I got locked out of my Google account for a month (techcrunch.com)
257 points by rbanffy 7 months ago | 196 comments



> On December 5th, I sent a note to a PR contact who I work with on Google-related news and I told him about my problem. He said he had gotten my case escalated and I should hear within 24 hours.

Sadly, in all these stories that end successfully there is inside help from someone who has contacts at Google. I don't even want to think about what would happen to people who don't know anyone inside Google.


I used my work email as my backup for my gmail account, and thus could not retrieve my password after I left that job (on good terms even, but they would not let me use my old email). Having access to my android phone tied to the gmail account helped not at all.

I tried the gmail password retrieval system repeatedly, but could not get it to recognize me even though I had an archive of much of my email, so I thought I could be confident in answering questions about who I emailed and such.

So, I switched to a new email account. Luckily, I had a tablet that (to this day) is still logged into my lost gmail account, so I can tell that nobody I care about is still sending to the old address.

All in all, the consequences weren't that bad, although among them were the loss of my ability to have my straightforward firstname.lastname@gmail.com address...unfortunately using just my first initial and last name is not unique.

The concept of being able to reach a human being at Google is tantalizing but the fact is, I have such resentment and bile built up for the way things were designed that I'm not sure I want to reach out. And it doesn't matter a great deal anyway. I suspect in the long run it's lucky I learned not to trust them too much.


I have a similar situation with my cable company. I have a mail account that I used like 20 years ago that still gets mail, but I can only access it by copying a cookie to my browser.

According to the cable company, the account does not exist. Somehow between the multiple mergers, it keeps getting migrated but is orphaned from their identity system.


Please tell me you've at least set up the email forwarding and "send-as" features so that you can send/receive via that account from another account if you ever want to? And on that note, maybe also set up an application-specific password if it allows you to do this without entering a password? (Though MAKE SURE to test this on your new account to make sure it doesn't lock you out with a password prompt if you attempt this.)

(Although note that if you do this via Gmail it will leak your sending email address in the headers.)

Also, I think you might be able to retrieve the rest of your emails too. You might not have IMAP access, but at worst, you can write Google Scripts and have them upload your emails to another account. It will be rather slow but you should be able to copy all your emails this way. I don't think it should prompt you for a password when giving permission but I'm not sure; again, test this on your new account before trying. Make sure to wait like half an hour to make sure any internal password prompt timers expire.


My sister-in-law has a blog that sends out email notifications to subscribers (who requested them) when she posts a new article. After a few hundred subscribers had marked these notices as spam rather than unsubscribing, her blog, email account and entire site got blacklisted. She only managed to get this cleared up via a tech support friend who has contacts at Google.


This stuff makes me worried about the future. We'll have this massive AI/computer machinery making more and more decisions without any recourse. This will be the ultimate faceless bureaucracy.

At work I can almost every day hear someone yelling at his health insurance company because something has been f...ed up. Once they start hiding even more behind automation how can you resolve anything?


Automated lawsuits.


I chased down a spam flag by one of our users a while ago (we only send transactional emails to actual accounts) and actually spoke to the user since he complained about not receiving any of our emails.

Turns out he uses the spam button in his email client as a temporary deletion / archive for emails he wants to read later...

TL;DR: Many users create their own issues by just not giving af. It reminds me of antibacterial hand wash.


Tell her to be sure there is a distinguishable "unsubscribe" link in letters.


You'd be surprised for how many technology-inept users that wouldn't make a difference. They'll still mark the email as spam. It's easier for many people to understand and easier to click.


You are absolutely right, e.g. I marked Microsoft's MSDN emails as spam. But that was largely due to the fact that the unsubscribe link in their emails redirected me to an unreachable server for weeks and then I gave up.


If an email doesn't offer an unsubscribe link, or if that link doesn't immediately unsubscribe me without any extra clicks (e.g. takes me to an "update email preferences" page or, god forbid, asks me for my email address or other info), I click Report Spam for it.


You'd be surprised how many opt-out messages and messages sent to unverified addresses I get. They all have unsubscribe links but I'll hit report spam each and every time.


It sometimes can be better to mark it as spam. There was a thing a while back where the unsubscribe link was just verifying that you still check that email account, and you click on links, so they'd send you more spam.


That's closer to an urban legend than the truth. If you once gave them your email address, they are generally good about honoring unsubscribe requests. It's expensive for them to create a high-quality customer list, so they're not going to play games that put them into a gray area. Don't be lazy and classify them as spam on this basis, because it fails to distinguish good-faith businesses from actual spammers.

Senders who bought, stole, or brute-forced your email address are a different story. For them it's just a numbers game. They are, by definition, spammers and should be treated as such.

There is a final group of senders who you did once interact with but who show these behaviors:

1. They are too incompetent to keep the unsubscribe server running;

2. They broke the mail template so it doesn't point to a valid URL;

3. They fail to control subscription preferences within their own company so that the marketing department keeps using the same old list even though months of unsubscription requests have accrued since then;

4. (My pet peeve) They take you to a blank form that asks for personally identifying information in order to unsubscribe, rather than embedding an identifying token in the email's unsubscribe link. Out of principle, I will not enter PII into any form on the other side of an email link, even if it comes from someone in my family. It's too easy to fall victim to phishing, and I resent any sender that puts me in that situation. If a business asks for any PII to unsubscribe, I close the tab and mark the email as spam.

Any of those get marked as spam. Their intent was not to spam me, but I can't do business with incompetent senders.
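The fourth point above (an unsubscribe link that carries an identifying token instead of asking the visitor for PII) is easy to get right. The following is an added example, not code from any commenter or mailing-list product: the token is an HMAC over the subscriber id, list id and issue time, so the link identifies the subscriber by itself, cannot be edited to unsubscribe someone else, and stops working after a configurable age. The signing key, host name and list name are constructed for the example. It also emits the `List-Unsubscribe` / `List-Unsubscribe-Post` headers (RFC 2369 / RFC 8058) so mail clients can offer a native one-click unsubscribe that hits the same signed URL, which is the other half of not getting reported as spam.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed signing key for the example. A real sender keeps this in a
# secrets store and rotates it; anyone holding it can forge unsubscribe links.
SECRET_KEY = b"example-unsubscribe-signing-key"


def _sign(message: bytes) -> str:
    """URL-safe base64 of HMAC-SHA256(key, message), padding stripped."""
    mac = hmac.new(SECRET_KEY, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_unsubscribe_url(base_url: str, subscriber_id: int, list_id: str, issued_at: int) -> str:
    """Build a self-authenticating unsubscribe link.

    The signature binds subscriber, list and issue time, so the landing page
    needs nothing from the visitor: no e-mail address, no login, no form.
    """
    token = _sign(f"{subscriber_id}:{list_id}:{issued_at}".encode())
    query = urlencode({"s": subscriber_id, "l": list_id, "t": issued_at, "sig": token})
    return f"{base_url}?{query}"


def verify_unsubscribe_url(url: str, now: int, max_age: int = 90 * 86400):
    """Return (subscriber_id, list_id) for an authentic, unexpired link, else None."""
    params = parse_qs(urlparse(url).query)
    try:
        sub = params["s"][0]
        lid = params["l"][0]
        issued_at = int(params["t"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    expected = _sign(f"{sub}:{lid}:{issued_at}".encode())
    # Constant-time compare so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, sig):
        return None
    if now - issued_at > max_age:
        return None  # links from very old campaigns eventually stop working
    return int(sub), lid


def unsubscribe_headers(url: str) -> dict:
    """Headers that let mail clients show a native unsubscribe button.

    RFC 8058 one-click clients POST to the URL with the body
    'List-Unsubscribe=One-Click'; the handler verifies the same signed query.
    """
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


if __name__ == "__main__":
    issued = 1_600_000_000
    link = make_unsubscribe_url("https://lists.example.test/unsub", 42, "weaving-news", issued)
    print(link)
    print(verify_unsubscribe_url(link, issued + 3600))      # (42, 'weaving-news')
    print(verify_unsubscribe_url(link.replace("s=42", "s=43"), issued + 3600))  # None
    print(unsubscribe_headers(link))
```

The handler on the receiving side should honour both GET (human clicking the link) and the RFC 8058 POST, and should unsubscribe immediately without asking for anything else; the token already proves who is asking.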


Mark spam as spam. Unsubscribe from content you signed up for and no longer want.


And how many things are "signed up for you"? There's a lot of those. It's getting harder to tell what I actually signed up for, and what I thought I was signing up for.


If they say "signed up for you," then it's spam -- it's unsolicited commercial email. Unless you designated someone else as your agent to sign you up for crap on the web, then you didn't solicit it.


Me too. I consider it spam because I don't want people sending me random crap and I could care less if it hurts the person sending the mail. Either way it gets it out of my way.


Not just that. If I have to follow the link and log in, it's easier to go back and click spam.


And make sure people are intentionally opting in.


I'm often signed up for emailing lists because I use a service. Or just gave them my email to see a demo thingy.

In general I try to hit unsubscribe if I know I've had business with the company. But if they are clearly just trying to sell more, it goes to spam.


I would still consider it as unsolicited if I didn't opt in to receive further emails. Just because I bought something from a company once doesn't mean I'm happy to receive a "please rate us" begging email, an offer to look at their other products, and a "merry Christmas to all our customers" message. Not really spam in the traditional sense but these type of emails seem especially prevalent at the moment and dealing with them is a big time sink.


[flagged]


She's a weaver, fabric artist, and teacher of fabric arts. Travels the country giving courses. Sells instructional materials and occasional tools and materials. Not a bit of shadiness involved. Your comment is inappropriate for this site.


In my experience, that is 100% true. I made an app and uploaded to the Play Store, but it was rejected for whatever reason, and I was told I'd hear back from them within 72 hours. 8 days later after not hearing anything from them despite multiple attempts, they got back to me only _after_ a friend of a friend connected me with someone who works at Google. The iOS store was a piece of cake compared to anything Google related.


I used Tor to access Google "products". After taking a hiatus and logging in with the correct (strong) password Google essentially locked me out.

And no I don't have any "techbro" friends who work for Google.

Lessons:

Do not use Google unless you are OK with losing your account if they one day decide to hold your identity and data hostage.

Even if you PAY Google ("Google Apps" or whatever the fuck they are calling it these days), you are still at risk.

Set up mail forwarding in Gmail and migrate to a service not run by an advertising monopolist.


Always set up 2FA for anything you care about: TOTP, U2F and one-time codes, if available.

And save the backup codes! Multiple physical copies.

If you use Tor you should be taking your operational security seriously. Passwords are useless.
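The advice above (TOTP plus one-time backup codes, with the backup codes saved somewhere safe) is what the account side of that looks like. This is an added example, not code from any commenter or from Google: a standard-library implementation of RFC 4226 HOTP / RFC 6238 TOTP, a verifier that tolerates one step of clock drift and compares in constant time, and backup codes that are stored only as hashes and deleted on first use. The secret `12345678901234567890` is the RFC 6238 test-vector key, so the expected codes can be checked against the RFC; the backup-code format is an assumption.

```python
import hashlib
import hmac
import secrets
import string
import struct

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real authenticator
# secret is random bytes shown to the user once as a base32 QR code.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second window."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current window or +/- `window` neighbours (clock drift).

    Every candidate is compared with compare_digest so the time taken does not
    reveal how close a guess was. Production code also records the last accepted
    counter and rejects anything at or below it, so one code cannot be replayed.
    """
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(key, unix_time + drift * step, step)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


BACKUP_ALPHABET = string.ascii_lowercase + string.digits


def generate_backup_codes(count: int = 10, length: int = 8) -> list:
    """One-time recovery codes (~41 bits each at length 8). Shown to the user once;
    the comment above is right that they belong on paper in more than one place."""
    return ["".join(secrets.choice(BACKUP_ALPHABET) for _ in range(length)) for _ in range(count)]


def hash_backup_code(code: str) -> str:
    """Store only the hash. Unsalted SHA-256 is acceptable here because the codes are
    random and high-entropy, unlike user-chosen passwords."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def redeem_backup_code(stored_hashes: set, submitted: str) -> bool:
    """Consume a backup code: valid exactly once, then removed from the stored set."""
    digest = hash_backup_code(submitted)
    for stored in list(stored_hashes):
        if hmac.compare_digest(stored, digest):
            stored_hashes.remove(stored)
            return True
    return False


if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59))          # 287082 (RFC 6238 vector 94287082, last 6 digits)
    print(verify_totp(RFC_TEST_KEY, "287082", 89))   # True: one step of drift tolerated
    codes = generate_backup_codes()
    vault = {hash_backup_code(c) for c in codes}
    print(redeem_backup_code(vault, codes[0]), redeem_backup_code(vault, codes[0]))  # True False
```

The point for the thread: backup codes are the only factor in this scheme that survives losing the phone, the number and the recovery mailbox at once, which is exactly the failure several commenters describe.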


> inside help from someone that has contacts in Google

The same is happening with Amazon right now; sellers getting kicked out by default and there is no way to get hold of a real person, just talking to some machine learning bot. Real people simply don't matter anymore.


It happens all the time, and there is no recourse unless you can get lucky enough to cause a social media storm with enough outrage it catches someone's attention.


Agreed. I see this story several times a year. Usually with small time people with no contacts to get them help, but I have seen large companies lose control of everything as well. I just don't understand handing over mission-critical services to companies that offer you zero control or support in exchange for free or nearly free.


The ability to cause a social media storm alone could be a motivation for having some social media presence. It seems otherwise you are screwed if something goes wrong.


My AdWords account got locked a few years back. It was my first attempt to try AdWords on my website. I've loaded around $20 and it almost immediately got locked (not a single ad was shown/clicked). I could never unlock it or retrieve my money from it. So Google has my 20 dollars now.


I recently got a letter in the mail (from EY if I recall correctly) who, on behalf of Google, asked me if I wanted to collect the unused balance from an inactive account (with options on how to receive said funds), otherwise it will go to your state's unclaimed funds. Perhaps check there to see if it got sent there?


Chargeback?


Chargeback plus time machine you mean?


Whoops, yeah, I guess it depends on how many years back it was. I guess it's better advice for what to do when it happens. That said, I know at least one bank's website allows disputing transactions over a year old but I'm not sure if they allow over 2 years or not (you may have to call).


> I don't even want to think about what would happen to people that don't know anyone inside Google.

Like me...

Luckily I'm still logged into gmail on the iPhone so there's a (slim) chance I might be able to get back in on the laptop.

--edit--

Maybe last time was a fluke but I managed to get signed in, weird.

Sorry to doubt you google.


The US over time has developed this amazing alternative system to deal with all kinds of really complicated b.s. It involves guys and gals in black robes. They even get to say "Agree, that thing you signed is stupid, so we are going to presume you did not actually sign that".

Use them. They are lovely. 1-800-BUILD-A-BEAR lovely.

They also happen to love to smash into faces of smug dumb entities. Like Google. Or Apple. Most often because they have their own horse to ride. But who cares. Just. Use. Them.


Wouldn't life be wonderful if this was true.


Talk less. File more.


I dunno if you're a lawyer, but you should be in marketing.


I think this is the money quote:

“That same day I opened a second GMail account so I could have access to services like an email account if need be, [...]”

So, this journalist is in the middle of a horrible experience with Gmail and responds by ... opening another Gmail account, because basically realistically imagining email as something other than Gmail is far too much of a stretch in most people’s minds.


This happens all over the place -- for some reason, the majority of the people won't learn. They'll tell you horror stories about how they lost a lot of work (or even money!) because a provider never gave them support, yet, go back to that same provider.

A group of acquaintances had a Facebook group where they shared research and documents. It got deleted and they lost everything. Thrice. I suggested they used something else for document storage each time, but was just ignored or shooed off.

The root cause of the problem is kinda beyond me -- but it's clear that people are unwilling to learn from experience when it comes to these things, and that these free services will continue to behave as they do because there's no downside to doing so.


My sister had her broadband slammed (taken over by an ISP without any request or permission whatsoever) which left her with an unreliable and slower service. She stayed with them.

For about three years the router they sent her would kick off the fifth-oldest DHCP lease and the ISP kept refusing to replace it.

It's a truly fascinating psychological effect.


It's "who moved my cheese". People will violently resist changing their routines.


But a Google account is not just email. It's also drive, calendar, and so on. There's a lot of time spent becoming familiar with those services, and to up and switch that entire suite would take a massive amount of relearning. Under the same circumstances as the author, I think I'd be back to Google. Remember, other services have their own issues as well.


Having read the article, I start to wonder whether GMail is a service for Google, run by the user, where Alphabet are given invaluable personal information about a person, which they can then correlate with their other services in order to build a detailed mine of data about that person.

In the course of this transaction the user may be permitted to read the emails that belong to Alphabet.


This is very much true. I built an ecosystem around Google because they work fine (usually). Rebuilding this for, say, Microsoft would be a tremendous effort.


Worse than that, if we take those words at face value (and that person works in journalism), they apparently don't even know that email != gmail.


I'd love to switch away from gmail, but their 'important mail' function is essentially unique to them, and I love it.

Sadly, this seems like a system that can't really be self-hosted. It requires data.


If you have Gmail you have a fantastic training set of important and not important email pre-labeled for you to try learning that model for yourself.


What alternatives to GMail do you recommend?


https://www.fastmail.com/

It costs $5/month if you want to use your own domain. I've pretty much stopped using Gmail, etc. and switched totally to them.


Do you find their web interface as good as Gmail?


Yes, I do. The only thing I miss is tagging/archiving. Fastmail uses a traditional folder paradigm, and archiving only moves the message to a special archive folder.

Their login 2FA options are as good as Gmails, and I like their mail-rules better (though you have to drop into "power users" mode more than I'd like).


How is their calendar?


I haven't used it as much, but it seems just as good for single-person use. It's WebDAV IIRC. I haven't tried to use any "shared calendar" features.


https://protonmail.com/ is free, open source, and encrypted.


Honestly I think the answer to your question is: giant fail by the tech community, because to my knowledge there isn’t anything actually comparable, free or paid.


Fastmail certainly is comparable.


Yeah well I got locked out of my hotmail account 5 years ago and I never got back in. There was a bug in an iOS release that caused the Mail app to make repeated, unnecessary requests to authenticate hotmail/outlook so Microsoft determined that there was suspicious activity and locked me out. They have an account recovery process for situations like this and I tried, and tried, and tried, and failed to regain access. I just tried again last week. I tried contacting them directly, too of course. No luck.

So I know what happens when you don't know someone on the inside: you are out of luck. You lose important emails, photos, notifications, bills. You have to change a lot of your other accounts. No fun at all.

Wait...you want to know the worst? That's the email I used for Coinbase that I think still has a few Bitcoin in it. I can't log into Coinbase because I don't have the same phone with the same phone number for Authy, and the recovery email is the Hotmail email I am locked out of. Of course I have open support tickets with Coinbase but you can imagine that I'm not exactly real high in their priority queue. So being locked out of my email has cost me a lot of money in the long run.


I'm sympathetic to your situation. But being locked out of selling your bitcoin for a few years might have resulted in you earning a lot of extra money! Hopefully you can regain access to Coinbase. Since they are regulation-compliant and legit, you should eventually be able to gain access to your assets. If it's enough BTC to be worth the expense, maybe you could expedite the process with a lawyer?


You didn't back up your 2FA keys?


I'm in the same situation right now. I didn't back up my Authy keys because when I switched phones, the balance on my Coinbase account was zero (still is), so it wasn't a high priority to me.

Now, I'm trying to get back into the account so I can add some BTC to sell it, and I'm getting nowhere with the customer support. For an account with a 0 balance. And I still have access to the correct email, phone number, etc.

At this point it'd just be easier for me to sign up for a new account I guess, but I don't want to have to use a throw-away email for that. You'd think there'd be some kind of easy path to regain control of an account with zero balance, as there's no risk of theft. Nuke all attached bank accounts and the like as a safety measure.


> Imagine you have spent much of your digital life for the last 12 years on Google. You rely on their mail and calendar, Google Drive for storage and Google Photos for your photo archive.

Like I've said in the past here [1], if something is so important to you, you need to treat it as such. Continuing to use a service that offers no guarantees, availability or even continuing access to your account is a sign of ignorance, when you rely on that service so much.

Now ignorance is not the fault of the user. It's primarily the failure of education. There are multiple deficiencies at play here:

1. Lack of knowledge of general population about significance of terms of service, and literacy to read and understand them.

2. Lack of regulation to enforce service providers to provide concise and less technical terms of service.

3. Lack of clear options provided by the service provider for users, so that if a paid option with guarantees is available, it's easy to sign up for and use.

In case of Google, you can, for $60 a year, have an email account under your own domain (which by the way decouples you from Google if you wish to move to another provider in the future), a 24/7 phone support and other goodies. The issue is the number of hoops you need to jump through to set that up, making it inaccessible for the average user. This is Google's fault.

[1]: https://news.ycombinator.com/item?id=6839142


You don't have to use the business option. There's a paid subscription for $5 a month that has the same level of support.

Being able to call someone means you can tie up a $20/hour resource until you can log back in to your account.


The main problem is that people do not want to pay. Simple as that. For example, I have met so many real estate agents who refuse to have G Suite and pay $60/year because it is "too expensive".


Can you, or someone else, point to an alternative to gmail that won't decide to lock me out of my account and still offers generous data storage?


Google will give you a chance to move your data out of their cloud should they decide to kick you out. This option is available if you pay for G Suite (their business plans) which I mentioned above.

Any provider has the right to terminate your account for variety of reasons even if you're a paid customer.


I think GPs point is that it shouldn't be free.

But yeah, fastmail have a decent reputation.. and they are known for improper verification (which they've hopefully fixed).

Seriously though, 2FA and recovery codes is the way to protect important accounts!


>Like I've said in the past here, if something is so important to you, you need to treat it as such.

Which is why you use a password manager and keep a copy of your Google account backup codes in the event you need them.


Google can lock you out of your account even if you have the right password.


That's why you have 2FA, U2F and one-time recovery codes.


Isn't a big problem that they will sometimes lock you out of everything for some behavior they think is bad on just one of their services? You have been denied access. No tech solution to this problem.


In the era of cloud services, if it's not on your hard drive you could ultimately lose access to it at any time. People tend to think about reasons like companies shutting down services, getting acquired, etc. but this brings up an entirely new class of ways you could lose access to your cloud info: Locking yourself out. Maybe you forgot the password, your password manager had a bug, or the account was with an old school or work email you no longer have access to. This may seem silly but as a dev I forget my passwords for things all the time. Imagine how this kind of technological shift impacts a non-technical person.


I worked for a large b2c website.

Many users used the password recovery flow essentially as their login mechanism.

Seriously.


Some companies understood and embraced this: Slack and auth0 can send you "login links" via email which log you right in.

Remove that pesky "password" from the entire "password reset" flow. Makes perfect sense (meaning: there are clearly users making use of it).
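What a "login link" flow has to get right, as an added example that is not code from Slack, auth0 or any commenter: the token in the link is a fresh random value, only its hash is stored server-side (so a leaked table of pending links is useless), it expires after a short TTL, and it is consumed on first use so a link that leaks later, for instance through a mail forwarder or a shared device, cannot be replayed. The store, URLs and addresses are constructed for the example; a real service would keep the pending records in a database rather than a dict.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class LoginLinkStore:
    """Outstanding login links, keyed by SHA-256 of the token.

    The raw token goes only into the e-mail. Hashing with plain SHA-256 is enough
    here because token_urlsafe(32) yields 256 random bits; there is nothing for a
    dictionary attack to guess, so no salt or slow hash is needed.
    """

    def __init__(self, ttl_seconds: int = 15 * 60):
        self.ttl = ttl_seconds
        self._pending = {}  # token_hash -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, base_url: str, now: int) -> str:
        """Create a one-time link for `email`; the returned URL is what gets mailed."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, now + self.ttl)
        return f"{base_url}?{urlencode({'token': token})}"

    def redeem(self, url: str, now: int):
        """Return the e-mail address the link was issued for, or None.

        The record is popped before any check, so a link is spent on its first
        presentation whether or not it was still valid: no second chances, no
        oracle that lets an attacker probe an expired link repeatedly.
        """
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        if now > expires_at:
            return None
        return email

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    store = LoginLinkStore()
    link = store.issue("user@example.test", "https://app.example.test/login", now=1_000)
    print(link)
    print(store.redeem(link, now=1_100))   # user@example.test
    print(store.redeem(link, now=1_100))   # None: already used
```

The caveat that ties this back to the article: a login link is exactly as strong as the mailbox it lands in. Whoever controls the mailbox controls every account that logs in this way, and whoever is locked out of the mailbox is locked out of all of them at once. The issuing side should also rate-limit requests per address so the feature cannot be used to flood someone's inbox.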


We did the same after realizing what was going on.


What's surprising about that? It's the easiest way to deal with a system where you need to log in occasionally.


So why not take advantage of that... instead of passwords just email the user a link they need to press to log in.


That is a great idea. For many people that would be quicker and a nicer work flow.


Google (and other companies) are purposely opaque about how they determine whether you have provided enough information to verify you are the owner of the account...

Getting it wrong has significant impact on how much the brand is trusted (and for some companies, that's all they have)... Lose it and it's time to shutter!

To be fair to Google, they do regularly prompt users to review the security of their account (e.g. with checklists like this: https://support.google.com/accounts/answer/46526?hl=en). Note that Step 3 is "Update your account recovery options"!!


They always seem to want phone numbers, which in a lot of countries are easily attributable to real people.

One more time the "techbros" of Silicon Valley don't realize their actions are hurting people.


Just buy two yubikeys.


Why? Instead of 2FA?


You can do both TOTP and U2F on a yubikey.

U2F is much harder to trick..

And TOTP on your phone is likely to get hacked. TOTP on a physical yubikey is a much harder target.


> That same day I opened a second GMail account so I could have access to services like an email account if need be, even if it didn’t have any of my previous data in there.

When service is this terrible, why stick with the bad provider? I generally find the whole article sort of depressing... “Google ignored my problems for a month. But now I have access again oh well yay!!”


Because what's the alternative? You can spend weeks moving all your data to Microsoft or Apple... and suffer lost messages when people don't update their e-mail for you... and then discover they're just as bad or worse?

What's an alternative to Gmail+Drive+Apps that has as much functionality, ease of use and convenience, and at a comparable price, but guarantees you won't get locked out?


If you're opening a new 2nd account, there isn't anything to "move", is there?


You have to update your email address with every person, service, mailing list, etc.. you use.


Just to provide one example - about a year ago I moved from a 12 year old Gmail address to another address/service. The lift for updating people, services, etc. really wasn’t that much. I left the gmail around and I do log in once a month or so but the last time I remember anything of interest coming there was maybe six months ago.

I also exported all of my emails from Gmail. I recall accessing them once maybe a month or two after the move, but since then I haven’t touched them.

In general I think people attach much more significance to things like email addresses and phone numbers than is necessary. Frankly I’d much rather things like that change from time to time so they aren’t so easily used as semi-permanent identifiers.


Just like with a second gmail account…


yes, if you are opening a second account, regardless of where, there is plenty to move.


I just moved all my E-mail from Gmail to my own VPS running Exim. Took maybe two evenings of work including IMAP access and a basic spamassassin setup.


> What's an alternative

It’s called paying for the services you use. You don’t even need to switch to a different product / provider, just pay $5/month and ~$10/year for a domain name. Then worst case scenario, you can move your domain off of Google Apps and not need to update your email address everywhere with everyone.


Exactly this. I truly don't understand that people put their professional career on the line for the price of a domain name.

I also use GMail, it's incredibly useful. But it's my own domain, and if there's a problem, I point the MX records of my domain name to another email provider and forget about Google.


[flagged]


1) please check the rules of HN before replying that way

2) I did read the article, paying for Google Drive or Photos storage is not paying for Gmail.


1) Apologies

2) The article isn't about Gmail, it's about an entire Google account where the author stated they ARE paying for extra storage for Gmail and Drive -- where you seemed to imply they're not paying. And buying your own domain does nothing for getting access back to your 10,000's of past e-mails or your 100's of GB's of files you're paying to store.


> And buying your own domain does nothing for getting access back to your 10,000's of past e-mails

Now if only Google had a way to “take out” your data and made it trivial to have backups for emergencies.


Of course you have to back them up yourself. But that's true for any service.


When is the last time you heard the same kind of story about Apple or MS?


Didn't Apple shut down their .me or whatever it was called services some time ago (and AFAIK that was even a paid service)? What happened to the websites, blogs, emails, etc that were hosted by them?


They discontinued the hosting, but the rest of the services (including email) are largely still around, just rebranded to iCloud. https://en.wikipedia.org/wiki/MobileMe


It’s important to note that the old email addresses still work. New ones are assigned to the icloud domain, but my @mac.com email still works and that was a (free) service when I signed up for it in 1999. Old @me.com addresses also remain functional.


Just to echo you, I also still have my @mac.com / @me.com versions of my iCloud login too.


Trusting "your life" to a third party service is very dangerous. Because if your life depends on that service, your life can't continue with out it, so I ask, why do this to yourself?

The convenience is a serious trade off.


The thing is, people round small risks to zero. As a heuristic, it's not correct, but there are so many possible small risks that it's impossible to round them all up to a significant amount either. Same principle leads to people accepting abusive licensing terms.


What's the alternative though? It's not like Microsoft and Yahoo's email/calendar services are much better. Use a paper calendar and run your own private email server and hope you never have to run for president?


Pay someone for the critical services you rely on. I'd never trust Google with my main email service; Fastmail.fm has been great to me.

For calendaring, I rely on Apple; even if they were to somehow vanish, I'd still have 3 copies of my calendar lying around.


Buy your own domain name and forward your mail from an address on that domain to your gmail. Keep a backup of your email. If you lose access, just create a new account and update the address you're forwarding to.

This is an absolute minimum of money (under $20/year), effort, and disruption to your current habits. Plus, you get to use whatever vanity email address you want.


> run your own private email server

Why not? It works for a lot of people. I don't understand why some people are so eager to hand their personal data out to 3rd parties. This is a very do-able solution.


Honest question - what happens if you don't know the password on your Mac, Windows, Linux box? Are there routes to recover the information on the hard drive if the user does not have the password and there is no admin?


I don't know. It might be an unpopular opinion, but I am okay with being locked out if I forgot the password to my email. I prefer that to weakened security and complex sign-in processes.


If that were all that could do it, sure. That's not the end of it, though. I was trying out anonymization methods a while back, and created an account for use through Tor + a VPN (yes, I know it's Google). I recently tried to get back into it, but since I wasn't "where I usually sign in" (and can't actually say what city they thought that was), I'm locked out. I have the correct password in my manager, and I can even answer that "when did you create this account" question because of that, but Google still won't give me any way in. Since there's nothing important in there, I'm fine leaving that particular address behind rather than escalating things, especially after reading the article, but there's a few really dangerous implications there if you do want to habitually decouple your IP from your physical location.


Usually if you can SMS verify they will let you in. Google (and many other companies) insist on SMS not because it is secure (it's not) but because it requires account spammers (scammers) to put up some money (buy a phone) before they let you use the service too much. I would be surprised if you get through the registration process before they insist on SMS verification if you are coming out of a VPN provider netblock. And forget coming out of a Tor exit node.

Keeping your identity hidden from Google while using their services is a fool's errand. Find some other email provider with less big data mining expertise.


I'm confused, so you are answering every single security question correctly and you are logging in from your usual location without any kind of Tor/VPN/etc. and you still have no way to access that account? Or are you merely prevented from logging in via Tor/VPN?


That is correct, I had the same issue.

My account was previously always used in Germany, and then fell into disuse once I migrated to another Google account (to change the primary email address).

Someone tried several passwords for the account from Russia, Google warned me by sending a warning to the backup email, and let the attacker in anyway.

Being in Germany, the reset flow asked me to either

(a) provide the phone number used, prove I control the backup email, and provide the exact account creation date (I was off by a few months, and it failed to allow me in),

(b) prove ownership of the backup SMS, backup email, and answer all security questions correctly (which I couldn't, because the phone number had long been reassigned).

I, desperately, called Google Nexus support (not possible to solve), and even asked people on the inside, who got the account team on it (more on that later). No can do.

In the end, I got the new owner of the phone number (ALDI Talk reassigns phone numbers after 6 months disuse) to help me by him sending me the SMS verification code, which I'd enter, to verify identity, and get the account back.

After I managed to log into the account, I obviously enabled 2FA, secured it, etc, but I also found a new message in the inbox, from Google's account recovery team, the usual 'thank you for contacting us, etc' one. They had contacted 'me', after I complained that the account was hijacked, by writing an email to the account, and talking with the attacker. Who obviously said there's no problem.


>> I'm confused, so you are answering every single security question correctly and you are logging in from your usual location without any kind of Tor/VPN/etc. and you still have no way to access that account?

> That is correct, I had the same issue.

> the reset flow asked me to either (a) provide the phone number used [...] or (b) prove ownership of the backup SMS [...]

> (which I couldn't, because the phone number had long been reassigned)

But this means what I said earlier is not correct, since you are not answering all of their security questions correctly.


I managed to successfully complete the (a) flow, but it was considered not enough, due to the different IP, and minor inaccuracy with the creation date.

I later managed to successfully complete the (b) flow due to the SMS.

I believe Google isn't using a binary definition of success, but a confidence interval of how sure they are you are the actual owner - if they are reasonably sure you are the owner, fewer questions need to be solved, if they are reasonably sure you are not, they cancel the flow before you even have a chance, and if they're unsure, they ask you more questions.

On my first attempt, I got over a dozen questions to validate myself, later on, I got told "sorry, we don't believe you" after already one question.


> I managed to successfully complete the (a) flow, but it was considered not enough, due to the different IP, and minor inaccuracy with the creation date.

That's exactly what I mean though. You didn't answer their questions correctly. It wasn't just due to your location/IP; you put in the wrong date. (It's quite funny/ironic that you are also answering my questions incorrectly and yet insisting otherwise. While I sympathize with you for the actual problem, it doesn't help anyone sympathize when they see facts being twisted!)


> you put in the wrong date

There is no "wrong" or "right" date for Google. Google's support says to input whatever date you remember, Google will judge it as neither "true" or "false", but based on how close you are, and (this part is now speculation) combine that with other factors.


> There is no "wrong" or "right" date for Google. Google's support says to input whatever date you remember, Google will judge it as neither "true" or "false", but based on how close you are, and (this part is now speculation) combine that with other factors.

I'm sorry but you're not going to win over anybody like this. They asked you for a date, they potentially gave you some leeway for error (or not), and you gave the wrong date. Evidently your error was too high for them to overlook. You could argue they asked a bad question or should have given more leeway, and people might actually sympathize with you there, but relying instead on pedantry like this does not help.


This is very surprising - what of people who like to travel??


2FA if you care about you accounts.

You should probably do U2F with yubikeys, if you care.


If you are smart enough to use Tor shouldn't you also be using 2FA?

Ideally, U2F...


Do you have any evidence that Google treats 2FA differently in this scenario?


If I travel many accounts often ask for 2FA...


Sounds like either Google is a terrible company with useless customer service and dysfunctional standard procedures, or known journalists and bloggers immediately set off alarms when they use this recovery mechanism because there has been too much negative press about social engineering leading to account theft recently. I.e. perhaps they wanted to prove that his account is safe from cheap tricks.


Free Gmail users aren't customers.


Why don't they just offer some kind of emergency support with a hefty price tag for these cases? E.g. pay $200 to have an actual human verify your identity? I don't think that would cost them anything and most people in this situation would likely pay any price to regain access.


I'd think they would be accused of engineering the situations where that help is needed, and profiting from it.


Why don't you just buy two yubikey and print one-time recovery codes?

If you care about it, then lock it down.

In many ways there is no good way to verify you, if you don't invest in 2FA.

Would you rather be locked out, or have a hacker locked in?


Well, I use 2FA extensively, including for my Google account. However, there are even more vectors possible with 2FA where you lock yourself out of your account (e.g. lose backup codes, phone and access to phone number) which a human could easily solve (verify scan of ID, address proof, phone call, confirm that no activity for X days on the account in question).


How would that work? I can of course go to their office and prove my identity but since nobody did that when opening the account, they can't necessarily prove that it is my account..


Business accounts already have paid support built-in, and are able to contact a human (I know because I did).

Why you'd use gmail professionally without a business account is beyond me.


Because they would likely lose money over it.


I have (had?) a G Suite Legacy Free account, that I used for my personal emails.

Around a week ago Google suspended the account saying it broke terms and conditions. I've appealed it but haven't heard back, I've spoken to support many times but the case always needs to go to 'another team' who never gets in contact.

I've since setup a new paid G Suite account but have been unable to reuse my domain name as it's still locked to my old G Suite account... That I cannot login to. Support seem to be unable to help, so I've just had to point my MX records to Zoho for now until Google can sort this out.

I am a big Google fan, but this is now becoming a bit of a joke.


Few people seem to realize that if you lose access and they restore your access with limited information, then any attacker could do the same.

If you care about your Google, GitHub, Dropbox, Amazon, PayPal accounts then you should sign up for 2FA. Ideally, you should have one-time recovery codes printed and U2F or TOTP when U2F isn't available.

I keep all of my TOTP tokens on my yubikey which also does the U2F magic. And of course I have a back up.

But if you don't care to setup 2FA, well, I can see how it's better for Google to lock you out as opposed to locking someone else in.
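
The two mechanisms this comment (and the "buy two yubikeys and print one-time recovery codes" comment above) recommends, as an added worked example that is not code from the thread or from any vendor: TOTP exactly as RFC 4226/6238 specify it, plus single-use recovery codes stored hashed and consumed on redemption. The storage layout for the recovery codes is my own assumption of a sane design, not any provider's actual scheme.

```python
"""TOTP (RFC 6238) and single-use recovery codes.

Added example; the HOTP/TOTP arithmetic follows RFC 4226/6238, the
recovery-code handling (hashed at rest, deleted on use) is an assumed design.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift.
    Every candidate is compared in constant time and none short-circuits."""
    counter = at // step
    ok = False
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + k, digits), code):
            ok = True
    return ok


def provisioning_secret() -> tuple[bytes, str]:
    """Fresh 160-bit seed; the base32 form is what goes into the enrolment QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


def generate_recovery_codes(n: int = 10) -> tuple[list[str], set[str]]:
    """Return (plaintext codes to print once, hashes to store server-side).
    Each code is 64 bits straight from the CSPRNG, so a plain SHA-256 is
    enough at rest: unlike passwords, these cannot be guessed from a wordlist."""
    plain = []
    for _ in range(n):
        hex16 = secrets.token_hex(8)
        plain.append("-".join(hex16[i:i + 4] for i in range(0, 16, 4)))
    stored = {hashlib.sha256(c.replace("-", "").encode()).hexdigest() for c in plain}
    return plain, stored


def redeem_recovery_code(stored: set[str], code: str) -> bool:
    """Single use: the matching hash is removed from `stored` on success."""
    digest = hashlib.sha256(code.replace("-", "").strip().lower().encode()).hexdigest()
    match = None
    for h in stored:  # scan every entry rather than stopping at the first hit
        if hmac.compare_digest(h, digest):
            match = h
    if match is None:
        return False
    stored.remove(match)
    return True


if __name__ == "__main__":
    raw, b32 = provisioning_secret()
    print("enrol with base32 seed:", b32)
    now = int(time.time())
    code = totp(raw, now)
    print("current code:", code, "verifies:", verify_totp(raw, code, now))
    codes, vault = generate_recovery_codes(3)
    print("print these once and keep them offline:", codes)
    print("first use:", redeem_recovery_code(vault, codes[0]),
          "second use:", redeem_recovery_code(vault, codes[0]))
```

The drift window is the only concession to usability; a phone number is never consulted, which is the point of the thread's complaint about recycled numbers. The printed recovery codes are the offline fallback the commenters keep mentioning: once one is redeemed it is gone, so an attacker who finds the sheet later gets nothing from the used entries.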


1. Don't trust google with all your information.

2. Have backups, redundant and different email accounts.

3. Use a thirdparty password manager.

4. Don't give google all your information.

It's a horrible ecosystem which ties convenience, and it's bad.

Google isn't your friend. Facebook isn't your friend.

They've become your gatekeepers.


Recently I had a similar experience, thankfully with my work account. Even then, with having GSuite support, it took around 2 weeks to resolve the issue. If you lose access to your personal GMail account, well....you're fucked :/ Since then I have slowly started migrating my personal email and all logins to another mail provider, where you can actually contact support, as to not rely on Google.


This sort of stuff scares me so much. I see many people relying on one basket of eggs all the time (AWS is a fine example) with no backup plan.

I’ve actually considered running my own mail server again now that DKIM/DMARC are around.


I know how that feels and I agree. Vendor lock-in is crazy. Too many people and businesses rely on a company, without giving a second thought about what would happen if that company suddenly changed its terms or stopped providing a service that they are using.

But running my own mail server...argh. I wouldn't want to do that ever again. My approach is, instead, using my own domain with a 3rd party mail provider. That way you are always in control of your e-mail address, and you can always switch to another provider anytime, if anything happens.


>use different passwords all the time and I forgot which one I had used most recently for Google.

Maybe in the last weeks this person entered wrong passwords too often.

>I clicked ‘Forgot Password’ as I always had.

Did the journalist reset passwords too often?


That convinces me never to use Google for a primary, trusted account. It's just too easy to get locked out forever.

It's worth taking some time to think about how you will recover from various disasters: forgot password, drive crashed, lost phone, etc. IMHO the best approach is to have one account with a hard but memorable password, that you can access from any device, and use to bootstrap the rest of your accounts and passwords. Maybe also keep the password on a piece of paper stored where you will know if it has been accessed.


Imagine you used a password manager that required memorizing just one diceware phrase then using randomly generated passwords and never got locked out again, that's what happened to me.
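
The "one memorised diceware phrase, everything else randomly generated" approach above, as an added example that is not the commenter's code: passphrase and per-site password generation from the CSPRNG, with the entropy arithmetic that tells you how many words are enough. SAMPLE_WORDS is a small constructed list so the block runs stand-alone; a real Diceware list has 7776 words, and the figures in the usage note assume that size.

```python
"""Diceware passphrase and random-password generation with entropy estimates.

Added example. SAMPLE_WORDS is a constructed stand-in for a real
7776-word Diceware list.
"""
import math
import secrets
import string

SAMPLE_WORDS = (
    "anvil", "basil", "cider", "dune", "ember", "fjord", "gable", "harp",
    "ivory", "jumbo", "kelp", "lunar", "mango", "nexus", "oasis", "pixel",
)
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest passphrase length that reaches `target_bits` from a list of `list_size`."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware(words=SAMPLE_WORDS, count: int = 6, sep: str = " ") -> str:
    """Uniform picks via secrets (CSPRNG); the random module must not be used here."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Per-site password for the manager to store; nobody needs to remember it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    n = words_needed(7776, 80)
    print(f"a 7776-word list needs {n} words for 80 bits; sample phrase: {diceware(count=n)}")
    print("7776-word list, 6 words: %.1f bits" % entropy_bits(7776, 6))
    print("site password:", random_password(),
          "(%.1f bits)" % entropy_bits(len(PASSWORD_ALPHABET), 20))
```

Six words from a 7776-word list give about 77.5 bits, seven about 90; a 20-character password from the 94 printable ASCII characters is about 131 bits, which is why the manager-held passwords can be unmemorable while the one phrase you keep in your head stays pronounceable.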


If you start logging in over Tor or other sketchy locations, you might...

I would suggest 2FA, if you really care.


1Password has 2FA available and I obviously use that when possible as well as OpenVPN server I control. Google is helpful enough to alert you when someone fails to log in to your account, and when that someone is in another country, it's obviously time to enable 2FA. Their piss poor inability to provide customer service also means no one is going to social engineer their way into my email, which is a pro imho.


Would you mind explaining more?


1Password or KeePassX (google em)


Why oh why does Google ask about the date the account was created? 9/10 you won't remember the exact month/year and this screws up any chance of account recovery.


To avoid such things, I have a notebook in my drawer in which I have all the passwords to all my online accounts written down. If I change a password, I update the entry. If I create any sort of online account, it gets added to the diary. I figured if someone bothered enough to physically steal my diary from my drawer, I'd have bigger problems to worry about than my YouTube credentials.


I'm currently locked out of a Gmail account I have the password for but Google decided that isn't enough; it doesn't like my IP address and wants me to verify against a phone number I no longer have.


Oh wait, missed that you needed access to the number. I thought it was just prompting you for the number.


> wants me to verify against a phone number I no longer have.

I had the same. There's a good chance someone else has that number now - add them on WhatsApp/Facebook Messenger/etc by phone number, Google their number and try to find them, or call them.

In my case, I was able to recover the account by communicating with the new owner, and him quickly sending me the 2FA code he got from Google when I tried to log in.


That would be a clever phishing technique if you know your target no longer owns the number associated with an account.


That's why it's so insane to consider it a safe 2FA source.

6 months. That's all it takes between the last time a user successfully used a phone number, and a new user getting assigned the same number with prepaid SIMs in Germany.

6 months is a damn short time.


So I guess the diary should include a history of phone numbers. And maybe addresses to be safe.


...And the IP you used to sign up... and the city for that IP in the geolocation database at that specific date... and the exact User Agent string... and the time zones... and...

Or maybe they should stop being idiots and allow people with strong passwords to... just use passwords to authenticate.

Maybe some type of "I know what I am doing, kindly fuck off Google" option.


> Maybe some type of "I know what I am doing, kindly fuck off Google" option.

Tbf if you really knew what you're doing, you wouldn't be using gmail.


This from the guy with all his passwords in a notebook in the desk drawer.. Have you thought of ROT13 encoding them?


Just do one-time recovery codes.



> Ron Miller is enterprise reporter at TechCrunch. He has been a Freelance Technology Journalist since 1998

> Ron is currently corporate blogger for Intronis where he writes once weekly on issues related to the cloud, and a weekly feature called The Cloud 5 where he aggregates five links related to the cloud computing

Might we perhaps have expected a slightly better understanding of the nature of the cloud? Of 'free' services? Of standard backup practice? Of password managers? Of password security? (Guy apparently used passwords simple enough that he could carry them in his head). It probably makes me a smug, uncaring bunghole, but my compassion doesn't really kick into gear over this.

I have had the pleasure of working with the user database of a certain media company. Passwords in plaintext, of course. Plenty of journalist users. Half of whom had gmail addresses for usernames, and 90% of whom had passwords along the lines of [birthday], [name], or kitty74.

Yes, there were tech people too.


It's my belief that if you enable 2FA it's a lot harder to be casually dissociated from your account. This is because you have to do more work to establish a chain of authority over the account to enable it, and because you precreate account recovery tokens you can save offline.


"Who are you?" is the most expensive question in information technology. No matter how you get it wrong, you're fucked.

I've been locked out by Google several times. And know of other instances including Google and other services. Some never regained access.

https://www.reddit.com/r/dredmorbius/comments/3mo7l6/that_go...

https://www.reddit.com/r/dredmorbius/comments/2w618r/how_to_...


Scary. Makes me think about moving my personal mail domain back to a regular hosting company


Fastmail is great for this, in my opinion. I vastly prefer every single aspect of the experience. The web mail client alone is worth the switch away from Gmail, IMHO.


How does Fastmail handle lost passwords?


There was a discussion here: https://news.ycombinator.com/item?id=15853477


Funny,

I also have an account where I can't remember the password and I've given google three factors of identification and they still won't verify my account to reset the password.

I have no PR friends that work with Google, so I'm shit out of luck.


Were any of those factors: U2F, TOTP, one-time recovery codes?


They didn't offer me TOTP but did offer SMS verification.


I used Thunderbird before I switched to Gmail, and for several years after I kept it running on my Gmail account without ever opening the window, just so I'd have a local backup of all my mail.

I should maybe start doing that again.
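
The local copy this comment (and the "keep a backup of your email" advice in the own-domain comment further up) is talking about, as an added example that is not code from the thread or from any mail provider: an incremental IMAP to mbox backup that only downloads messages it has not stored yet. The host, user and APP_PASSWORD placeholders in main() are assumptions (an app-specific password, because an account with 2FA enabled will refuse the login password); `backup_mailbox` takes any object exposing the imaplib methods it calls, so the block exercises itself against a constructed in-memory stub and needs no server.

```python
"""Incremental IMAP -> mbox backup keyed on UIDVALIDITY + UID.

Added example. StubImap and its two messages are constructed test data;
connect() targets placeholder host/credentials.
"""
from __future__ import annotations

import email
import imaplib
import mailbox
import os
import ssl
import tempfile


def _uidvalidity(client) -> str:
    # If the server changes UIDVALIDITY, every UID recorded so far is
    # meaningless and the backup must start over with a fresh state file.
    _typ, data = client.response("UIDVALIDITY")
    if not data or data[0] is None:
        raise RuntimeError("server did not report UIDVALIDITY")
    return data[0].decode()


def backup_mailbox(client, folder: str, mbox_path: str) -> int:
    """Append every not-yet-seen message in `folder` to the mbox at `mbox_path`.
    Returns the number of newly written messages; re-running is a no-op."""
    status, _ = client.select(folder, readonly=True)
    if status != "OK":
        raise RuntimeError(f"cannot select {folder!r}")
    state_path = f"{mbox_path}.{_uidvalidity(client)}.uids"
    seen: set[str] = set()
    if os.path.exists(state_path):
        with open(state_path) as fh:
            seen = {line.strip() for line in fh if line.strip()}

    status, data = client.uid("SEARCH", None, "ALL")
    if status != "OK":
        raise RuntimeError("UID SEARCH failed")
    uids = [u.decode() for u in data[0].split()]

    box = mailbox.mbox(mbox_path)
    new_uids: list[str] = []
    try:
        for uid in uids:
            if uid in seen:
                continue
            status, data = client.uid("FETCH", uid, "(RFC822)")
            if status != "OK" or not data or not isinstance(data[0], tuple):
                continue  # not recorded, so it is retried on the next run
            box.add(mailbox.mboxMessage(email.message_from_bytes(data[0][1])))
            new_uids.append(uid)
        box.flush()  # message bytes reach disk before their UIDs are recorded
    finally:
        box.close()
    with open(state_path, "a") as state:
        state.writelines(u + "\n" for u in new_uids)
    return len(new_uids)


def connect(host: str, user: str, app_password: str) -> imaplib.IMAP4_SSL:
    client = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    client.login(user, app_password)
    return client


class StubImap:
    """Constructed stand-in for imaplib.IMAP4_SSL holding two fixed messages."""
    MESSAGES = {
        "1": b"From: alice@example.com\r\nSubject: one\r\n\r\nfirst message\r\n",
        "2": b"From: bob@example.com\r\nSubject: two\r\n\r\nsecond message\r\n",
    }

    def select(self, folder, readonly=False):
        return "OK", [str(len(self.MESSAGES)).encode()]

    def response(self, code):
        return code, [b"4242"]

    def uid(self, command, *args):
        if command == "SEARCH":
            return "OK", [" ".join(self.MESSAGES).encode()]
        raw = self.MESSAGES[args[0]]
        return "OK", [(b"%s (RFC822 {%d}" % (args[0].encode(), len(raw)), raw), b")"]


def demo_with_stub() -> tuple[int, int, int]:
    """First run writes both messages, second run writes none, mbox holds two."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "inbox.mbox")
        first = backup_mailbox(StubImap(), "INBOX", path)
        second = backup_mailbox(StubImap(), "INBOX", path)
        return first, second, len(mailbox.mbox(path))


if __name__ == "__main__":
    print("stub run (new, new, total):", demo_with_stub())
    # Against a real server (placeholder values, assumed):
    # c = connect("imap.example.com", "me@example.com", os.environ["APP_PASSWORD"])
    # print("new messages:", backup_mailbox(c, "INBOX", "inbox.mbox")); c.logout()
```

The state file is named after the folder's UIDVALIDITY so a server-side renumbering silently starts a fresh download instead of mixing UID spaces, and the mbox is flushed before any UID is recorded, so a crash mid-run costs at most a re-download, never a silently missing message. Run it from cron and the mbox opens in Thunderbird or mutt whether or not the provider ever lets you back in.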


This is why I switched to proton mail. Never looked back.


As have I, though again, it only shifts the problem.


> They don’t have customer service, yet I’m paying for storage.

It's pretty slack to be taking people's money and providing zero customer service.


I don't think there's anything wrong with it as long as both parties are aware that the deal is about storage and doesn't include additional phone counselling.


There is no solution to this other than paying and diversification.

I use fastmail for emails, dropbox for storage, icloud for calendar and notes. I also use a security key with my fastmail and dropbox accounts. A physical one. So I don’t really forget my password to begin with.

Tldr: the author underestimated the importance of tech accounts, diversification and how shitty google support service is.


This is too technical for most unfortunately, but the only way to guard something as valuable as your email address is to own the domain and so control the MX records.

I'm fortunate enough to have a grandfathered free Gmail account so I can own my domain and point it to a Gsuite account without paying.

Otherwise it's worth paying up for Gsuite, Fastmail or similar.


That only shifts the problem to retaining control of the domain.

Talk to Alexandra Elbakyan about that, amongst others.


Does anyone have experience with g suite's support (paid gmail) and how it would compare in the same situation?


You get a phone number you can call. But the person behind that phone seems to only be allowed to get your case on the support system


Nothing special. The same happened with email addresses from ISP and they get closed if you ever change provider.


Man, that's scary! My email account is so central to everything.... better make some changes


For those of us for whom email is so important, having a paid provider that has human support staff (that actually responds) should be equally important.

IMHO, free supportless email [like gmail] isn't really an option, given the huge impact that losing it would have.


2FA, buy two yubikeys and feel safe.


Host your own email server (like me) or use the email services of your webhosting or ISP. Email is a simple service originally developed to be decentralized but modern Idiocracy makes people use only a handful of corporations for IT services. :(



Why are big companies so inaccessible? It's a strange paradox to think that almost everyone uses Google services on daily basis, yet it is near impossible to communicate with Google itself.


Good job getting this published on techcrunch. Saw you had posted it just on your own blog. Definitely got to spread that word, man!


I use google apps for email and a couple other services but do monthly google takeout downloads of all my data for this reason.


Hmmm, how many tech journalists do not use password managers? How many google employees do not use 2FA? Can anyone comment?


Yeah I have given up hope with ever using my ten year old twitter account due to a similar story :(


I recommend using a password manager like LastPass or Keepass. Never lose a password again.


Was it the happiest time of your life? ;)


Is it normal that GMail marks email with a link to this thread "suspicious" and asks me if I'm sure I'm not getting scammed here?

