Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Will Google delete inactive gmail accounts that forward email?
69 points by tikkun on Sept 9, 2023 | hide | past | favorite | 92 comments
Google is doing their "deleting inactive account" thing.

I have some old gmail accounts that forward email to my main account. I don't login to the old ones, but I read the mail that comes through.

Does anyone know if they'll count those old ones as inactive and delete them?




All those people in this thread saying to just login to these accounts to reactivate their deletion timers are off track.

It is virtually impossible to login to an old Google account for which you never set a recovery phone number - and completely impossible if you did set one but no longer own it.

And there is no human support of any kind at Google that you can discuss it with.


I'm in this boat. I have valid credentials for my (now deceased) dad's Gmail account. But I can't login because Google doesn't trust my valid credentials and insists on sending a recovery code to a phone number that hasn't been in service for a decade.

His hotmail account I can get into no problem. There used to be a time when you would trust Google ten times more than Microsoft not to mess with your account, lock you out, delete you for inactivity. Those days are long gone, fuck Google.


Have you considered filing a complaint with the FTC?

I’ve contacted them recently with regards to how Big Tech unilaterally handles account security with no consumer recourse for these cases, so follow on complaints from those experiencing this would be helpful.


"Federal Trade Commission | Protecting America's Consumers" - what about the rest of the world? Does anyone know whether it makes sense to exercise this option for non-American citizens?

I can't log in into my Google account either. And yeah, the account was free (money-wise) - judging by FTC's forms, the paid accounts are the ones that matter.


Most countries have an equivalent body and given Google operates globally they could help.


Might be worth trying since Google is headquartered in the US. More complaints on the pile get more attention.


Long shot, but have you tried contacting the person with that phone number?


Seems legit:

<Total stranger> Hi, when you receive some TOTP codes on your phone, those are supposed to be mine. Could you be a lad and just forward those on to <random number>? Thx!


If you want to sabotage your chances, that's one way to do it. Or you could write something else that's more likely to be successful.


“Hi, my Dad died a number of years ago and this was his old number. I’m trying to reactivate one of his old accounts as there are a lot of old memories that mean a lot to me in there. Any chance you could forward the signin texts you get so I can do that? I’d greatly appreciate it, and I’ll change the info as soon as I can so you stop getting spammed. Thank you for any help you can offer!”


“Hi, I'm a Nigerian Prince, and my Dad, the King, was brutally assassinated by the opposition a number of years ago and this was his old number. I’m trying to reactivate one of his old accounts as there are a lot of evidence that mean a lot to me in there. Any chance you could forward the signin texts you get so I can do that? I’d greatly appreciate it, and I’ll change the info as soon as I can so you stop getting spammed. Thank you for any help you can offer!”

"Oh and I have $500 to sweeten the deal, just send me your bank deets."

In seriousness, it is not impossible to envision a near future when it would be illegal to share TOTP codes or other secrets related to security/authentication. If someone is the target of your scam and shares these things, perhaps he can just be sued into the Stone Age by the allegedly dead grandfather with all the nice photos.

I don't care how you sugar-coat your cutesy text messages, this sort of scheme sets off every social-engineering red flag possible. How rude, to ask a total stranger to share secrets. Many of these texts are explicit: "don't share this with anyone!"


And you can get a lot more creative than that. Even paying them, verifying your identity for them, etc. See the thread from the last time I mentioned this for a few ideas:

https://news.ycombinator.com/item?id=32862891


This is only partially true. I have many GMail accounts (I often create a new one per each service where I create an account) and went through all of them a couple of months ago to make sure that they are not deleted. All I needed was a recovery email address (to which I luckily have access) and a brand new phone number (whatever number you have access to, does not have to be associated with the account in any way).

The part that is true though is that you're out of luck if you set a recovery phone and you no longer have access to it (same for recovery email). But even then I was offered a possibility to contact support to resolve it. And if someone is desperate they may try calling the new owner of the phone number and kindly ask for the code (you'll sound like a scammer, but hey, it's worth trying ;))


No, it's all true... personal experience, several times over.

Even if you do everything right in the new phone number case, in many cases Google will just deny you entry for no stated reason at the final step. Sometimes you get lucky, as you did (and me too in some cases), but many times you don't.

As for being offered an option to contact support, I've never seen that myself.


I was recommended ‘OneGoogle’ awhile back on a similar thread, which turns the account into a paid one, and gives access to (some) support.

Obviously not helpful once the account is locked, but might be worth considering for worthwhile accounts before something like that happens.


So the best thing to do is pre-emptively delete the recovery number from the account (providing you have alternative recovery options set up)?


