
How I lost access to my Google account today - ehsanakhgari
http://ehsanakhgari.org/blog/2012-04-14/how-i-lost-access-my-google-account-today
======
overgard
Somewhat of a sidenote, but this is why I refuse to use google+: my gmail
account is too important to me to risk linking it to another google
service. Especially considering the stories of people's entire google accounts
getting shut down randomly because of an "algorithm" or whatever.

I like the products google makes, but their complete refusal to have any sort
of customer service makes me hesitant to rely on them for anything beyond what
I trust them with now.

~~~
ajross
"The stories" are sort of an exaggeration. My memory is that Google did that
(disabling a gmail account while freezing a google+ account) once, apparently
by mistake, and corrected it within something like 48 hours. Are there other
examples I've forgotten?

~~~
bitcrunch
It is not an exaggeration.

It has happened to me - I lost everything, calendar, email, g+ (which I had
not ever updated and had no ToS violations on), absolutely everything.

In the next two days I googled (yes, I did) for answers while receiving
automated messages that seemed to indicate I was never getting my accounts
back (submitted the form they asked me to, but nothing came of it).

I lost my appointments, contacts, and had business people doubt my veracity,
as I'd just given my gmail to several new contacts and their initial emails
all bounced.

If I hadn't had multiple friends inside of google I might never have gotten my
accounts back, and I heard they weren't even sure what exactly happened other
than a confluence of events. I then learned how very very common it is to lose
a google account and never know why, and never be able to get back anything on
them (family pictures, phone numbers stored in contact lists...)

I'm now mostly divested from google and the things I still have there I now
have backups and redundancies for.

~~~
GFischer
My mother had her account hacked... she never got it back, despite trying
repeatedly.

And she had all of her digital life in there.

She made for herself another Gmail account which she has safeguarded a lot
more, but it's still chilling to know that you have no recourse.

Gmail is so convenient, that it's hard not to use it, but I'd pay for customer
service.

~~~
maratd
> but I'd pay for customer service.

So pay for it? I'm not saying that it's right for Google to do this, but they
do offer that option. With a Google Apps subscription, you get support.

~~~
ubernostrum
Many, many times we've heard these stories from even _paying customers of
Google_.

Generally, if it can't be implemented by an algorithm, Google's not going to
do it, ever.

~~~
aperrien
With paying customers? That will continue until they face their first
lawsuit...

~~~
ubernostrum
Lawsuit for what? Google's terms are set up such that "we algorithmically
decide to provide you with nothing whatsoever in exchange for your money" is
perfectly within their rights.

~~~
mattmanser
Not in many countries, there are consumer protection laws.

------
fauigerzigerk
What I don't get is why the very first step in Google's automated process is
to lock down the entire account. The debate is around the scalability of
support, but that doesn't explain why the automated first response is so
radical and so radically stupid.

The anger and rage Google provokes by not letting people log in and access
their own data is totally unnecessary. They could just as well let people log
in, view their data and receive email but prevent them from sending mail,
publishing content, uploading more stuff, etc.

This is not simply about automation or no automation. It's about smarter
automation and an intelligently staged response to any suspected issues. If
algorithms are to be accepted as decision makers, they have to be gentle and
not treat everyone like a criminal as soon as there is some suspicion.

~~~
shabble
I suspect it's for the same reason as they never reveal any details about
their search ranking techniques or why some SEO or suspected fraud got your
AS/AW account banned - it's an information leak which people will abuse.

The downside to running such a heavily automated ship is that without
countermeasures, a sophisticated attacker could map out the thresholds of your
fraud/misuse detection system, and then keep just below triggering point.

On top of that, there are actually situations in which you might want your
account to be suspended quickly - ideally before an intruder can cause too
much damage or access any valuable information.

Some sort of graduated response is clearly necessary, but the real issue is
the complete lack of timely dispute investigation/resolution. And it's
probably a hard enough problem to resist automation for quite a while yet.

Edit: This obviously only applies to situations where they might reasonably
expect you to be malicious, or someone else to be in control of your account.
Immediate irrevocable suspension over some tiny ToS violation is pure madness.

~~~
fauigerzigerk
So we have two cases:

1) A suspected TOS violation by the legitimate owner of the account.

Trying to prevent this via obscurity is crazy and counter-productive as people
cannot learn from honest mistakes. It also antagonizes people who become
victims of bad algorithms. There is no reason why the kind of staged response
I outlined couldn't work in this case.

2) A suspected security breach that puts ownership in doubt.

This should be handled by resetting the password and contacting the legitimate
owner using contact information on file before the breach. It's really simple.

~~~
andreasvc
I imagine it goes like this:

1) attacker guesses your password or obtains it via phishing.

2) attacker changes password, starts sending spam

3) google locks account

When you have arrived at 2), you have already lost the account for good, and
3) is only for damage control.

You should know that Google has no way to verify whether your account has been
hacked, or whether you yourself are a spammer; therefore the best thing for
them to do is just to lock the account.

~~~
fauigerzigerk
That's not the best thing to do, that's the most unimaginative thing to do.

I would do it this way:

1) Make sure that only the legitimate owner has access to the account by using
previously entered contact data to ask him/her to change the password.

2) Check if the suspicious behavior stops, which it will in most cases.

3) If it doesn't stop, put the account in read-only mode. If the kind of
behavior may be an honest mistake, explain to the user what happened. Just
take that risk, it's going to be worth it.

4) If it's a statistically active user with lots of regular looking data, let
a human sort things out.

5) If the issue remains unclear, tell the user to download any data he wants
to keep and notify him/her that the account will be closed.
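
The staged response listed in the comment above, sketched as a small state machine. This is an added example, not part of the original thread and not Google's actual process; the stage names, event names, capability sets and the "established account" thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    ACTIVE = 0
    RESET_REQUIRED = 1  # step 1: sessions revoked, owner must change password
    WATCH = 2           # step 2: password changed, see whether the abuse stops
    READ_ONLY = 3       # step 3: abuse continued after the reset
    HUMAN_REVIEW = 4    # step 4: established account, a person decides
    CLOSING = 5         # step 5: closure notice sent, owner can still export


FULL = {"read", "receive", "export", "send", "upload"}
SAFE = {"read", "receive", "export"}  # nothing that can affect third parties
ALLOWED = {
    Stage.ACTIVE: FULL,
    Stage.RESET_REQUIRED: {"receive"},  # inbound mail is kept, nobody logs in
    Stage.WATCH: FULL,
    Stage.READ_ONLY: SAFE,
    Stage.HUMAN_REVIEW: SAFE,
    Stage.CLOSING: SAFE,
}

# Fixed transitions; the READ_ONLY branch depends on the account (see advance).
TRANSITIONS = {
    (Stage.ACTIVE, "suspicious"): Stage.RESET_REQUIRED,
    (Stage.RESET_REQUIRED, "password_changed"): Stage.WATCH,
    (Stage.WATCH, "quiet"): Stage.ACTIVE,
    (Stage.WATCH, "suspicious"): Stage.READ_ONLY,
    (Stage.READ_ONLY, "cleared"): Stage.ACTIVE,
    (Stage.HUMAN_REVIEW, "cleared"): Stage.ACTIVE,
    (Stage.HUMAN_REVIEW, "unclear"): Stage.CLOSING,
}


@dataclass
class Account:
    age_days: int
    stored_items: int
    contacts: list  # (unix_ts_when_set, address) pairs, constructed sample data
    stage: Stage = Stage.ACTIVE


def recovery_contact(account, first_suspicious_ts):
    """Newest contact that was on file before the suspicious activity began.

    A contact added afterwards may have been planted by an intruder, so it
    is never used to deliver the password-reset request.
    """
    older = [c for c in account.contacts if c[0] < first_suspicious_ts]
    return max(older)[1] if older else None


def is_established(account):
    # Assumed thresholds standing in for "statistically active user with
    # lots of regular looking data".
    return account.age_days >= 365 and account.stored_items >= 1000


def can(account, action):
    return action in ALLOWED[account.stage]


def advance(account, event):
    """Apply one event; unknown events leave the stage unchanged."""
    if account.stage is Stage.READ_ONLY and event == "unresolved":
        account.stage = (Stage.HUMAN_REVIEW if is_established(account)
                         else Stage.CLOSING)
    else:
        account.stage = TRANSITIONS.get((account.stage, event), account.stage)
    return account.stage
```

At no stage does the account drop below read, receive and export once the owner has reset the password, which is the difference from an outright lock.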

~~~
andreasvc
Yes, that would be better for the user, but this is a free service, and Google
has not much to gain from making the process more complicated (imaginative)
and thus more error-prone. As a user you have the responsibility of keeping
your password absolutely safe, if you do that (and better yet use 2-factor
auth), nothing should go wrong.

Your option 1) boils down to adding more "passwords" by which the user can
authenticate itself, so it's not a fundamentally better protection as they can
be guessed by an attacker as well. Requiring a text message confirmation for
password changes might be a better idea.

~~~
fauigerzigerk
All steps on my list are either fully automated or optional, so it doesn't
cost them more.

Google has a lot to gain from people entrusting them with their data, that's
why they provide a free email service in the first place.

It would be a mistake to think that trust is linear. You can't just treat a
few people very badly without risking a major backlash against your business
model.

------
credo
OP says >> _We've all (yours truly included) heard about the importance of
owning your digital data, the downsides of vendor lock-in, and how if you're
being provided a free service, you're the product, not the customer. But I
honestly never understood how deep this problem is, and how severe the
consequences can be ("surely this cannot happen to me", right?!)._

Excellent point.

Btw one easy way to maintain a local copy of all your gmail-emails is to use a
mail client (like Outlook or Apple Mail) with gmail. With Outlook, for
example, you can easily download and move emails into a PST/OST file on your
PC.

~~~
wvenable
Backing up is fine, but the problem is you still don't own your identity. If
your email address is xxx@gmail.com you've lost that forever and that could be
a big problem.

~~~
drucken
Set up your own domain name for $5/year or less and use the free email
aliasing that comes with it,

e.g. paul@wvenable.me would be aliased to paulharris@gmail.com at your DNS
provider.

Then you only ever pass around wvenable.me addresses. If you get a good
provider, they will give you unlimited free aliasing (though they may not
allow catch-all address for free, which redirect anything@ to some default
address, due to spam potential).

Combined with monthly backups via IMAP or export from your actual email
providers, you will never be dependent in either identity, contacts or content
with any single provider.

Needless to say, all of the above is trivial to set up for a typical HN'er.

------
jrockway
Just out of curiosity, did you use two factor authentication on the account? I
understand that a common reason for accounts becoming disabled is because
someone guessed the password, logged in, and then sent a bunch of spam (or
something similarly evil). Two-step authentication makes this attack
significantly more difficult. (But, of course, it makes your email harder to
use. And malware can still steal your "remember this computer for 30 days"
cookie.)

~~~
ehsanakhgari
No, I was not using the two factor authentication feature. I still don't know
what caused this, but yeah, my account might have been hacked.

------
motti_s
This happened to me once and it took a while until they reinstated my account.
To date I have no idea why it happened. I thought about moving to another
service, but unless you set up your own SMTP server (probably not a good idea),
you never really have full control.

Here is what I recommend you do (before getting locked out):

1\. Use your own domain for email and host it on gmail (free) - do not use
yourname@gmail.com, but yourname@yourdomain.com.

2\. Create a secondary email account and have your primary account forward all
emails to it.

If you get locked out, your account still accepts emails. I believe that
forwarding still works as well, though I haven't been able to verify it (need
to get locked out again...).

Then either respond from your secondary account, or change your mx records to
point to another service, or even to your own temporary SMTP server.

It's not a complete / ideal solution. You still don't have access to emails
you sent (could be done using IMAP, but I didn't bother) and to other Google
services. But it might be OK as a temporary solution until you get your
account back.

~~~
ajross
Why is setting up your own mail server a bad idea? I've been running my own
for 13 years now (plain old postfix and dovecot on whatever linux distro I
favor at the time). It works great.

~~~
runako
1) Spam filtering. The Google spam filters are likely going to be orders of
magnitude better than anything you run in-house.

2) You value your time. Some people don't, it's not really worth arguing this
point. But it is a reason running a mail server is a bad idea for most people.

~~~
ajross
Orders of magnitude is an exaggeration. My account is very visible and very
old, and gets 6-700 spam deliveries a day. Plain vanilla spamassassin catches
93% of those, and a little perl filter I wrote gets me to 98-99%. I get a
handful of unwanted messages each day. That's just one order of magnitude from
perfect; and I know for a fact gmail isn't perfect.

And #2 is just wrong, sorry. I spend minutes a week doing anything at all
related to maintenance on that box (I use it far more regularly for productive
purposes, though). If you can handle running a linux box from a console, you
can learn to do it too. Or don't, it's up to you. But telling me I don't value
my time is just out of line.

~~~
runako
Re #2: Sorry, I wasn't directing that at you and meant no offense. Per your
post:

>> I've been running my own for 13 years now (plain old postfix and dovecot on
whatever linux distro I favor at the time).

For those of us without the experience of 13 years running postfix and dovecot
(and spamassassin and writing perl filters), there will certainly be at least
some time investment. That's what I was talking about: the price in hours to
go from zero to competent. You may be too competent by now at email hosting to
realize that it would not be a minutes per week affair for most people to do
well.

Obviously if it works for you, great. Interesting to note that you started
running your own long before GMail; the calculus of starting to self-host is
different now.

Re #1, you should lend your spam filtering tools to Yahoo! In all seriousness,
a handful of unwanted messages per day would be a dramatic improvement to my
Yahoo! inbox. Whatever they are doing over there is not as good as what you're
running.

------
macspoofing
I had my google account suspended for a few hours a few months back. Why?
Because, I was sending myself a set of icons, and I carelessly dragged the
folder in, which caused each one to upload separately (30 altogether). I
noticed it quickly enough, and closed the tab. When I went back in, my account
was suspended. No recourse. Nobody to talk to. Nobody to complain to.

Honestly, I'd rather just pay a monthly fee for the damn thing if it meant a
unilateral action such as an account suspension wouldn't happen without prior
warning. I'm serious Google. It's a good service. Take my money.

~~~
crazygringo
Forgive my ignorance, what would uploading 30 icons have to do with being
suspended?

~~~
ajross
Ditto. I find it hard to believe that receiving 30 attachments in quick
succession would trigger an IDS. People do that sort of thing all the time
(try playing with "git send-email" sometime).

My guess is that it was more like 300, and cc'd to a bunch of external
addresses such that it looked like spam.

So macspoofing: what did you have to do to get the account reenabled?

~~~
macspoofing
>I find it hard to believe that receiving 30 attachments in quick succession
would trigger an IDS.

Believe it. It happened.

>what did you have to do to get the account reenabled?

Waited a few hours, and it was reenabled automagically.

------
RexRollman
This is one of the things that makes me worry about using Google for email.
When it works, which is almost all of the time, it works great, but when there
are problems, it is difficult to get assistance.

~~~
thezilch
Shouldn't this worry you about ANY email service; even those that you are 100%
in control? Backup important data to separate services; have separate services
to read this data; do it often, including the read -- make sure your backups
work.

~~~
machrider
Yes, but the specific problem with Google is they have practically zero
customer support. There is no one you can call to get help, and they
apparently feel no obligation to respond to problems in a timely fashion.

~~~
Drbble
If 100K people, an insanely huge number, experienced crippling Gmail
failure, that is roughly a 0.1% chance that it would affect you in your
lifetime. Avoiding Gmail for this is like avoiding planes and cars and houses
because you saw on the news that one blew up somewhere.

------
nextstep
For a post titled "How I Lost Access to my Google Account today" this article
does a terrible job explaining _how_ he lost access to his account. Was it
just a totally random algorithmic error? The guy doesn't even have a theory
about what he might have done?

~~~
ehsanakhgari
This is the main thing which sucks about all this. I still don't have any clue
on why this happened. The "how" is exactly how I explained it: I woke up this
morning, and my account was disabled.

~~~
jedc
Here's a link that might be helpful:

[http://support.google.com/accounts/bin/answer.py?hl=en&a...](http://support.google.com/accounts/bin/answer.py?hl=en&answer=1752770)

------
troymc
Some thoughts:

\- If you pay $50/year for Google Apps, you can use your own domain name, so
you can change your mail server without changing your email address, and you
also get access to customer service from Google. I have Google Apps and the
one time I contacted them, they got back to me right away.

\- Just like it's a good idea to backup your local computer, it's a good idea
to backup the data in your cloud services. There are numerous options.
Backupify, CloudPull, and ThinkUp (thinkupapp.com) are some which come to
mind.

~~~
Tichy
You don't even have to pay to use gmail with your own domain. I find it
difficult to find the relevant links, though.

~~~
fauigerzigerk
It's here: <http://www.google.com/apps/intl/en/group/index.html>

I use Apple Mail for backup. The only issue is the TTL setting for the DNS MX
record. Some domain hosts set this to 24 hours, which means it may take up to
48 hours for all mails to get through after you switch to a different mail
server.

------
kappaknight
You never said "how" you lost your account...

On a side note, it's sh*t like this that makes law makers create crazy laws
that would stop poor support like this.

I for one would almost want government intervention to make sure when cloud
services cut you off, they don't take hostage of your data and history too. I
recognize it's a terrible/horrible solution, but if the companies themselves
can't do the right thing, government mandate would have to be next. Cause in
this case, it's not like we can vote with our wallets to make it go away when
the stuff is free.

Also, imagine the number of jobs Google could create if they hired and trained
a support staff for all their products? There's a lot of stuff that would
still benefit from a human touch.

~~~
mjwalshe
Yes, that's the danger for Google: all it takes is for one case to go very high
profile and they will be living with the court/government sanctioned remedy -
that is why banks and other organizations have independent ombudsmen - they
want to avoid the government stepping in.

------
kzrdude
> I have been a Gmail user probably since 2004, and I have tens of thousands
> of work-related and personal emails stored in my account, some of which
> being extremely important to me.

We tell people they need backups. With a TOS like "we can shut you down at any
time for any reason", you definitely need backups for Gmail too if it's
important.

------
frankydp
<https://www.backupify.com/>

GApps backup 36 bucks a user a year.

------
teknover
Isn't the question of why the account was locked just as pertinent as how?

What would be racing through my mind is: was my account hacked? If so, maybe
other services I use could be hacked too.

Or did I possibly break the terms of service? If so, what may have been the
justified reasons for me doing so, or Google's reason for preventing me so?

That's where full communication with Google would be so essential to remove
the ambiguity and resolve what may be a bigger question at hand.

------
cnbeuiwx
I'm glad this happened, because while painful, it makes people think about
their total dependence on a corporation being nice to them.

You can take back your power by using smaller corporations for essential
services such as email, making sure they are NOT located in the USA (should be
obvious, but I feel I should reinforce that you can't get privacy in the USA).

Then again, if you use Google, perhaps you don't care about privacy in the
first place.

------
bbwharris
This is a little scary, a lot of people rely on Gmail. I'm sensing a
fundamental shift from "Free" to "Pay for it" for exactly this reason. When
you are a free customer, no one has to care about you. When you are a paying
customer, you suddenly have a voice.

And no, having ads does not mean that you are paying. Someone else is paying
for those ads, if anything they are sponsoring your ability to enjoy a free
service devoid of customer support.

~~~
seles
Except he was paying, and still got no voice.

------
michaelfeathers
I wonder why gmail can't suspend people by giving them readonly access. It
could be time bounded, say 30 days, to allow people to migrate data off.

------
Shank
For the record, if you just read this and you can't/won't switch off, make
sure you have recovery options set to recover your account. You can set up:

\- An alternate email

\- A phone number

\- Alternate email addresses

\- A recovery question

Note, however, that the latter will only work if your account hasn't been
accessed in 24 hours. If you have 2factor enabled, make sure you have backup
codes printed as well.

------
jbrayton414
Cloud-based services are great, but I think it is wise to store a local backup
of your data. I wrote an app called CloudPull
(<http://www.goldenhillsoftware.com/>) to do exactly that for your Google
account. Whether you use my app or an alternative, you need local backups.

------
kevinchen
The site went down. Cached:
http://webcache.googleusercontent.com/search?client=safari&#...

------
tferris
That sucks. Reading your tragedy I am about to set up a new main identity with
local mail storage:

\- getting a dedicated domain

\- getting either google apps or another web mailer

\- setting up new email address for 50+ services

\- finding some local client, doing backups and what ever

mail account migration is a lot of work ...

------
suyash
Thanks for such an eye opener!!

Good luck getting yours back, I'm going to back up mine this weekend!

------
lucian1900
I mean no disrespect, but if you have no backups for something it's your fault
when it's gone.

Google's support sucks and they desperately need to improve it. But people
also need to back things up, dammit.

------
sl4yerr
Google's lack of customer service never ceases to amaze.

------
read_wharf
Don't put your stuff in there, because they are not going to treat it with the
same importance that you do.

------
lifeformed
Are there any good alternatives to gmail that include tools for migrating an
existing gmail account?

------
nickm12
I avoid using Google services, but for the ones I do use, I have a separate
account for each.

------
nextparadigms
So is there anything he did that caused this? Or did it just happen completely
randomly?

~~~
zxy
Considering the post is titled "How I lost access to my Google account today,"
there is a lack of how.

It's well known that your data should be redundant, this is one of those 'I
didn't make a backup' posts.

------
rollypolly
User since 2004. Wow. Is there a way to export tens of thousands of emails
from Gmail?

~~~
uptown
This guide shows you how: <http://helpdeskgeek.com/how-to/export-all-email-from-gmail/>

~~~
DarkShikari
I tried this, but Thunderbird simply locked up due to the sheer volume of
emails (I subscribe to LKML and other high-volume mailing lists). I haven't
been able to find any good backup solution anywhere, and articles like this
really scare me.

~~~
cfinke
Thunderbird 11 is much better than Thunderbird 3.x was at handling a GMail
backup. I've just finished backing up ~120,000 messages using Thunderbird 11
(archiving them into monthly folders about once an hour during the backup),
and it's doing fine. (I tried the same thing a year ago with Thunderbird and
gave up after 45 minutes.)

~~~
aDemoUzer
Good to hear. I had tried Thunderbird in the past but it would just crash.
Just started today for the first time in a year and just upgraded from v7 to v11.
Working well so far.

------
telemekus
is there not a business opportunity here? to make something as reliable as
Gmail, but with better care and attention to Users, that a person could roll
their own mail service from it?

------
sunyc
if things are important, set up a google apps for domain, people.

------
robmay
www.backupify.com lets you backup your gmail to another location

------
loverobots
Congrats on making it to page one, your account will be restored within hours.

Many have their adsense and Adwords linked to suspended Gmail accounts too. It
can cripple their business.

~~~
rooshdi
Yea, unfortunately not everybody has the good fortune of making it to the top
of HN. I had a personal Gmail account wrongfully disabled over a year ago, and
after filling out every form I could find and not receiving any helpful
feedback for a year, I just gave up and decided to cut my losses. However,
after reading this article I checked to see if it was still disabled and, lo
and behold, I was _logged in_! I still don't know whether to be happy or
pissed, but at least it works for now.

------
loverobots
My advice for those that have other Google services tied to an email account:
do not use that account to send email. You minimize the odds of getting banned
and frozen out of a lot of things

