Ask HN: My Google account was hacked, Google says they can't help
291 points by lululouise on March 14, 2022 | hide | past | favorite | 154 comments
My Google account was hacked, I was messaged by someone on Facebook and they demanded I give them money or they would post my private photos. They started posting my pictures and even sent them to my family and friends, dad included! They then changed all my passwords, restore email, phone number etc. to their own email and number, so I can't do anything. They wiped my phone and my son's tablet completely, all my banking is gone, everything is gone. I'm now stuck in a foreign country away from my baby with no way to get money or access my email for my travel documents. I'm really scared and don't know what to do. Google says they can't do anything to help me! They can't kick him off or disable my account, I just have to be harassed and blackmailed, and goodness knows what else. I'm a single mum and I'm in a different country to my baby, please can someone help me? I just want to get back.

Does anyone know how I can recover and secure my Google account? I've tried everything that I can find/Google have told me to do.



I've had requests like this from family members supposedly "stuck overseas" etc. These types of requests are often scams.

My boss recently emailed me (from a weird email) saying the landlord's payment hadn't gone through and we needed to wire them the money pronto and they were stuck traveling and couldn't do it. This was a scam.

In my neighborhood folks rent out houses for great deals, the landlord is temporarily traveling and can't meet. A fair number of these turn out to be scams.

I just mention this because if some low level support agent providing support to FREE accounts was able to reset an account based on this narrative - and no phone access - that would be a HUGE security HOLE.

If google starts allowing recovery of passwords by folks overseas who are "stuck overseas" with no documents - game over. We are focusing on the folks getting locked out, but google is doing a fair bit to keep folks from getting taken over.

I have a 2FA key (hardware) they ask me for once a month. I'm not sure how someone takes over my account unless they get access to my computer with remote access and then maybe re-uses a session somehow? Even then I have to re-auth when doing security steps... so it's a bit weird to have an account takeover like this.

My request. For a fee of $1,000, an in person visit, fingerprints, and research effort, communication with existing account holder for any disputes (i.e., someone sold them the account) google would allow for an account recovery. This last step is what is missing. Charge $2,500 even. In some cases that would be worth it and allow them to make a pretty good job on recovery. Even wipe the account / lock all old messages so they are unreadable on recovery.


I’m not sure money would be a great solution here. Malicious actors would be able to fork that over for important targets. IMO this is definitely something that should go through the legal system rather than any honor system. If people lie to the authorities in any respectable country, that’s a criminal offense and could mean jail time.


Impersonating someone to take over their account is already illegal in most 'respectable' countries, but generally the people doing this either can't be traced (at least not cost-effectively) and/or don't live in one of those countries.

I think the point of the money here isn't to dissuade bad actors trying to take over accounts, but to allow Google to hire the people necessary to do proper identity verification for account recovery, when there's no automated option available. It would provide a last resort for people who are legitimately in situations like that of the OP. The problem I see with that is that things aren't worth Google's time unless they have the potential to make (or save) billions of dollars. If this is a problem that only ever affects a handful of people, I don't see how they would ever have sufficient incentive to do something about it, even if they could charge for the service.


The money pays google for the work needed to validate.

Just showing up in person is a huge control. A ton of scams rely on no one ever showing up IN PERSON. Let google troll through google photos etc, run face match, ask you questions about what you did when, send someone to visit your living situation or work etc.

Perfect? No, but maybe a better compromise.


Yep. Some financial services transactions switched to allowing electronic/telephonic transactions during the pandemic. My broker basically switched back to certain transactions requiring in-person confirmation in some way or another. It's a nuisance but it also shuts down a lot of avenues of fraudulent activity.


Exactly, 2FA with yubico or similar is a must. I love that my Tutanota supports this.

But also make sure to get the recovery sorted for yourself - just in case you lose your key or password. To me that's the biggest threat as so much important information is in there. It's good that no one can hack it (if you have 2FA), but even better if you've made sure you don't lose access either!


I suggested OP post here since we spent over an hour trying to recover the account and I can't figure out any way to help recover it either. Google appears to be a stone wall, the hacker's account is obviously using a disposable email (looks like a phishing email account with typos and the word "accoount" in it).

Google doesn't seem helpful in these situations, hoping someone here can help her and has solved this issue before.


[This is one of my worst nightmares]

Was the phishing email designed to impersonate Google and/or passed Gmail's spam filter? If so, Google should be very interested, so make sure this is communicated to them.

Getting Google's attention is unfortunately one of the few ways to increase your chances in the human intervention account recovery pipeline, which I suspect is understaffed. If that doesn't work, sharing an (appropriately redacted) screenshot of the phishing email on social media could also be helpful. (Absurd, I know)

If you're lucky, some Google employee on abuse/account recovery might see this and escalate. Wish your friend best of luck!


She doesn't have a copy, she deleted it.

I believe it was one of these:

https://thethaiger.com/news/national/officials-warn-about-va...

Targeting people doing Thailand Pass, but can't confirm it's the exact same details in terms of headers and such.


If she downloaded and executed a file, I can see how everything can go wrong fast; what are other ways to get into your Google account unless by having you enter your password in a phishing page?


I suspect the attacker had (maybe still has) full access to her laptop. They wiped her phones, so I am assuming they are clean of malware and trying to get her to do everything from the phone which should be clean and not the laptop which we have to assume is compromised.


How was the hacker able to change OP’s phone number attached to the Google account?

Every time I commandeer a google account, it's with the prior owner - usually in India - punching in the authentication number on the phone. (I get the 2 digit number on my screen and I tell them what it is, and they select the same number from a multiple choice selection on their phone)

Maybe this measure could be circumvented if remote desktopping into a computer nearby the prior owner's postal code, and taking over the account from that computer. This is how some online credit card fraud passes scrutiny, because the hacker doesn't appear far from the location of other purchases.


> How was the hacker able to change OP’s phone number attached to the Google account?

> Every time I commandeer a google account, it's with the prior owner - usually in India - punching in the authentication number on the phone. (I get the 2 digit number on my screen and I tell them what it is, and they select the same number from a multiple choice selection on their phone)

I think this is for Microsoft accounts not Google.


I've only done this on Google accounts


Is the two-digit number on your screen from a Google prompt? I thought it was Microsoft because I have seen the same flow when using Microsoft authenticator to access an outlook/live account.


It's on my computer screen from a Google prompt, in the browser I tried to log in with.

It's not that mysterious, many services use the same authentication flow if it works to some extent.


nope, it's standard google practice when authenticating on a new device


Google are incredibly helpful in this situation, you just have to look at it from the hacker's point of view.


Definitely talk to the nearest embassy for your home country ASAP. They won't be able to help with your Google account, but can definitely help with travel docs and may be able to make travel arrangements for you.


Right, an embassy or equivalent (if you are an American in Taiwan there is no "embassy" because that would annoy the nearby PRC but it's pretty obvious the "American Institute" is in practice an embassy) is where to start. If you are an EU citizen any embassy for an EU member state will do in a pinch, this can be important if you're a citizen of a smaller or younger nation with few embassies of its own, a different EU embassy may not speak your language but should be able to secure a translator and work with your home country's relevant government agencies.


I was a Google employee at the time, and wanted to log in to an email with my first and last name@gmail.com. At the time I set up email forwarding so I didn't have to log in at all for years.

Anyway I couldn't remember the password, and their security requirements at the time were different from today (no recovery email, no verification etc). And as a good security practice they also put cool down periods for trying passwords too fast...

Filed for a support ticket, they told me nothing could be done because security of the account. I told them to send recovery info to the account in question (so that it would be forwarded to me), but they didn't. They also verifiably know who I am, and there was some amount of trust that it was my account.

I spent a few hours writing down passwords and copy pasting to find out. Eventually did.

This shit is nonsense.


Highly recommend using a password manager like 1password to avoid issues like this in the future (on top of other benefits).


Is it just me, or is anyone else also uneasy about using commercial, closed-source password manager? I'd literally be putting my life's savings in their hands.


I'd be nervous to keep using Lastpass. I'm not concerned about 1password under its current management.


Yes, same here. I only use offline, open source programs.


Oh yeah, like I said this was a very old account I set up a long time ago that I didn't have to log in to since I set up the forwarding. Long ago was probably a decade or more.


> Google says they can't do anything to help me! They can't kick him off or disable my account, I just have to be harassed and blackmailed, and goodness knows what else.

Not kidding - How do we know you are not the hacker?

In future please use 2-factor authentication, otherwise there is really no way for anyone to tell who is the right owner.


> Not kidding - How do we know you are not the hacker?

We don't. But we can assume that they aren't for the purpose of discussion. It seems more likely that a victim would post the OP's post than a perpetrator.

Google also doesn't, but they can say with increased confidence what the probability of the OP being a victim is.

But there's an even harder problem: say person A sells their Google account to person B, and does this with completely offline communications (offline wrt Google). To Google, this situation may look no different than a stolen account, at least for some period of time. But person A is a scammer, claims their account was stolen, and attempts to initiate a recovery process with Google.

This situation is the reason I virtually never perform account recoveries for players of my games. I also require users to use a third party login (like Google or Facebook) for their account, because I want as little to do with account management as possible.


The extreme sob story makes me suspicious too. It seems that every detail submitted by this person is designed to maximize sympathy.


Yes indeed, what a bizarre post to get so many upvotes. I'd bet money that there is something shady going on here.


Ill-conceived research paper attempt?


I hope dang checks out the submission upvote analytics to see any red flags


Unfortunately it's true, I'm sorry to make it sound like a sob story, I've had the worst few days with this. I offered everything including my ID, banking, anything I could provide, to confirm it really is my account. Luckily I now have everything that's important.


My BS detector is at defcon 5. I'm betting this is a current or former boyfriend attempting to gain access to an account. Likely to do what is said to have happened.


Please see my current replies. I don't think I have an ex boyfriend who would be capable of this, morally or intellectually, I tend to have a type that's generally sh*t with computers like me haha


> Not kidding - How do we know you are not the hacker?

I think usually it's obvious for someone who can see the account's recent activity. You can also design challenge-response type questions for the person claiming the account, that only they could know, within some reasonable confidence interval.


I think they meant "how does a random reader on an internet forum confirm that the OP is who they claim they are"?


And most people can tell what to search for to find specific emails; if that doesn't prove it...


If he had any purchase history, address, real name (combined with govt ID), or phone number in their account history perhaps those would be means of authentication? Authenticating the true owner of a hijacked account is hardly impossible or even very hard. Google knows who people are without them even having to log into an account from their relentless hoovering of data.


We've been going through facebook recovery, it requires pictures of ID. Same way you do any KYC. They still have access to the phone that was connected originally as well but the attacker put in a Swedish or Belgian number (it says 046 but google shows a Belgian flag).


+46 is Sweden and +32 is Belgium, 046 is neither though?


Yeah I am not sure, I assumed the leading zero didn't matter. It had the flag of Belgium on google's screen but started with 046 which as you said, Sweden is +46. Maybe it's a Belgian number and starts with 046 and it hides the country code.


04[5-9][0-9](+6 digits) are Belgian mobile numbers in national notation. In international notation the leading 0 is omitted and +32 put in front.


Got it, so country code is hidden.

0460 [## ## ##] and had Belgian flag so that must be Google saving country code that way.


They could just verify he knows the old password and controls the old phone number, and probably also has devices logged into or connected to the account.


If you're in a foreign country then you have to go to your embassy, they are there to help in exactly this kind of situation. Go in person if you can.


You are delusional if you think any embassy will give a toss with respect to gmail account appropriation or associated blackmail attempts.


> I'm now stuck in a foreign country away from my baby with no way to get money or access my email for my travel documents.

The embassy should care about a citizen stuck without money or travel documents.


As time has gone by I've seen Google be less responsive to spam and phishing attempts. I've been getting substantially more attacks since 2016 and they go into overdrive around election time. I'm not sure what is going on because they are fairly obvious attempts. Examples include: a pdf on Google Drive shared with hundreds of people and text that is in Russian (I've translated a few and they want me to contact the embassy); very obvious spam emails like "Hey, do you still live in Illinois?" (I never have, but have had several password change attempts from this location (same IP even) and Google says "enable 2-factor", which I already have); emails that go to myname@gmail.com instead of my.name@gmail.com; phone calls (I have Fi) from obviously voided numbers (numbers almost identical to my own); and many more. Last election cycle I almost abandoned gmail altogether.

I know there's Googlers here. So why isn't Google taking this seriously anymore? The attempts are so bad a naive bayesian classifier could catch these! Worst of all, Google provides no help. Google should be preventing OP's problem in the first place (they seem to not be caring) and doing something to fix it when it does happen. As a user it just feels that Google is just becoming complacent in this activity.


> emails that go to myname@gmail.com instead of my.name@gmail.com

Google ignores all '.' before the '@'. It's another way you can effectively create gmail aliases.


I'm aware of that (and that I can create a filter this way) but I'm saying that there are strong indicators that hint towards spam. That being a very obvious one. I'm trying to say that there's an obvious signal that a basic ML classifier should be able to catch onto and thus questioning what Google is doing if they can't catch these things (one doesn't even need to read the email).

I have also tried using the email+feed@gmail.com to create filters but companies have mostly caught on and are stripping that. So the dots and pluses are not nearly as useful as they used to be.
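As an added example (not code from the thread), a small Python check that applies the dot and plus rules described in the two comments above to the To: address of incoming mail, and flags messages that reach the mailbox through a spelling the owner never hands out. The owner's usual spelling and the sample headers are constructed for the demo.

```python
import re

# Constructed sample: the owner hands out "my.name@gmail.com"; the To: headers
# below are made-up messages written for this example, not from the thread.
USUAL_SPELLING = "my.name@gmail.com"

SAMPLE_TO_HEADERS = [
    "My Name <my.name@gmail.com>",          # normal mail, exact spelling
    "myname@gmail.com",                     # dots dropped: address was scraped or guessed
    "MY.NAME@GoogleMail.com",               # alternate Gmail domain, same mailbox
    "my.name+newsletter@gmail.com",         # plus-tag the owner gave one vendor
    "someone.else@gmail.com",               # a different mailbox altogether
]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
_ANGLE_ADDR_RE = re.compile(r"<([^>]+)>")


def extract_address(header_value):
    """Pull the bare address out of a To: header ("Name <addr>" or plain "addr")."""
    m = _ANGLE_ADDR_RE.search(header_value)
    return (m.group(1) if m else header_value).strip()


def canonical_gmail(addr):
    """Canonical mailbox for an address: lowercase; for Gmail also drop every '.'
    in the local part, strip any '+tag' suffix, and fold googlemail.com to gmail.com.
    Non-Gmail addresses are only lowercased."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def classify_recipient(header_value, usual_spelling=USUAL_SPELLING):
    """Compare how a message addressed this mailbox with the spelling the owner uses.

    Returns one of:
      "not-mine"        different canonical mailbox (mis-delivery or another account)
      "plus-tag:<tag>"  same mailbox via a +tag; the tag says who was given that form
      "exact"           same mailbox, same spelling the owner hands out
      "domain-variant"  same local part, but via googlemail.com instead of gmail.com
      "dot-variant"     same mailbox, but dots placed differently: the sender did not
                        get this spelling from the owner (the spam signal discussed above)
    """
    addr = extract_address(header_value).lower()
    usual = usual_spelling.lower()
    if canonical_gmail(addr) != canonical_gmail(usual):
        return "not-mine"
    local, _, domain = addr.partition("@")
    base, _, tag = local.partition("+")
    if tag:
        return f"plus-tag:{tag}"
    usual_local, _, usual_domain = usual.partition("@")
    if base == usual_local:
        return "exact" if domain == usual_domain else "domain-variant"
    return "dot-variant"


def scan(headers, usual_spelling=USUAL_SPELLING):
    """Classify every To: header; returns (verdicts, number of dot-variant hits)."""
    verdicts = [(extract_address(h), classify_recipient(h, usual_spelling)) for h in headers]
    suspicious = sum(1 for _, v in verdicts if v == "dot-variant")
    return verdicts, suspicious


if __name__ == "__main__":
    results, hits = scan(SAMPLE_TO_HEADERS)
    for addr, verdict in results:
        print(f"{addr:32} {verdict}")
    print(f"{hits} message(s) used a dot spelling the owner never gave out")
```

The plus-tag verdict is only a hint: as the comment notes, many senders strip the tag, so its absence proves nothing, while a wrong dot spelling cannot come from anything the owner sent.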


1. Hit up @askworkspace and @googleworkspace on twitter - loudly and publicly

2. Assume any passwords stored with your account have been breached

3. Start canceling all services and getting new ones issued


I wonder - if HN became a really effective escalation mechanism for Google support issues, then would it make an attractive attack vector?


Easy fix, only accounts with >10k karma get the platinum tier support plan.


Sounds like I'll have to stop lurking to get ready for this.


Don't worry, you can jump to the platinum tier for a monthly subscription of only $49.99


You joke, but if you pay for the increased Google storage on your account you likely do get access to support you can reach.


I was a paid Google Apps (aka gsuite and maybe some other renames?) administrator. In response, I got access to a real person to answer the phone and not be empowered to do anything useful.


When I got a Google Home device it would not work to recognize my voice during the setup process and I eventually ended up somehow in contact with Google support. It was surprisingly one of the best support interactions I've actually had with probably almost any company out there. The person I was speaking with via a chat had no solutions to my problem but was creating a bug report for the problem and asking for lots of details to fill out the report. They reached out to other employees and their supervisor to try and find a solution. Weirdly the work-around ended up being them asking if I had an old phone I could try to do the setup on. It ended up working on the old phone and would not work on the other phone I had.

Moral of the story is when you do get ahold of Google Support they actually can sometimes be some really good help. It would be great if this was a more accessible option for people.


> The person I was speaking with via a chat had no solutions to my problem but was creating a bug report for the problem and asking for lots of details to fill out the report.

That would have been nice. The people I interacted with were not empowered to write bug reports (or chose not to), and suggested the community forums.


Yeah I was actually pretty surprised. I totally expected to get sent a link to their Q&A and be basically told "good luck". But they stuck with me for quite awhile trying to figure something out.


I think it depends strongly what region hosts the Google office you get sent to!


> The person I was speaking with via a chat had no solutions to my problem

Disagree! Workarounds are solutions, just of varying quality for the long-term.


Nope! I have an account I pay for and Google is as helpful as always


I have nothing to contribute to the discussion, but hoping this comment gets me some karma for when this actually gets implemented


It has been done before, via Twitter and slashdot, to get into Microsoft accounts.


That’s horrible.

My Google account was also suspended at a time when I needed it most, due to no actions of my own. A hacker gained access to it and was demanding Bitcoin donations in my name.

I tried every appeal process. I tried to backchannel through a great attorney.

I received an email years later that my entire Google account was being deleted from their tape archives.

I bought into the dream of the cloud, I transferred most of my data to GMail and Drive early on. That was all erased and I, after years of trying, never was able to contact a human. Nor was my attorney.

Google is a TERRIBLE company. Do not work there. Innovate them out of business.


This happened to me, I went through the google account recovery process and it was recovered. I was a victim of an over the air SIM jacking of my phone - which suddenly went dead. I had 2 factor enabled, but once the SIM was jacked they reset the account and used the phone to capture the code. My name is the same as an Ambassador - which I am not, I suspect that once they did not have a high profile Ambassadorial account they just ignored it as nothing was deleted (unless google recovery restored it to a prior state??) and after I went through the google account recovery process, google restored my account. After which I implemented a FIDO token system, which you can buy. It works like this, but you better make sure you guard your token = lose it = screwed. https://fidoalliance.org/how-fido-works/ I also suggest you download your mail archive every month using the google download process.


Well, this is not a solution for your situation, but for anyone reading this who doesn't want to be in your situation: ENABLE TWO-FACTOR AUTHENTICATION on every account where you have anything remotely valuable.

I once got a Hotmail account hacked and Microsoft was very much able to recover my account as long as I was able to provide them with enough information (old passwords, personal information, etc) to prove the account was mine, so I'd really try all Google avenues possible because it's your best bet for recovering your account.

If you can't access your money that's a banking issue, talk to your bank.


Not true.

I lost access to gmail because of 2FA - Google Authenticator to be precise.

One random sunny day my 2 year old bit into my phone, thereby breaking it. A few days before I had reinstalled linux and apparently had not yet logged into gmail. So suddenly I have only unrecognized devices and no authenticator. Despite living in the same place, using the same wifi, etc, I simply cannot get back in since then. It's been years with dozens of attempts from any possible 'known' device, but there simply is no way. I know the password, I know previous contacts, I have old emails, I have the password, ... But even when I enter all the info Google requests for account recovery I simply get a screen saying they will get back to me - and never do.

My fault for not having a backup sheet of codes, but I was too worried someone would find and abuse that sheet. Well, goodbye 10 years of email.


I keep a backed up list of all my 2fa codes in a password/key encrypted storage. I am trying to avoid the kind of situation you described. I have A LOT of accounts with 2fa now, and losing access to the 2fa app would be an incredibly frustrating issue as I would lose access to many accounts.

At one point I actually had a couple backup codes for some important accounts in my wallet, such as to my email. My thinking was that if I ever lose my phone and need to login to my Google account on someone else's device I would at least have access to some backup codes to get me in ASAP.


I think the threat model for most of us is online takeovers, not physical ones. Even if you live in a dangerous country like myself, criminals don't care about your email, so I don't think there's much danger in just storing the 2FA backup codes in your wallet. They're only good for when they've already input your password, aren't they?

But I'd appreciate if someone from cybersecurity were to weigh in. What are the best practices for 2FA backup codes?


A few things I would try in that situation:

- recover the files on the phone, esp. files that have google authenticator cache/dbs/secret keys and transfer that to new device

- see if any token using google account is still able to perform activities and work from there

To avoid this next time, use Authy (it works the same as google authenticator and works anywhere they tell you to use 2fa with Google Auth, but it allows you to install it on multiple phones and desktop/web login too)


That's a huge inconvenience, but at least it wasn't stolen.


> ENABLE TWO-FACTOR AUTHENTICATION

More than this: use a password manager that has 2FA built-in and use THAT as your google account MFA.

The "easy" MFA with gmail involves approving new login attempts with an existing authed app present. But without an activated phone or other authed devices present, there is no way to authenticate to the GMail app to receive email.

Apple replaced the back of my iPhone after I dropped it. They do this by putting a new phone onto your screen and then tossing your old phone along with its activation status. eSIM, so no way to activate it without the old phone (which is now screen-less and inoperable). I could not even activate my phone because T-Mobile required an OTP from my email which I could not access. (Apple did not warn me about this at all btw.)

I was essentially 100% locked out of my account and unable to use voice, data, or access my google account until I could find a T-Mobile store to get a new SIM card and then use live-chat on the T-Mobile website to relay the one-time code from my laptop which thankfully was still authed. To say I was panicking about not being able to access anything was an understatement.

Lesson learned: use an MFA mechanism that doesn't require an activated phone since you can't activate your phone without having access to your phone. Now I have my MFA details in 1Password which is restored as a part of iCloud backup.


Twilio Authy is another option for those who don't want to integrate MFA with their password manager. It will sync across multiple devices and optionally back up to the cloud. (All E2E encrypted of course.) Honestly the risk of having MFA in 1password is extremely low to zero I'm sure, but I still feel safer with the two separate.


2FA is helpful, but you can usually call most service providers and get them to remove it. Often with totally inadequate security checks, like “what’s your phone number associated with the account, ok, great, I’ve removed the 2FA”. Can’t comment on Google, but I’ve had this with the British government, of all people.


Especially for international travel, it's also a good idea to print out key travel information and carry it with you (also cash/spare credit cards etc.). Phones get lost/broken/etc., credit cards get flagged for fraud/left in restaurants, etc. It's easy to just assume that how you do things day to day will always be available--and then they may not be and you are in an unfamiliar place.

Ask yourself what would happen if your phone crapped out and/or if you lost your wallet. Very unfortunate for sure. But there are mostly things you can do to not make it a crisis.


The other thing you should be doing is _not_ using the gmail.com domain for your email - at least for account sign-ups to important services.

Buy a cheap domain and use that with your gmail account. All the convenience of gmail, but if the worst happens and you lose your account, you can pick a new email provider, redirect your email and you're back in business without losing access to all those accounts tied to your xyz@gmail.com email address.


I've always done this, but I've run an email server forever so it wasn't any added hassle to have gmail download the emails using pop. I'm curious how you go about it without running your own server. Do you pay for the google email service? Or just use your registrar's email forwarding to forward from your custom email to your gmail? Something else? I tried forwarding in the past for simplicity but found it results in a significantly higher rate of false positives in the spam folder.


Enabling two-factor can help, but if you are the victim of a phishing attack as many are, one would expect one of the largest tech companies on the planet to have a plan for that.


This will only get worse. Most people have no clue what mfa is and when I tell them they find it incredibly annoying and/or forgot how it worked again when they login from somewhere else a month later. I had people deleting Google authenticator or Authy from their phone because they forgot what it was for and their phone was getting slow…


It's crazy that the onus is on individuals, who, as you point out, are often ignorant about online security practices. Put the onus for security on the businesses who safeguard information, and they will have a big incentive to force users to use more secure methods of logging in, they will do more verification for account changes, etc. End users won't have any excuse for not using MFA when they can't do anything without it.


Agreed, and if people don't want to use 'difficult tools', they could swap it for privacy: do KYC for your email account. Then you, in this case, the business could freeze the accounts until you go through the motions of proving you are the owner. Tech savvy people can then stay 'private'. Amazon has a simple KYC form for when you lose your otp device (I lost access to my sms and forgot to change to phone based otps).


Agreed, companies forcing horrible 2fa implementations are turning people off to the idea of using it at all on their personal accounts (even when it's far less onerous)


Cell phones are also not good second-factors, preferably a physical offline device like a yubikey.


I spoke to Google on the phone and via chat, they said there is nothing they can do, except walk me through the restore process, which is impossible, as the hacker has the restore email and number. Google says only the account holder can make changes, yet I can't and someone else can. They have hung me out to dry!!!


Honestly, your first problem you need to solve is getting back home. Google has no way to distinguish between an overseas hacker trying to get into your account vs your current situation. You currently have no way to prove your ownership.

So what I would suggest is to focus on getting home. If you have to borrow money from family or friends or whatever, that's what you do.


Actually I'd get my bank accounts etc locked down. Consider that everything tied to that email address is now vulnerable.

Go to your embassy, lock down your life and start a new account. ENABLE 2FA. Use a decent password manager, don't reuse passwords.


If it were possible to just call up Google and get your account back then that's how people would steal accounts.

It's not very useful advice after the fact, but multi-factor authentication and recovery email accounts are highly advisable.


> If it were possible to just call up Google and get your account back then that's how people would steal accounts.

Disagreed.

They could request knowledge that only the account owner would possess such as dates/locations of past activity, subjects of emails (received before the breach, so that the attacker can't just send out new emails to the target account), require multiple notarized proofs of ID or other past activity (get a letter from your ISP that attests that you had that IP address at that time, etc) and maybe a huge monetary deposit that is required to start the process and is forfeited if bad faith is suspected.

The idea is to make the process as long, annoying and "dangerous" as possible to deter or make malicious activity unprofitable while still giving the rightful owner a chance. The legitimate owner wouldn't mind getting all these documents and leaving a huge paper trail behind him as well as waiting a month while the real owner of the account is spammed with notifications (allowing them to easily cancel the process if it turns out to be a takeover attempt), but an attacker trying to break into an account would think twice.


Still that can be vulnerable. If you really wanted to give up privacy, it could work like bank accounts work where a human banker actually knows you. But this would cost.


I have a bank account and it costs me nothing (because the bank reinvests my money). Maybe the answer is that Google should become a bank, or banks should offer email accounts.


Even given easy access to customer service reps, there is a tradeoff between them being helpful and friendly and them being susceptible to social engineering attacks.


Yeah, one of my oldest Google accounts was taken over.

I even got an email saying password/info was changed. Logged in, recovered the account, then changed the password (!) and made sure my recovery email and phone number are good.

All good, I thought!

Nope, just an hour later they accessed it again! Apparently from a mobile phone (same model as mine). The hacker changed all the info again (!), the password and after that recovery was useless for me (kept saying it's impossible because we can't trust your device or some shit).

That's it, account gone.

Google really should have an option to disable any recovery options. I use strong passwords and have multiple backups of the password database. If the password is not correct, that's it, no access. I'd be very fine with that.

I do not want 2FA tied to my prepaid SIM that I could lose (I also just buy a new one if I move country, no contracts, none of that bs).

I have detached myself from all of this online bullshit, I use my own backups, my own notes, Google is just for email (I have my own mail server, too) and Youtube (I have backups), I can lose them any time.


Your post sounds like a textbook scam sob story in itself. I am sorry if it's actually true.


I can verify that it's true and it is a sad story. I've spent hours today trying to help her, I am hoping someone in this community can actually help because traditional processes are clearly failing her.


How do we know

A) You aren't part of the scam. (Including the possibility your HN account was stolen)

B) You haven't been fooled by the scammer as a first step.

For what it's worth my suggestion would be focus on getting home first (contact embassy) and then contact a lawyer to see if you can use the courts to force a resolution from Google.


A) What scam do you think is potentially going on here? Getting into a random gmail where the person controls the old phone connected to it and all the pictures on the account happen to be of them and their child? How can I prove I'm not part of some scam in your mind? I can't. I can't disprove a negative. I'm easily Googleable if you're worried about my HN account being compromised; you can find half a dozen other ways to reach me if you look (Reddit, Twitter, Github, many emails, forums, etc), feel free to check in on me. You at some point have to either believe something or not. Short of publicly doxxing everything - which is generally frowned upon - and even then I'm sure there would still be skeptics.

B) See A. This is a personal friend with whom I spent multiple hours on video chat trying to help her recover her digital effects and trying to get full access back into her account and ownership of it.

She needs help reaching someone at Google / some authorities who can actually help. They can verify her information and story. They can see the email being reset to a BS gmail account with typos in it which looks like a phishing email. They can see her phone number was attached to the account. She has identification.

Alternatively, maybe someone has dealt with this scenario before and knows ways people have recovered from this type of ordeal, or knows other avenues to help.


Maybe, but in that case wouldn't it be a better use of your time to click on the back button and move on to the next story? Nobody's asking you to unlock the account.


Hey guys, thanks so much for your response. I do believe 2-step was going, but the hacker changed the details to his, wiped my phone and with it my Google Authenticator, and presumably set it up on his phone! I'm completely locked out from making any changes, yet I can still see my emails and stuff, but I can't change anything or verify myself. I did use the authenticator app plenty of times so I'm certain I had it set up. Although I'm starting to doubt myself now.... It's a nightmare!


If you still have any devices that have your old data (cached, etc) it might be worth keeping them powered on but disconnected from the internet, so that they don't end up realizing they should no longer have access and delete what could be the last copy of your data that you can actually access.

Whatever you still have access to (again, from cache, existing browser that's still logged in, etc), start making backups - screenshots, etc.


I've backed up all my important things and emptied the account too; unfortunately it's probably too late as he may have downloaded it all anyway, as he used Google Takeout to get backup data. I'm not in that account at all now; after I backed up and emptied it, I factory reset my computer.


> I did use the authenticator app plenty of times so I'm certain I had it set up.

Then it would have been impossible to log in. Did you use a password that was leaked? If yes, maybe they logged in and you would have got a 'notification' on your phone to allow them. And you perhaps said yes to that remote login.


You're not making sense. You need to slow down, calm down and write clearly and with more detail. Doubly so when communicating with Google Support staff.


She believes she had 2 factor because she used the app on her phone and would enter in codes. But her phone was remotely wiped (presumably by the attacker) and she lost access to the authenticator. She can't verify that way anymore because the attacker took that tool away from her.

She is still logged into her account on the laptop, so she can see things, but can't make any changes (they require a password she no longer has, since the attacker changed it). We saw that the attacker changed the recovery info to their email / phone as well. So recovery options aren't working. She is trying to pass their email/phone along to some form of law enforcement.


>> She is still logged into her account on the laptop, so she can see things, but can't make any changes

This doesn't make sense; the attacker changed all of her account information but didn't click "log out of all other locations"?


Bad actors make mistakes, too.


Sorry, I was in a panic. I have updated my situation in the comments, thank you.


Try to use https://takeout.google.com/ to back up your account data.


We tried this; it needed to validate her identity to get it. The hacker started it though, presumably to get all the data.


I would really like to thank everyone for taking time out of their day to respond to me. You can all probably tell I'm a bit of a dud with computers; maybe I didn't have my security as secure as it should have been, maybe I was using the 2F for something else and got them confused. I don't know, but I've learnt the lesson.

I have downloaded all of my precious memories, deleted everything on the account, it may have been too late as he's probably downloaded all my information already.

He tried to get back into my Facebook but failed, but he is still messaging family and friends and posting on my Facebook as comments. He also linked his account to mine; I quickly deactivated it, even though I set up all possible security measures since this all started going on.

I've used USB storage for my data and completely reset my computer, I've made new and secure emails.

I guess I'm just going to have to live with the fact that all my pictures are going to be posted to the internet. Oh well, we all have taken compromising pictures I'm sure; I and everyone else will just get over it.

I can't wait to get back home and hug my family. I'm never going to be high profile or a celebrity, so who cares. Maybe I'll try to sell my pictures myself and beat him to it. Haha.

He kinda peaked already anyway, by sending pictures to my father. Thanks again dudes and dudettes, and I do apologise about my erratic post, I was in a huge panic.

Peace


I can't help, and I absolutely do not want to be rude, but IMVHO it's about time everyone started thinking about personal IT autonomy.

I mean: the first computers for the (wealthy and educated) masses were desktops, designed to work in a decentralized network of desktops. It's about time to rediscover that concept:

- can you afford a small home server? A simple Celeron/8 GB RAM/storage as needed? Well, for most people that's more than enough, together with a public IP/dynamic DNS and a not-so-crappy connection

- do you know how to set it up with FLOSS tools?

If the answers are yes, I see exactly ZERO reasons to use someone else's computer. I can understand a student who lives day-to-day, I can understand someone who does not have enough knowledge to deploy something personal, but in other cases, well... We are in 2022...

It's not just a matter of ideology, convenience etc.; it's a matter of civilization: do we really want to arrive at 2030 owning nothing, as the WEF wants? Because owning contracts with third-party services already means owning nothing. If something is lacking on the software side, it's about time for FLOSS devs to look at it, perhaps instead of investing time in creating stuff on top of proprietary cloud APIs, which is by nature wasted time since those APIs can always change, dropping all work built on top of them in a snap.


I see many commenters are implying I'm the scammer. I'm not so good with computers; I wouldn't know how to scam someone online. I asked Google if I could verify myself with my ID, driver's licence, passport, security questions... Anything! But they simply said there is nothing they can do. Today I managed to get all my photos, I've contacted relevant companies and got my travel documents, and I even managed to salvage my bank account - they were way more helpful and I was easily able to change my details and log in within 2 emails to them. I deleted everything on my Google account; however, I can see the hacker backed up all 100 GB of data I had on there, so he has that anyway. I then factory reset my computer.

I can't believe Google can do nothing.

The hacker is trying to blackmail me again today; he said he's going to put my pictures up online. Despite his efforts, he wasn't able to post as me this time, but he posted as himself on Facebook. He did however link another Facebook account to mine; I deleted it quickly and deactivated the account. However, he is still blackmailing my boyfriend with these pictures in Messenger.

On top of this, I got a positive covid test today so I can't fly home anyway, this is the worst trip ever! Urgh!


I'm fairly sure I had it (2F) and the hacker wiped my phone and got the authenticator on his phone. I could be wrong. I have set up the 2F today on everything. I thought I secured my Facebook account today, I did every security measure possible and he was still trying to sign in. He has posted my private pictures as comments on my posts and is sending them to my Facebook friends and family..... But this time from his own profile. So I think I was quick enough in deactivating my account and verifying it wasn't me signing in on the 2F. He's now threatening to post my pictures on the internet and adult websites. I'm not sure I even really care at this stage. I've managed to back up all my photos and retrieve my travel documents as well as a bank account, thank god.

To top my day off, I got a positive covid test, so I can't go home and have had to cancel all my flights etc. anyway. I'm so exhausted.

And very disappointed that Google can't do anything about it. My bank got me into my account and changed my emails through chat today, yet Google can't kick this guy off my account. It's crazy!


2FA is just fine until you are SIM-jacked.

DO NOT use your phone as a recovery device.

Use another email provider for Google account recovery.

Then if you get SIM-jacked, the culprit can't get into your Google account because your jacked phone number won't get an account recovery code; it will go to your non Google email which you will receive, even if your phone can only access wifi.

Do make sure that your Google and non Google email accounts have super strong passwords.


Why do you insist that the other email address be a non-Google account? Is it not sufficient if the other/recovery email is your family member's Google/GMail account?


Sadly I don't think anyone here can really help you. If it was possible to "recover" an account that you didn't have access to then anyone could take over anyone else's account. In fact support agents are trained not to respond to "I'm stuck in another country without money please help me out" requests since they are one of the top entry points for scammers.

As others have said, go to your country's embassy. Helping stuck tourists like you is their top responsibility.

Once you are home file a police report and start the process outlined at https://www.identitytheft.gov/. Consider that Google account gone.


Sure there is. There has to be a Googler here with the necessary access who can just mediate with their support department, run a few "select * from mails" queries on their DB and use good judgement when asking the user to give info about the emails they know they have or have received. Heck, there should be some sort of PM/PO/Manager from Google here who should use this as a catalyst to have some sort of feature be built to solve this problem in some sort of risk-based approach.


The victim's account, lululouise, is just as old as this post.

The job of ohasi, who is trying to help the victim, is: "Founder of Review Signal - We collected and analyze opinions shared on social media and turn that data into a review website."

The phone number of the alleged hacker is in Sweden or Belgium, and ohasi had education from: MSc Entrepreneurship - Lund University, Sweden and MSc International Marketing and Brand Management - Lund University, Sweden (from ohasi's profile listed links).

Is this a real issue for someone or ohasi collecting opinions shared on social media?


The only thing I can think of is to file a court case in the US. Not sure on how to go about it, or on what basis you can do it on, but that's what I would do if I had no other options. The sooner you do this the more likely they'll have backups they can restore. Of course you'll need to find a way to get to the US first (or find e.g. a lawyer to do this on your behalf), so best of luck.


One question: whenever you try to change something in Gmail, they will ask you to verify via phone? Isn't that mandatory today? I don't believe you can simply change passwords without a phone. But I might be wrong. Also, can't you call your bank and request new access? They need to verify you, but that should be possible. Last question: how did they wipe your phone?


>They will ask you to verify via phone? Isn't that mandatory today.

A suggestion I would make to anyone who is uncertain of how this works, and since it's a moving target: once a year, test what it takes to compromise your own account. Ensure that you're comfortable with a recovery scenario of "I can demonstrate control over X to the automated recovery service."

I did it a few years ago with my personal GMail account, which I had thought was well-secured, and it caused me to make significant changes to my security settings.


It's possible but not super easy to not associate a phone with it. You have to be very careful not to opt in, because once you do you can't opt out.

As for wiping the phone, that's a standard feature of both "Find My iPhone" and the android equivalent "Find My Phone" so presumably they used that to wipe them.


Guessing that is the case on the wipe and probably standard MO for these types of attacks.


If the account is set up long ago, that may not be a requirement


This happened to me (minus the travel part, but the thief was from what appears to be a South East Asian country). I tried for quite some time getting attention, because for about 2 weeks I was still being forwarded messages to my other address so I could observe what they were receiving, which was... strange.

In any case, my final attempt was contacting a group of people who wrote about account recovery [0] as a last-ditch effort; unfortunately some emails bounced and no one responded.

My parents and grandparents occasionally still use my old email and I'm still bothered by it despite it happening over a year ago now. If there is anyone on this list working at Google email, I have a lot of evidence showing I owned the account and I would love to have the opportunity to talk to a person about options.

[0] https://static.googleusercontent.com/media/research.google.c...


Get in touch with your banks and your embassy. Google account might as well be gone, but try to prevent any further escalation.


> They then changed all my passwords, restore email, phone number ect to their own email and number,

Are you sure they changed your restore number? I just checked on my account and it doesn't seem to be possible. Even if it is possible to add another number, Google should still know your old number?


Old number is still listed in the account but the attacker put their number as the recovery email and phone (I guess there is a priority/default)


You shouldn't do it, but your only decent chance (without knowing someone at Google) of getting your account back is probably to pay the ransom, though I suspect this person is probably more interested in fucking with people than making money, so I don't think your chances are good.


Small claims or tribunal. In Australia we have state based courts which you pay a small fee to, they’ll make a ruling and at least Google will give attention to the case it deserves.

It’s annoying, but it’ll work.


To help others, could you please tell us more information... Did you have 2FA? If yes, was it SMS or with a U2F key? Which country were you previously in? Did you change places?


Curious what people are doing to avoid such situations? Apart from 2FA, two different email accounts for banking and other services?


If you have any logged in devices, run Takeout so you don't lose what's in your account if you fully lose control.


You won't get it back, sorry. Even as a paid Google user they have the worst support I've ever encountered.


Keep trying to log in and reset the password; that will eventually lock the account. That's my suggestion.


AWS requires a notarized doc proving your identity to gain access. It's a bitch but works.


This has happened to me. There are no resources for recovery or recourse anywhere in the world at all. Google won't help you. Law enforcement won't help you.

Those accounts are lost. Close what you can and open new accounts with 2FA.


And thank you to my dear friend who's tried to help me. What a star


Thank you Google


Never use google. Truly an evil company.


In the future: Do not use Google. It's too big to be practical. They are entirely incapable of telling legitimate access from fraud. I logged in to my childhood email from 20 years ago to prove I was who I said I was, I've been locked out for 3 years with no recourse.


This happened to a friend. His life was destroyed. The only person he could talk to was the FBI. They told him they get dozens of calls about this a week. On top of that, there's an exploit that allows anyone with a dot in their email to receive any other person's email; it's been active for 19 years. Google doesn't care whatsoever. Google has the worst infrastructure support. There probably needs to be regulation that if you're a company making over 1B a year in revenue, you need to have a basic escalation procedure and human decency... or you can't make any tax deductions, and it claws back 10 years, and it applies to all shareholders who own more than $1M in stock. Suddenly, they might answer the phone!


Not an exploit, it is intentional, and ironically, is a countermeasure against phishing.

We all dread the day our Gmail password stops working, but this is what we signed up for.

I know my gmail is safe, because I know that without the password, not even I can get into it.

This is by design.


Indeed, it's a publicly documented feature: https://support.google.com/mail/answer/7436150?hl=en#:~:text....


> is a countermeasure against phishing

How can it prevent phishing?


Taking a guess - If your Gmail address is larrypage@gmail.com - it prevents someone creating a completely different Gmail address like - larry.page@gmail.com - and using it to impersonate that other account.

I think it's complete conjecture that it's meant to be some kind of anti-phishing method - the solution there is just removing the ability to create addresses with periods - but I guess this way has some kind of utility for users?


I received a few e-mails from Playstation/Sony recently that were intended to go to <firstnamelastname>@gmail.com but I received them at <firstname.lastname>@gmail.com.

I tried doing a password recovery of the account (to see what I could do to change the address, or contact Playstation) and found that on their end, firstnamelastname@gmail.com and firstname.lastname@gmail.com are treated differently:

Both gave the message that a reset e-mail had been sent. Only firstnamelastname@gmail.com caused me to receive an e-mail.

So Google (and other e-mail providers, like ProtonMail) ignore the dots, but it's possible that other companies don't ignore this.

Resolving the Playstation account required calling their support line for about 30 min, talking with an agent, and then replying to an e-mail generated specifying some information to confirm that I hold the e-mail account. They seem to already have the option for reporting misuse of an e-mail address.


> there's an exploit that allows anyone with a dot in their email to receive any other person's email; it's been active for 19 years

I'm not sure I follow? This isn't an exploit, but a feature of Gmail. It doesn't allow you to receive anyone else's email.


Yeah, it just allows you to receive email from people who don't know their email address. I have my full name @gmail and constantly get folks who send stuff to first.last@gmail.


>Adding dots doesn't change your address, so dots aren't why you got someone else's mail. Instead, the sender probably mistyped or forgot the correct address.

From the link in the other comment in this thread


Somehow there's a Google service (I am guessing mobile) that allows you to register firstl.ast@gmail or f.irstlast@gmail, and then they will both get each other's email. Fundamentally, if you allow any account to be created with a dot and without a dot (two accounts), but filter out the dot in the email received, it will cause a problem. The dot is one-to-one with the account, but filtered out it becomes one-to-many with the email. Nobody seems to notice this logical issue.


My understanding is…

John.Doe@gmail.com, JohnDoe@gmail.com and J.ohnDoe@gmail.com are not 3 different gmail accounts.

It’s one account with multiple dynamic aliases using the dot.
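The dot-insensitivity discussed in this subthread (Gmail treating John.Doe@gmail.com and JohnDoe@gmail.com as one mailbox, while a third-party service like the Playstation example treats them as two different accounts) is exactly the one-to-many mismatch a service should close on its own side. The following is an added example, not code from the thread or from Google: a canonicalisation routine a registration or account-recovery backend could run so that two sign-ups differing only by dots land on the same mailbox owner. The set of dot-insensitive domains, the stripping of Gmail "+tag" suffixes, and the sample address list are assumptions constructed for the example.

```python
"""Canonicalise e-mail addresses so that aliases of one mailbox map to one key.

Gmail ignores dots in the local part (documented behaviour discussed above).
The domain list and the plus-tag handling below are assumptions for this
example, not a description of any particular provider's full rules.
"""

# Assumption: providers whose local part is dot-insensitive. googlemail.com is
# Gmail's legacy domain, folded into gmail.com for comparison purposes.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(address: str) -> str:
    """Return a comparison key for an address.

    - Domain and local part are lowercased (domains are case-insensitive; most
      providers treat the local part that way too).
    - For dot-insensitive domains, dots are removed and a "+tag" suffix is
      dropped (Gmail's plus-addressing, assumed here), so every alias of one
      mailbox yields the same key.
    - Other domains are left as written apart from case, because RFC-wise the
      local part is theirs to interpret.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    local, domain = local.lower(), domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # drop plus-tag (assumed Gmail behaviour)
        local = local.replace(".", "")   # dots do not change the mailbox
        domain = "gmail.com"             # fold legacy domain onto the main one
    if not local:
        raise ValueError(f"empty local part after canonicalisation: {address!r}")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True when two addresses would deliver to the same Gmail mailbox."""
    return canonical_address(a) == canonical_address(b)


def find_colliding_accounts(registered: list[str]) -> dict[str, list[str]]:
    """Group registered addresses by canonical key; return only the groups
    with more than one member, i.e. separate accounts that share a mailbox.

    A service that treats these as distinct users (as in the Playstation
    anecdote above) has exactly the one-to-many problem described in the thread.
    """
    groups: dict[str, list[str]] = {}
    for addr in registered:
        groups.setdefault(canonical_address(addr), []).append(addr)
    return {key: members for key, members in groups.items() if len(members) > 1}


# Constructed sample of "registered" addresses for demonstration only.
SAMPLE_ACCOUNTS = [
    "John.Doe@gmail.com",
    "JohnDoe@gmail.com",
    "J.ohnDoe@gmail.com",
    "first.last@example.com",   # example.com is not dot-insensitive here
    "firstlast@example.com",
    "alice+shop@gmail.com",
]


if __name__ == "__main__":
    for key, members in find_colliding_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{key} is registered {len(members)} times: {members}")
```

A backend that keys its user table on `canonical_address()` (while still storing the address as the user typed it for display) would have sent the Playstation reset mail to the one real mailbox regardless of which dotted spelling was on file. The function is deliberately conservative for other domains, since dot-insensitivity is a per-provider rule, not a property of e-mail in general.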