Heck, I have trouble connecting to my work Google account from my personal laptop. I have the username, password, 2FA and I’m connecting from the same IP, but Google somehow knows better.


Oh, that’s just the a work-life balance feature!


There is one way but it's not easy, maybe impossible.

Use the same ISP in the same city you created the account.

Google security seems to sees that as one step in the validation of ownership.

If you've moved or your ISP is gone, well that's impossible of course.


There was a related Tell HN post about this situation that led to me recovering my pre-undergrad gmail account recently.

https://news.ycombinator.com/item?id=36335975

In my case, I had a record of what my password on the gmail account had been when I last used it, but when I tried logging in with that password years later, it didn’t work, and there was no way I could figure out to recovering access. A few months after seeing that Tell HN post, I tried again and the system allowed me to log in.


The thing that baffles me the most is that literally no one at Google has thought of this. They should be having meetings where they come up with scenarios like this and plan out realistic ways of dealing with them. Google isn't responsible enough to run an email service, it's a toy business where techbros fuck around all day.


They have and do. The issue is fraud and account compromises are so common (due to password reuse being the norm and every other site under the sun getting compromised), that they’re in a catch-22.

Support can be Social Engineered easily (especially if you don’t spend massive amounts of money on it). Making support not socially engineer-able is essentially impossible too with their user base, as the user base is too diverse.

Technical solutions currently suck, even if we ignore that most of the population is unable to effectively use them.

There is no consistent way across their user base to even verify a person exists, let alone that they are who they say they are, let alone that they are who created or owns the account!

And no one even puts the closest local equivalent into their Google account for legitimate reasons anyway.

Like who would want to upload their Birth certificate? Or passport? Or DL/ID? That’s a terrible idea. And many people don’t have the US equivalent to one anyway.

Not to mention, deep fakes have gotten really good. Not that a US company is going to have much luck identifying a fake (or real!) Belgian equivalent for instance anyway.

So they go with heuristics, which always have edge cases, try to hide what rules they use to avoid being gamed at scale, and hope for the best. Not great. But seriously, what else are they going to do?


Thank you for the thoughtful reply. I will admit I was fulminating a bit. I'm just extremely frustrated that their solution to edge cases is to drop them on the floor and there's nothing to be done. No individual Google user actually matters to the company, but many people actually need their email account. The asymmetry of power and money here just isn't sustainable.


I get it. It really sucks. Banks doing it too is also really shitty. I didn’t take it personally, I hope you didn’t either.

At some point I’m hoping a sane plateau becomes apparent. Or at least a realistic ‘plan B’ for how to recover from this.

Generative AI though is really poisoning the online well, and I don’t know what we’re going to do about it.

Captchas were never great, but near as I can tell they’re literally only stopping real humans now, for instance.

When someone can easily gin up thousands of impossible-to-tell-they’re fake IDs for people that never existed?

That breaks almost every verification process anyone has right now. Except in person ‘show up and provide the actual physical ID’.

and that’s the reality we live in.


My gmail somehow allows to click some options, show the last digits of the number, and just type the complete number to login


> It is virtually impossible to login to an old Google account for which you never set a recovery phone number

Define impossible? If you've forgotten the old password obviously you can't get in. I don't see why it would otherwise be impossible.


Because Google can unilaterally reject valid credentials if it doesn't feel it's certain it's you.

Although I can see why this would be impossible if you have a phone number set that you no longer own. I'm not sure what exactly Google would ask for if you never had a phone number set.


I never gave a recovery phone number for any of my accounts. While they regularly ask for one to improve my security, I've never given one and they continue to accept my logins from all over the US as well as granting some apps (thunderbird) access to the account.

I do however get notifications on my phone asking if the login was me.


> Because Google can unilaterally reject valid credentials if it doesn't feel it's certain it's you.

Unbelievably, this even includes rejecting credentials for a non-GMail Google account, even after the user has clicked a link to confirm ownership of the email account the account is associated with.

Ask me how I know!


Clearly you haven't done this yourself, because it's not enough with just your password.


So what happens? If there's not a backup phone number or email set, what could they possibly ask for beyond the password?


They ask for your current mobile number -- at least in germany and without any anonymization beside standard browser configuration like e.g. uBlock Origin. So it's simply to suck in numbers. I have not tried if they ask for more data after giving a phone number and so I can't log into two google/youtube test accounts any more since a few years.


The phone number is the last step, at least it was for me. I had luck with virtual phone numbers, not the freely available ones, but paid apps like e.g. Vyke.


So what happens after you use Chrome and type in your number?


I have an ancient alternate identity Yahoo account which I used as the recovery account when I created a similarly named Gmail account.

