Most spam I get in my gmail inbox nowadays is itself from an @gmail.com address :-/



Indeed. Nearly 100% of the phishing we get at my employer (which I monitor) is from gmail.com addresses.


It's because Mike Hearn retired from the Google anti-abuse team - their bot protections went downhill from there, and now bulk Google accounts sell for a few cents each.

It's easy to make money when you can send out thousands of spam emails, each with hundreds of recipients, for under a cent.


And where do those bulk Google accounts come from? Compromised accounts due to weak/leaked passwords, without 2FA.

What does Google do about them? Making it harder to log in to dormant accounts from new devices and locations. What's the result? Periodic HN complaints on someone unable to access their decade-old dormant account, or an active account with a truly forgotten password, etc.

Anti-abuse is hard. Damned if you do something, damned if you don't.


They could do far more things to solve this issue...

For dormant account reactivation, they can ask the user for lots of details that are in the account. For example, "please type in email addresses of as many people as possible that you have sent emails to from this account". Which cities have you previously logged into this account from?

All info would be optional, but the more the user provides the quicker they're going to get in.

When the user has provided enough information to be fairly sure that it's a real user attempting to log in, then start a 7 day countdown. During the 7 days, contact the user's top-contacted email addresses and ask them to reply confirming the user is trying to reactivate the account.

Hire attackers to try and break into old accounts, and use their input to find the likelihood of each type of information being correctly given by the real account owner and an attacker.
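The scoring part of this proposal (optional answers, a confidence gate before the 7 day countdown, and weights calibrated from red-team results) can be sketched as a small log-likelihood-ratio scorer. This is an added illustration, not code from Google or from the commenter, and it deliberately stops at the countdown decision; it does not contact anyone. The question types and the owner/attacker correctness rates are constructed, hypothetical numbers standing in for what a real calibration exercise would measure.

```python
import math
from dataclasses import dataclass

# Constructed calibration data (hypothetical): for each recovery question type,
# (correct answers, attempts) observed from real owners and from hired attackers.
# These are illustrative counts, not measurements from any real system.
CALIBRATION = {
    "contact_email": {"owner": (180, 200), "attacker": (40, 200)},
    "login_city":    {"owner": (190, 200), "attacker": (120, 200)},
    "old_password":  {"owner": (120, 200), "attacker": (90, 200)},
    "create_year":   {"owner": (150, 200), "attacker": (130, 200)},
}


def smoothed_rate(correct, attempts):
    """Laplace-smoothed P(correct answer); avoids 0 or 1 from small samples."""
    return (correct + 1) / (attempts + 2)


def log_likelihood_ratio(signal, answered_correctly):
    """log P(observation | owner) - log P(observation | attacker) for one answer.

    A question attackers also answer well (create_year) contributes little;
    a question only owners tend to get right (contact_email) contributes a lot,
    and getting it wrong counts against the attempt.
    """
    p_owner = smoothed_rate(*CALIBRATION[signal]["owner"])
    p_attacker = smoothed_rate(*CALIBRATION[signal]["attacker"])
    if answered_correctly:
        return math.log(p_owner / p_attacker)
    return math.log((1 - p_owner) / (1 - p_attacker))


@dataclass
class Decision:
    posterior_owner: float
    action: str          # "start_countdown", "ask_more", or "deny"
    countdown_days: int  # 7 when a countdown is started, else 0


def score_attempt(answers, prior_owner=0.5, grant_threshold=0.99, deny_threshold=0.1):
    """answers: list of (signal, True/False/None). None = the user skipped it.

    Every answer is optional; more correct answers push the posterior up faster,
    which is the "the more the user provides, the quicker they get in" behaviour.
    """
    log_odds = math.log(prior_owner / (1 - prior_owner))
    for signal, correct in answers:
        if correct is None:          # skipped questions carry no evidence
            continue
        log_odds += log_likelihood_ratio(signal, correct)
    posterior = 1 / (1 + math.exp(-log_odds))
    if posterior >= grant_threshold:
        return Decision(posterior, "start_countdown", 7)
    if posterior <= deny_threshold:
        return Decision(posterior, "deny", 0)
    return Decision(posterior, "ask_more", 0)


if __name__ == "__main__":
    # Constructed attempts: a plausible owner, a plausible attacker, a thin one.
    owner = [("contact_email", True)] * 4 + [("login_city", True), ("create_year", None)]
    attacker = [("contact_email", True), ("contact_email", False),
                ("contact_email", False), ("login_city", True), ("old_password", False)]
    for label, attempt in (("owner", owner), ("attacker", attacker), ("thin", [("login_city", True)])):
        d = score_attempt(attempt)
        print(f"{label:9s} posterior={d.posterior_owner:.4f} action={d.action}")
```

The thresholds and priors are policy knobs; the point of the calibration table is that the weight of each question is derived from how well attackers actually do on it, rather than guessed.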


> For dormant account reactivation, they can ask the user for lots of details that are in the account. For example, "please type in email addresses of as many people as possible that you have sent emails to from this account".

Oh, no. I'd rather they just up and deleted the account, instead.

It's already painful enough to get into old Google accounts that you haven't used for a while.

For a dormant account, what are the chances that you're going to remember the email address that someone used years ago? People have address books for that, and the address book is locked on the other side of that password prompt.

> During the 7 days, contact the users top contacted email addresses and ask them to reply confirming the user is trying to reactivate the account.

Yeah, nah. That's awful for several reasons.

It's another phishing-like prompt - "Hey joe bloggs is trying to log into their email. Do you think it's really them? Click here to let them into their account".

If you invert it, then you're at risk of someone with a grudge against you clicking the "No, it's an attacker" link. Even a friend clicking it because they think it's funny.

There's no way I'd want most of the people I email to have any involvement in accessing my account, without me being able to nominate specifically whom the system emailed.


God no. I don't think you've thought of the edge cases at all. I have a 2nd email address I use for emergencies and almost never log in, but when I need it, I'm going to need it straight away, not in a week.

Also, gmail should never ever be emailing your contacts! It has no idea what your relationship with them is or what information about your actions you want to keep secret from them.


Back in the day, when online banking used printed TAN-lists as a second factor, phishing sites would ask "Please type in your next 10 TANs". That is what your "please type in as many"-idea reminds me of. :-)


Have you ever tried to recover an old google account? They ask much harder questions than the silly examples you gave. It’s already extremely difficult for legitimate users.


> Making it harder to log in to dormant accounts from new devices and locations.

There is no justification for making it difficult to log in to accounts that have never sent spam; that's the user-hostile part of gmail. They have it in their logs which accounts are sending spam.


When an attacker gets into a dormant account and sends spam, it's because they have already mined all the data in that account... I.e. they've already taken over every account that used that account for password resets, they've already stolen any credit card numbers they could find in the drafts folder or pictures of driving licenses and passports that were uploaded to Google Photos...

Sending spam is the last step... The steps beforehand are much more damaging to the user involved. And, sure, you could blame them for reusing their login password, but not being well versed in computer security isn't widespread, nor a reason to punish them.


> nor a reason to punish them

Locking people out of their account (which sometimes means a large chunk of their real life) with no recourse is very punishing and inexcusable.


And Facebook, for some reason. Which is weird as I've never signed up for any Facebook owned service. Never looked into how they do it, but they keep coming.