Sadly in all these stories that end successfully there is inside help from someone that has contacts in Google. I don't even want to think about what would happen to people that don't know anyone inside Google.
I tried the gmail password retrieval system repeatedly, but could not get it to recognize me even though I had an archive of much of my email, so I thought I could be confident in answering questions about who I emailed and such.
So, I switched to a new email account. Luckily, I had a tablet that (to this day) is still logged into my lost gmail account, so I can tell that nobody I care about is still sending to the old address.
All in all, the consequences weren't that bad, although among them were the loss of my ability to have my straightforward email@example.com address...unfortunately using just my first initial and last name is not unique.
The concept of being able to reach a human being at Google is tantalizing but the fact is, I have such resentment and bile built up for the way things were designed that I'm not sure I want to reach out. And it doesn't matter a great deal anyway. I suspect in the long run it's lucky I learned not to trust them too much.
According to the cable company, the account does not exist. Somehow between the multiple mergers, it keeps getting migrated but is orphaned from their identity system.
(Although note that if you do this via Gmail it will leak your sending email address in the headers.)
Also, I think you might be able to retrieve the rest of your emails too. You might not have IMAP access, but at worst, you can write Google Scripts and have them upload your emails to another account. It will be rather slow but you should be able to copy all your emails this way. I don't think it should prompt you for a password when giving permission but I'm not sure; again, test this on your new account before trying. Make sure to wait like half an hour to make sure any internal password prompt timers expire.
At work I can almost every day hear someone yelling at his health insurance company because something has been f...ed up. Once they start hiding even more behind automation how can you resolve anything?
Turns out he uses the spam button in his email client as a temporary deletion / archive for emails he wants to read later...
TLDR; Many users create their own issues by just not giving af. It reminds me of antibacterial hand wash.
Senders who bought, stole, or brute-forced your email address are a different story. For them it's just a numbers game. They are, by definition, spammers and should be treated as such.
There is a final group of senders who you did once interact with but who show these behaviors:
1. They are too incompetent to keep the unsubscribe server running;
2. They broke the mail template so it doesn't point to a valid URL;
3. They fail to control subscription preferences within their own company so that the marketing department keeps using the same old list even though months of unsubscription requests have accrued since then;
4. (My pet peeve) They take you to a blank form that asks for personally identifying information in order to unsubscribe, rather than embedding an identifying token in the email's unsubscribe link. Out of principle, I will not enter PII into any form on the other side of an email link, even if it comes from someone in my family. It's too easy to fall victim to phishing, and I resent any sender that puts me in that situation. If a business asks for any PII to unsubscribe, I close the tab and mark the email as spam.
Any of those get marked as spam. Their intent was not to spam me, but I can't do business with incompetent senders.
In general I try to hit unsubscribe if I know I've had business with the company. But if they are clearly just trying to sell more, it goes to spam.
And no I don't have any "techbro" friends who work for Google.
Do not use Google unless you are OK with losing your account if they one day decide to hold your identity and data hostage.
Even if you PAY Google ("Google Apps" or whatever the fuck they are calling it these days), you are still at risk.
Set up mail forwarding in Gmail and migrate to a service not run by an advertising monopolist.
And save the backup codes!
Multiple physical copies.
If you use TOR you should be taking your operational security seriously. Passwords are useless.
The same is happening with Amazon right now; sellers getting kicked out by default and there is no way to get hold of a real person, just talking to some machine learning bot. Real people simply don't matter anymore.
Luckily I'm still logged into gmail on the iPhone so there's a (slim) chance I might be able to get back in on the laptop.
Maybe last time was a fluke but I managed to get signed in, weird.
Sorry to doubt you google.
Use them. They are lovely. 1-800-BUILD-A-BEAR lovely.
They also happen to love to smash into faces of smug dumb entities. Like Google. Or Apple. Most often because they have their own horse to ride. But who cares. Just. Use. Them.
“That same day I opened a second GMail account so I could have access to services like an email account if need be, [...]”
So, this journalist is in the middle of a horrible experience with Gmail and responds by ... opening another Gmail account, because basically realistically imagining email as something other than Gmail is far too much of a stretch in most people’s minds.
A group of acquaintances had a Facebook group where they shared research and documents. It got deleted and they lost everything. Thrice. I suggested they used something else for document storage each time, but was just ignored or shooed off.