Have used each every few months.

Each specifies the other as the recovery or backup account.

Neither has 2FA set up because I did not want to tie my cell phone to the identity.

I am now locked out of both accounts because…each sends a second factor code to the other.

It isn't a huge loss to me…though recruiters trying to recruit the related but obviously fake LinkedIn profile may be saddened to never get a reply.

I totally understand why Google, Yahoo, and others are purging inactive accounts. Between GDPR and widespread account takeovers it's an expensive nuisance (and if the account is "inactive" then it's not generating meager advertising revenue to pay for the nuisance).


[flagged]


I paid 400 USD per month for their support and this is completely untrue. Google has a culture of unhelpful support. They might have someone that answers the phone. But they will NEVER help you. It's against the Google DNA to help individuals.


We have AdWords accounts that spend 6-7 figures a year and it takes 3 weeks to escalate a ticket correctly.


Except we see this all the time on HN. Google support is yelling loudly into HN/Twitter and hoping a Googler picks up your case internally.

The way Google has proven to work, is you have support until the AI/ML model says terminate the account. Essentially, support exists until you need it most. There's no warning, no explanation, just one day you're done, locked out. You can't even export your content off the platform once terminated. I don't see how Google One is expected to help users when developers for Android/Stadia which pay Google a heck of a lot more end up the same creek [0] [1] etc. You even concede it probably won't be helpful.

[0] https://news.ycombinator.com/item?id=37224391

[1] https://news.ycombinator.com/item?id=26061935

They eventually get reinstated (looks like d4rken got reinstated last night), but not before they take to social media and Google gets requests for comment from a handful of news outlets. And still, they usually have no idea what they did/didn't do to cause it. They're left guessing but ultimately could have the rug pulled again at anytime.


Your description is pretty on point. It was eerily casual in relation to how much turmoil it creates for me. One day it was gone, another day, it was back. I have no idea why anything happened.

I also think that social-media reach has helped my case.

It feels very dystopian that this is de-facto way to approach these issues with mega-corps.


It's ridiculously dystopian. At a whim they can end a person's livelihood, and depending on how integrated one is in their ecosystem, just erase their whole interface with the world. Unless you get a personal comment from a Googler on social media, there isn't a drop of humanity in the whole thing. Heck, it's almost ritualistic, like how some religions pray/yell out to the God's and craft offerings to appease them. Instead of rain, we pray for access.


How do you subscribe to Google One if you can't sign onto your account?

Create a new account just to give Google some money and pray that they'll give you support about another account?


Not to mention, google is the flakiest company ever. Even if you paid for supoort, the second you tried to use it, you'd likely find it canceled, google having moved on, distracted by some new shiny.

Oh, that support was for google video, but we transitioned your account to Android TV and then Play Video and that support isn't valid, because I'm a vapid airhead called google!

Jesus Google, the average person doesn't want a soap opera and drama, just to use core services.


Human support of any time opens up tons of social engineering situations that enable account takeovers - and these hurt Google’s reputation more than any abandoned account story.

What do you suggest would be sufficient proof to the Google human support representative that would verify that you actually did own that account? They already have a process in account recovery that includes inputting the last password you know, entering the month you think you opened the account, and answering some extra questions, after which a human reviews your answers to determine if it’s really you. I’ve had this done for one of my old accounts and I was granted a link to reset the password for that account and set up new recovery details.


>Human support of any time opens up tons of social engineering situations that enable account takeovers - and these hurt Google’s reputation more than any abandoned account story.

That's an absurd assertion to make. Amazon makes it very easy to get a hold of a human for support (particularly compared to Google), they have no issue with social engineering driven account takeovers despite that it'd be pretty easy to cause significant financial damage within just a few hours.


All Amazon accounts that have ever purchased something are linked to a name, payment card, and address. A random Google account might not have any of those. How could Google possibly tell who has access to it?


For example, if an account has been inactive for years and suddenly someone is trying to login, is consistently making an effort over a reasonably long period and is willing to prove their own identity in some official way (such that if it turned out they were lying they could be trivially identified and prosecuted), then they can reasonably allow access.

On the other hand, if an account is still actively logged into, it would be obvious that anyone else trying to get access should not be allowed to do so.


This happens all the time via credential stuffing - or even after credential stuffing someone's email inbox and searching through all relevant account activation emails. Just saying "lower the security if it's been x years" isn't adequate and could cause serious harm if the abandoned account has important or secret information on it. Better to keep it secure and inaccessible if there is any doubt that the human is an attacker.


