don't require critical thinking tend to do better
there.

~~~
16bytes
What is false or lazy about this? The service is free; Google makes money
selling ads to users. Is this in dispute?

Pointing out that Google has little incentive to support its users in a post
about getting little support from Google seems very on-topic (but perhaps
unoriginal) to me.

~~~
icebraining
A loss of a user represents a loss of income for Google in both cases. The
reason they have little incentive is because they don't get much per user, but
that has nothing to do with where the money comes from.

------
itsbits
Someone hacked and deleted my gmail account back in 2008. And I wasn't able to
create another with the same name. It was like my life at that time because I
had all my personal backups as mails in that one. Since then I keep a copy on
my hard drive as well, even when I have a cloud account.

------
y0ghur7_xxx
Unfortunately (because their services are quite good) google has no support
staff. This is well known, and you should take it into account when using the
services they offer.

It is not difficult to do without them.

Asking for help on HN or Reddit works sometimes, but if your business (or
personal life for that matter) relies on their services you should really work
towards being able to do without them.

~~~
coldpie
Genuinely asking: is there a paid email provider roughly on par with Google's
offerings in terms of usability and uptime? I'd consider switching.

~~~
farski
If you need all the features of Gmail or Inbox, probably not. If you can get
by with what IMAP has to offer, FastMail has been very solid for me. I pay
about $50 a year for a single account, which can support lots of (unlimited?)
domains and addresses (both sending and receiving). The web UI is nice, and
the iOS app is pretty good, too. They also blog a lot about what they are
doing on the technical side, and seem really invested in the future of IMAP
and open source. They have a serious focus on speed. Spam filtering I would
say is like a B-, there are some really obvious things that seem to get
through no matter how much I train it. Support staff has been helpful when
I've needed it, though.

edit: just remembered they have a referral system, should you be interested:
[http://www.fastmail.com/?STKI=13352501](http://www.fastmail.com/?STKI=13352501)

~~~
coldpie
Thanks for the suggestion, I like what they're offering. I hadn't considered
spam, probably because gmail is so good at it that I haven't thought about
spam in years. Anyway, seems worth a shot.

~~~
cmsj
I have heard it said that putting MailRoute in front of your Fastmail account
clears up the spam problem to the same degree that Google does.

------
philbo
This actually happened to me a few years back and, eventually, they were very
helpful.

The key for me was providing sufficient proof that the account really was mine
and really had been hacked. I gave them as much information as I could
remember/check:

* some contact names

* some tag names

* some recent thread subjects/recipients

* name of the person who first invited me to GMail back in the day

* details of any labs settings, theme etc

* mailing list subscriptions

I wish I could remember the email address I used to get in touch with them
but, as I said, this was years ago now. I definitely found it somewhere
publicly available, albeit buried somewhat.

HTH

------
topynate
Hm, I'd try timing the request so that it's the middle of the night wherever
the thief lives. Try once assuming that he lives in America, once assuming
Eastern Europe.

~~~
deadmik3
This may not be the quickest result, but the basic idea of just trying &
trying & trying... until you eventually beat the hacker sounds almost like a
game.

~~~
toxicFork
What if the hacker tells google that OP's other non-hacked email "has been
hacked" and to please unlink it from the hacked account? :D

~~~
leopoldo
Game over :/

------
creyer
I guess it is all about: how can you prove you're not the hacker?

~~~
raverbashing
Location of past IPs used to access GMail

Knowledge about items on the inbox/address book

Location of devices used to access the account

Knowledge of past passwords

Not sending password reset emails to secondary emails that have just been
added

------
EGreg
The right way for these companies to restore your account would be several of
the contacts you've added long ago to verify that it is indeed you, in some
way a machine can use, such as you signing in with your OLD credentials (which
are kept around), filling out a form with their contact details (which were in
the addressbook on the service and to which you have sent at least a few
emails long ago) and them forwarding you the generated keys to your email by
some method they choose to reach you -- only by collecting 4 or 5 of these
keys could anyone unlock the account. Presumably you choose the people to whom
you've reached out another way and explained how to tell you the code to
activate your email.

This is like an alternative to two-factor communication. It can only be
defeated by someone actually hacking your account and then convincing 3-4 of
your close friends to send him the keys to your account when you start the
dispute.

I'm a big fan of using information obtained easily and casually in the course
of doing something productive (like often emailing someone) for good purposes.

PS: I have disclosed it publicly on this date so no patenting! :-)
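
EGreg's proposal ("only by collecting 4 or 5 of these keys could anyone unlock the account") is a threshold requirement, and the comment names no particular construction for it. As an added example, not from the commenter and not any provider's code, this uses Shamir secret sharing over a prime field as one way to get that property: the provider mints an unlock code, hands each long-standing contact one share, and any 4 of the 5 shares reconstruct the code while 3 reveal nothing about it. The contact names, threshold and field size are assumptions made for the example.

```python
"""Added example: k-of-n trusted-contact recovery via Shamir secret sharing.
Illustrates EGreg's proposal; the construction is the editor's choice."""
import secrets

P = 2**127 - 1  # Mersenne prime; 128-bit unlock codes fit below it (assumption)


def _poly_eval(coeffs, x):
    """Horner evaluation of a polynomial with coefficients [a0, a1, ...] mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Split `secret` into n shares (x, y); any k reconstruct it, fewer than k
    are consistent with every possible secret."""
    if not (0 <= secret < P and 1 <= k <= n):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly_eval(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the field; works with >= k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def issue_recovery_keys(contacts, threshold):
    """Provider side: mint an unlock code and give one share per contact.
    Returns (unlock_code, {contact: share}); the code itself is kept by the
    provider for comparison and never sent to the (possibly hijacked) mailbox."""
    code = secrets.randbelow(P)
    shares = split_secret(code, len(contacts), threshold)
    return code, dict(zip(contacts, shares))


def attempt_unlock(collected, threshold, unlock_code):
    """Owner side: shares forwarded by contacts. Unlock only when at least
    `threshold` shares are present and they reconstruct the minted code."""
    if len(collected) < threshold:
        return False
    return recover_secret(list(collected)) == unlock_code


if __name__ == "__main__":
    # constructed contacts: five old correspondents, any four suffice
    code, issued = issue_recovery_keys(["alice", "bob", "carol", "dan", "eve"], 4)
    four = [issued[c] for c in ("alice", "carol", "dan", "eve")]
    three = [issued[c] for c in ("alice", "bob", "carol")]
    print("4 of 5 shares unlock:", attempt_unlock(four, 4, code))
    print("3 of 5 shares unlock:", attempt_unlock(three, 4, code))
```

The attack the comment anticipates, an intruder persuading 3 or 4 contacts to forward their shares, is the only way in: below the threshold the shares carry no information about the code, so there is nothing to brute-force from a partial collection.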

------
mark_l_watson
Google provides some great services, but support is lacking.

I suggest, for the future: 1) use two factor authorization 2) use a separate
email service because email is so important that you need the best support,
etc. that you can get (I use Fastmail) 3) periodically download your Google
data so if you ever need to set up a new Google account, you have some of your
old context

I do still use GMail, but as a backup email.

I am going to start teaching free Internet security and privacy classes at my
local library so I have been thinking a lot about these issues. Google,
Facebook, Twitter, etc. provide really nice services, but it is important to
consider privacy issues and have a plan for using these "free" services.

------
q3k
It's a free service. You get what you pay for.

~~~
GnarfGnarf
I think it's more accurate to say that you don't get what you don't pay for.
Did the folks who bought Worldcom stock get what they paid for? Enron? Bre-X?

------
brightball
If they're going to have cancel password change requests they also have to
have cancel change of alternative email requests. That's the first thing a
hacker changes.

Additionally, you have to track every change with a timestamp so that you can
invalidate everything that came AFTER the change you just reset. That will
prevent a hacker from being able to screw with the account because the
original email address will also be able to cancel future changes, no matter
how many times the perpetrator did it.
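
A toy model of the change log brightball describes, added here as an example rather than the commenter's or Google's code: every change is recorded with its timestamp and the value it replaced, the cancel link for a change goes to the recovery address that was on file before that change, and cancelling one change reverts it together with everything applied after it. The account fields, addresses and token format are constructed.

```python
"""Added example: timestamped change log with cancel-and-revert-later semantics.
Toy model of brightball's proposal; not any provider's implementation."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Change:
    seq: int
    ts: float
    field_name: str
    old: str
    new: str
    cancel_token: str
    sent_to: str            # recovery address at the moment of the change
    cancelled: bool = False


class AccountChangeLog:
    def __init__(self, state):
        self.state = dict(state)
        self.log = []

    def apply(self, field_name, new_value):
        """Record and apply a change. The cancel link is addressed to the
        recovery email that existed BEFORE the change, so an address the
        intruder just inserted never receives a link for its own insertion."""
        ch = Change(len(self.log), time.time(), field_name,
                    self.state[field_name], new_value,
                    secrets.token_urlsafe(16), self.state["recovery_email"])
        self.log.append(ch)
        self.state[field_name] = new_value
        return ch

    def cancel(self, seq, token):
        """Revert change `seq` and every change after it, newest first, and
        retire their cancel tokens so none of them can be replayed."""
        ch = self.log[seq]
        if ch.cancelled or not hmac.compare_digest(token, ch.cancel_token):
            return False
        for later in reversed(self.log[seq:]):
            if not later.cancelled:
                self.state[later.field_name] = later.old
                later.cancelled = True
        return True


def takeover_and_rollback():
    """Constructed scenario: the intruder rewrites recovery email, phone and
    password; the owner clicks the cancel link for the first change, which
    was delivered to the old recovery address."""
    original = {"password_hash": "h0",
                "recovery_email": "owner@example.net",
                "phone": "+15550100"}
    acct = AccountChangeLog(original)
    first = acct.apply("recovery_email", "attacker@example.org")
    second = acct.apply("phone", "+15550199")
    acct.apply("password_hash", "h_attacker")
    cancel_ok = acct.cancel(first.seq, first.cancel_token)
    # the link for `second` went to attacker@example.org; it must be dead now,
    # otherwise the intruder could undo whatever the owner does next
    attacker_reuse = acct.cancel(second.seq, second.cancel_token)
    return {
        "first_link_sent_to": first.sent_to,
        "cancel_ok": cancel_ok,
        "state_restored": acct.state == original,
        "all_cancelled": all(c.cancelled for c in acct.log),
        "attacker_token_still_valid": attacker_reuse,
    }


if __name__ == "__main__":
    for key, value in takeover_and_rollback().items():
        print(f"{key}: {value}")
```

The ordering matters in two places: changes are undone newest-first so each field lands on the value it held before the cancelled change, and the tokens of the undone changes are retired in the same pass, closing the counter-move where the intruder's own cancel link is used to reverse the owner's recovery.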

------
aseemraj
Google sends the recovery information related emails on the recovery email
address. So they won't be going to the account that is not accessible to you
(I prefer to say that instead of hacked). And the link to cancel the request
is indeed a good idea, because if someone else submits a password reset
request, then you must be able to cancel it because you did not initiate it.
Otherwise, you will end up losing your account to the real initiator of the
request.

------
ruanmartinelli
Adding to discussion: once I tried changing a coworker's gmail password just
for fun (he was right beside me and doubted that I could) by just providing a
few ordinary pieces of information I knew about him (e-mail lists we were both
subscribed to, e-mail from our boss, other coworkers, etc). Well, I was able
to change his password to a completely new one. Very concerning, not sure if
it still remains that easy.

------
hellbanner
A while back, I was chatting with someone on gTalk who I had pissed off in a
forum. The next time I tried to sign in, my password had changed. I had to do
the reset.. when I signed back in, no signs of foreign IP access were there.

My best guess: malware on the forum OR they exploited a vuln on Gmail.com
similar to how hotmail.com & yahoo.com used to be very very vulnerable..

------
frosttt
You can try here.
[https://productforums.google.com/forum/#!forum/gmail](https://productforums.google.com/forum/#!forum/gmail)

------
hiou
I would see if you can upgrade your gmail to a paid account and then contact
their support. Free accounts get very little attention but paid accounts will
get you to a real person eventually.

~~~
rogeryu
Great - but that only works if you have access to the account. Otherwise I
could take over any account by simply paying? I guess Google is smarter than
that.

------
rghose
I guess you just need to be faster than the person who hacked your account.
Just before the cancel link is clicked you gotta make your move.

Yeah, and the cancel request was a total stroke of genius!

~~~
pbhjpbhj
I imagine that Google would allow the "cancel request" to override recent
password alterations to avoid accounts being taken over simply because the
cracker moved faster than the owner once it was realised the Google account
was cracked/accessed.

It may not be enough to run a password update before they act on the email. It
also may not be physically possible if they have a script watching for such
emails from Google and cancelling the request immediately, you'd then need to
set up a faster method and/or receive the email before they did.

------
BtM909
I'm assuming you've tried this:
[https://support.google.com/mail/answer/50270?hl=en&ref_topic...](https://support.google.com/mail/answer/50270?hl=en&ref_topic=3406179).

On the other hand, it is a free service. If you'd have the business
subscription, they do have a helpdesk you can contact by phone:
[https://www.google.com/work/apps/business/support/](https://www.google.com/work/apps/business/support/)

~~~
hmoghnie
Tried that. It will send me a link to the original hacked email with a link to
cancel the request!!!!

------
black-perl
And the loop continues. Can't they reset your Gmail account? Yes they can!
Ask them, explaining the problem.

------
bingobob
if you get your account back i would look at setting up 2-Step Verification
[https://support.google.com/accounts/answer/180744?hl=en](https://support.google.com/accounts/answer/180744?hl=en)

------
frosttt
Have you tried the forums? If so, could you point me to the post, please?

------
cbaleanu
You can also receive a pin code via sms on your phone...

~~~
hmoghnie
The hacker has modified that number too

------
cmdrfred
Hacker != Guy who phished your password

~~~
pooooooop90900
Hi I'm a secret agent of sleepy town

------
timruffles
For next time: pay for google apps.

------
frosttt
Did you post on the gmail forums?

~~~
ceejayoz
I'm a little baffled at the idea that the forums would be able to resolve this
sort of thing.

------
9931323781
MY AIM IS ALL INDIA RANK 1st IN IIT JEE AND I CHALLENGE 95% MARKS IN BIHAR BOARD
EXAMINATION IN 2016

------
chintan
edge case - scheduled for sprint # 5642

------
pooooooop90900
Cool

------
kazinator
> _What to do?_

The first step would be to edit the title of your submission to begin with
"Ask HN: hacked Google account, what to do?", since you're asking a question.

"Google hacked account" means, to an English speaker, that Google perpetrated
hacking against some account somewhere (subject-verb-object, right?) E.g.
Google people gained access to your bank account. I.e. your current submission
title is clickbait.

~~~
jokr004
Your nitpicking isn't helping anyone.

~~~
smtddr
Nitpicking? I had no idea what this submission was even about. I thought maybe
Google, the company, was hacked by outsiders. That was my best guess. Or even
"Google hacked" could imply "Hacked by Google", I don't even know.

The current title is ambiguous at best; just plain misleading/sensational at
worse - especially now reading that this is really about just one person
losing access to their Gmail.

_____

EDIT: In case the title does get changed, the original title that I'm looking
at right now is _"Google hacked account"_. This is what I woke up to this
morning --- [http://i.imgur.com/vWJ41ck.png](http://i.imgur.com/vWJ41ck.png)

~~~
jokr004
It's just so not important.. from the content of the guy's submission it
strikes me that English may not be his first language.. he's here asking for
help with a problem and the top response he gets is some ass berating him over
the wording of his title.

But oh right, you woke up this morning and the sky was falling, all because
you had to take an extra 30 seconds to actually read the fucking post

~~~
Burritamos
It didn't really sound like kazinator was berating in their reply. It actually
sounded rather helpful. Please be more mindful when replying to people here.
Less tendency to jump to vitriol would be helpful.

------
9931323781
I WANT TO CHAIRMAN OF GOOGLE

------
Adiminstrator
Hello,

I believe i can help.

~~~
Tepix
Now that's just cruel.

------
praalka
they went full microsoft

~~~
JupiterMoon
Strangely hotmail does a better job here...