The root cause of the problem is kinda beyond me -- but it's clear that people are unwilling to learn from experience when it comes to these things, and that these free services will continue to behave as they do because there's no downside to doing so.
For about three years the router they sent her would kick off the fifth-oldest DHCP lease and the ISP kept refusing to replace it.
It's a truly fascinating psychological effect.
In the course of this transaction the user may be permitted to read the emails that belong to Alphabet.
Sadly, this seems like a system that can't really be self-hosted. It requires data.
It costs $5/month if you want to use your own domain. I've pretty much stopped using Gmail, etc. and switched totally to them.
Their login 2FA options are as good as Gmail's, and I like their mail-rules better (though you have to drop into "power users" mode more than I'd like).
So I know what happens when you don't know someone on the inside: you are out of luck. You lose important emails, photos, notifications, bills. You have to change a lot of your other accounts. No fun at all.
Wait...you want to know the worst? That's the email I used for coinbase that I think still has a few Bitcoin in it. I can't log into coinbase because I don't have the same phone with the same phone number for Authy, and the recovery email is the hotmail email I am locked out of. Of course I have open support tickets with coinbase but you can imagine that I'm not exactly real high in their priority queue. So being locked out of my email has cost me a lot of money in the long run.
Now, I'm trying to get back into the account so I can add some BTC to sell it, and I'm getting nowhere with the customer support. For an account with a 0 balance. And I still have access to the correct email, phone number, etc.
At this point it'd just be easier for me to sign up for a new account I guess, but I don't want to have to use a throw-away email for that. You'd think there'd be some kind of easy path to regain control of an account with zero balance, as there's no risk of theft. Nuke all attached bank accounts and the like as a safety measure.
Like I've said in the past here, if something is so important to you, you need to treat it as such. Continuing to use a service that offers no guarantees, availability or even continuing access to your account is a sign of ignorance, when you rely on that service so much.
Now ignorance is not the fault of the user. It's primarily the failure of education. There are multiple deficiencies at play here:
1. Lack of knowledge of general population about significance of terms of service, and literacy to read and understand them.
2. Lack of regulation to enforce service providers to provide concise and less technical terms of service.
3. Lack of clear options provided by the service provider for users, so that if a paid option with guarantees is available, it's easy to sign up for and use.
In case of Google, you can, for $60 a year, have an email account under your own domain (which by the way decouples you from Google if you wish to move to another provider in the future), a 24/7 phone support and other goodies. The issue is the number of hoops you need to jump through to set that up, making it inaccessible for the average user. This is Google's fault.
Being able to call someone means you can tie up a $20/hour resource until you can log back in to your account.
Any provider has the right to terminate your account for a variety of reasons even if you're a paid customer.
But yeah, fastmail have a decent reputation.. and they are known for improper verification (which they've hopefully fixed).
Seriously though, 2FA and recovery codes is the way to protect important accounts!
Which is why you use a password manager and keep a copy of your Google account backup codes in the event you need them.
Many users used the password recovery flow essentially as their login mechanism.
Remove that pesky "password" from the entire "password reset" flow. Makes perfect sense (meaning: there's clearly users making use of it).
Getting it wrong has significant impact on how much the brand is trusted (and for some companies, that's all they have)... Lose it and it's time to shutter!
To be fair to Google, they do regularly prompt users to review the security of their account (e.g. with checklists like this: https://support.google.com/accounts/answer/46526?hl=en). Note that Step 3 is "Update your account recovery options"!!
One more time the "techbros" of Silicon Valley don't realize their actions are hurting people.
U2F is much harder to trick..
And TOTP on your phone is likely to get hacked. TOTP on a physical yubikey is a much harder target.
When service is this terrible, why stick with the bad provider? I generally find the whole article sort of depressing... “Google ignored my problems for a month. But now I have access again oh well yay!!”
What's an alternative to Gmail+Drive+Apps that has as much functionality, ease of use and convenience, and at a comparable price, but guarantees you won't get locked out?
I also exported all of my emails from Gmail. I recall accessing them once maybe a month or two after the move, but since then I haven’t touched them.
In general I think people attach much more significance to things like email addresses and phone numbers than is necessary. Frankly I’d much rather things like that change from time to time so they aren’t so easily used as semi-permanent identifiers.
It’s called paying for the services you use. You don’t even need to switch to a different product / provider, just pay $5/month and ~$10/year for a domain name. Then worst case scenario, you can move your domain off of Google Apps and not need to update your email address everywhere with everyone.
I also use GMail, it's incredibly useful. But it's my own domain, and if there's a problem, I point the MX records of my domain name to another email provider and forget about Google.
2) I did read the article, paying for Google Drive or Photos storage is not paying for Gmail.
2) The article isn't about Gmail, it's about an entire Google account where the author stated they ARE paying for extra storage for Gmail and Drive -- where you seemed to imply they're not paying. And buying your own domain does nothing for getting access back to your 10,000's of past e-mails or your 100's of GB's of files you're paying to store.
Now if only Google had a way to “take out” your data and made it trivial to have backups for emergencies.
The convenience is a serious trade off.
For calendaring, I rely on Apple; even if they were to somehow vanish, I'd still have 3 copies of my calendar lying around.
This is an absolute minimum of money (under $20/year), effort, and disruption to your current habits. Plus, you get to use whatever vanity email address you want.
Why not? It works for a lot of people. I don't understand why some people are so eager to hand their personal data out to 3rd parties. This is a very do-able solution.
Keeping your identity hidden from Google while using their services is a fool's errand. Find some other email provider with less big data mining expertise.
My account was previously always used in Germany, and then fell into disuse once I migrated to another Google account (to change the primary email address).
Someone tried several passwords for the account from Russia, Google warned me by sending a warning to the backup email, and let the attacker in anyway.
Being in Germany, the reset flow asked me to either
(a) provide the phone number used, prove I control the backup email, and provide the exact account creation date (I was off by a few months, and it failed to allow me in),
(b) prove ownership of the backup SMS, backup email, and answer all security questions correctly (which I couldn't, because the phone number had long been reassigned).
I, desperately, called Google Nexus support (not possible to solve), and even asked people on the inside, who got the account team on it (more on that later). No can do.
In the end, I got the new owner of the phone number (ALDI Talk reassigns phone numbers after 6 months disuse) to help me by him sending me the SMS verification code, which I'd enter, to verify identity, and get the account back.
After I managed to log into the account, I obviously enabled 2FA, secured it, etc, but I also found a new message in the inbox, from Google's account recovery team, the usual 'thank you for contacting us, etc' one. They had contacted 'me', after I complained that the account was hijacked, by writing an email to the account, and talking with the attacker. Who obviously said there's no problem.
> That is correct, I had the same issue.
> the reset flow asked me to either (a) provide the phone number used [...] or (b) prove ownership of the backup SMS [...]
> (which I couldn't, because the phone number had long been reassigned)
But this means what I said earlier is not correct, since you are not answering all of their security questions correctly.
I later managed to successfully complete the (b) flow due to the SMS.
I believe Google isn't using a binary definition of success, but a confidence interval of how sure they are you are the actual owner - if they are reasonably sure you are the owner, fewer questions need to be solved, if they are reasonably sure you are not, they cancel the flow before you even have a chance, and if they're unsure, they ask you more questions.
On my first attempt, I got over a dozen questions to validate myself, later on, I got told "sorry, we don't believe you" after already one question.
That's exactly what I mean though. You didn't answer their questions correctly. It wasn't just due to your location/IP; you put in the wrong date. (It's quite funny/ironic that you are also answering my questions incorrectly and yet insisting otherwise. While I sympathize with you for the actual problem, it doesn't help anyone sympathize when they see facts being twisted!)
There is no "wrong" or "right" date for Google. Google's support says to input whatever date you remember, Google will judge it as neither "true" nor "false", but based on how close you are, and (this part is now speculation) combine that with other factors.
I'm sorry but you're not going to win over anybody like this. They asked you for a date, they potentially gave you some leeway for error (or not), and you gave the wrong date. Evidently your error was too high for them to overlook. You could argue they asked a bad question or should have given more leeway, and people might actually sympathize with you there, but relying instead on pedantry like this does not help.
You should probably do U2F with yubikeys, if you care.
If you care about it, then lock it down.
In many ways there is no good way to verify you, if you don't invest in 2FA.
Would you rather be locked out, or have a hacker locked in?
Why you'd use gmail professionally without a business account is beyond me.
Around a week ago Google suspended the account saying it broke terms and conditions. I've appealed it but haven't heard back, I've spoken to support many times but the case always needs to go to 'another team' who never gets in contact.
I've since set up a new paid G Suite account but have been unable to reuse my domain name as it's still locked to my old G Suite account... That I cannot login to. Support seem to be unable to help, so I've just had to point my MX records to Zoho for now until Google can sort this out.
I am a big Google fan, but this is now becoming a bit of a joke.
If you care about your Google, GitHub, Dropbox, Amazon, PayPal accounts then you should sign up for 2FA.
Ideally, you should have one-time recovery codes printed and U2F or TOTP when U2F isn't available.
I keep all of my TOTP tokens on my yubikey which also does the U2F magic. And of course I have a back up.
But if you don't care to set up 2FA, well, I can see how it's better for Google to lock you out as opposed to locking someone else in.
2. Have backups, redundant and different email accounts.
3. Use a third-party password manager.
4. Don't give google all your information.
It's a horrible ecosystem which ties convenience, and it's bad.
Google isn't your friend.
Facebook isn't your friend.
They've become your gatekeepers.
I’ve actually considered running my own mail server again now DKIM/DMARC is around.
But running my own mail server...argh. I wouldn't want to do that ever again. My approach is, instead, using my own domain with a 3rd party mail provider. That way you are always in control of your e-mail address, and you can always switch to another provider anytime, if anything happens.
Maybe in the last weeks this person entered wrong passwords too often.
>I clicked ‘Forgot Password’ as I always had.
Did the journalist reset passwords too often?
It's worth taking some time to think about how you will recover from various disasters: forgot password, drive crashed, lost phone, etc. IMHO the best approach is to have one account with a hard but memorable password, that you can access from any device, and use to bootstrap the rest of your accounts and passwords. Maybe also keep the password on a piece of paper stored where you will know if it has been accessed.
I would suggest 2FA, if you really care.
I had the same. There's a good chance someone else has that number now - add them on WhatsApp/Facebook Messenger/etc by phone number, Google their number and try to find them, or call them.
In my case, I was able to recover the account by communicating with the new owner, and him quickly sending me the 2FA code he got from Google when I tried to log in.
6 months. That's all it takes between the last time a user successfully used a phone number, and a new user getting assigned the same number with prepaid SIMs in Germany.
6 months is a damn short time.
Or maybe they should stop being idiots and allow people with strong passwords to... just use passwords to authenticate.
Maybe some type of "I know what I am doing, kindly fuck off Google" option.
Tbf if you really knew what you're doing, you wouldn't be using gmail.
> Ron is currently corporate blogger for Intronis where he writes once weekly on issues related to the cloud, and a weekly feature called The Cloud 5 where he aggregates five links related to the cloud computing
Might we perhaps have expected a slightly better understanding of the nature of the cloud? Of 'free' services? Of standard backup practice? Of password managers? Of password security? (Guy apparently used passwords simple enough that he could carry them in his head). It probably makes me a smug, uncaring bunghole, but my compassion doesn't really kick into gear over this.
I have had the pleasure of working with the user database of a certain media company. Passwords in plaintext, of course. Plenty of journalist users. Half of whom had gmail addresses for usernames, and 90% of whom had passwords along the lines of [birthday], [name], or kitty74.
Yes, there were tech people too.
I've been locked out by Google several times. And know of other instances including Google and other services. Some never regained access.
I also have an account where I can't remember the password and I've given google three factors of identification and they still won't verify my account to reset the password.
I have no PR friends that work with Google, so I'm shit out of luck.
I should maybe start doing that again.
It's pretty slack to be taking people's money and providing zero customer service.
I use fastmail for emails, dropbox for storage, icloud for calendar and notes. I also use a security key with my fastmail and dropbox accounts. A physical one. So I don’t really forget my password to begin with.
Tldr: the author underestimated the importance of tech accounts, diversification and how shitty google support service is.
I'm fortunate enough to have a grandfathered free Gmail account so I can own my domain and point it to a Gsuite account without paying.
Otherwise it's worth paying up for Gsuite, Fastmail or similar.
Talk to Alexandra Elbakyan about that, amongst others.
IMHO, free supportless email [like gmail] isn't really an option, given the huge impact that losing it would have.