So I checked with Google One support, here is the answer from them: (and they were fine with me quoting them in a public forum)

Q: if I have an email account X and it auto-forwards email to an email account Y , will X be considered as an active account

A: “The short answer will be NO. Google considers an account active if there is a recent login to the account.”


Disgusting position, thanks for sharing though


The way I read their deletion terms, if you have some money in the account's Play Store Balancee (say by depositing a $10 gift card), they won't delete those accounts.


Came to the thread to say this.

The same is apparently not true about the old Grand Central phone numbers though. The account will still be active for phone but the number will be gone.


Your forwarding accounts will probably be deleted according to their policy [0] as an active account is specified as "include these types of actions you take when you sign in or while you’re signed in to your Google Account:

    * Reading or sending an email

    * Using Google Drive

    * Watching a YouTube video

    * Downloading an app on the Google Play Store

    * Using Google Search

    * Using Sign in with Google to sign in to a third-party app or service"
 
[0] https://blog.google/technology/safety-security/updating-our-...


"Downloading an app on the Google Play Store" is what will spare my account and any body's with am Android phone.


Trite reminder: Google sells advertising, not email accounts. P**ing off an individual email user (or many tens of thousands of them) is not something they are going to worry about. What are you going to do, stop using the Internet?


What I’m going to do is not trust google.

Not trust their AdWords and look for alternatives.

Not trust GCP and use aws and azure.

Not trust new products.

Google’s brand is interconnected and it’s shortsighted of them to think “it’s just a few thousand inconvenienced.”

Imagine if Whole Foods also had a product line that sold caviar and they swapped it out for dog shit and they didn’t care because it only affected a few thousand customers. It’s not the number of customers that are important, it’s the reflection of the organization.

It’s deontology vs utilitarianism. Trying to do spot based utilitarian calculations without considering what principles lead to overall good is a stupid thing for an org to do.


Somewhere a Google executive is writhing on the floor, moaning from pain and despair. "Prepend's words burn like fire."

As the OP said, What are you going to do, stop using the Internet?


I use the Internet just fine without google, not sure what you’re on.


I am Spartacus.


I would agree, but it's observably not true since their brand going to shit has had no effect. If it had, they wouldn't continue being as terrible as they are.


It takes a long time for big companies to collapse. I mean Novell was still around until 2014 and they peaked and sucked since like 1995.

Google can coast for 30 more years, or longer.

Comcast is slowly dying but will be profitable for a long, long time.

So you can have a bad brand and exist for a long time.


If this was true, it's going to hurt a lot more than Novell and Microsoft's domination :(


> What are you going to do, stop using the Internet?

No, simply cut them out of my life while using AdNauseum to bleed them dry. The Internet existed before Google and will continue existing after they are gone.


Google is run by accountants and the bottom line is all that matters.


Not sure but sounds like you’ll have time to try avoid the deletion. The warning emails should forward to your main account.

“Before deleting an account, we will send multiple notifications over the months leading up to deletion, to both the account email address and the recovery email (if one has been provided).”


Putting any personally important email account in the hands of some huge corporate provider is pretty much always a recipe for eventual problems.

Although big companies also have some leeway to steal domains (and the associated email addresses) from small companies and hobbyists, so just trying to keep your email to yourself doesn't solve everything.

Of course, that nearly every domain anyone wants is taken already is also a bane on us caused by a big company - Network Solutions, the privatized descendant of the Internic, as they realized their old rule of one entity / on domain didn't have to be followed, and blithely made their first evil sale of 80-odd domains to some household name drug company that wanted a domain for each common ailment or something. The idea of saving readable domains for future generations went right out the windows once someone waved money under their nose (and they didn't use that money to improve their UX for over a decade), and now virtually all registers are shills for shoving domains you don't need down your throats. Ugh. At least the old Internic had ethics.

Just like Google had the do-no-evil motto - somehow I doubt that's still a thing. Good luck getting a lost email account of them - they didn't give my Google phone number back even though the system still knows it's mine.

A bit off topic at this point, sorry.


Owning the domain is a good compromise. I own my domain but it’s managed by Outlook. If I ever lose my Microsoft login, I can update the DNS and switch email providers.


It's good as long as you don't forget to pay the yearly fee. Sure, they send reminders, but if you don't log in to your account often then it's easy to miss them. I lost a couple of domains this way...


In Finland we have Iki Ry[0], which is basically a non-profit that does nothing except give people access to @iki.fi email addresses. They've been running since 1995 IIRC and they collect no monthly fees, just a one-time joining fee.

They don't do homepages, shells, mail hosting or anything - just an email address you can forward anywhere you want.

Nothing is stopping anyone from doing the same elsewhere in the world, all you need to do is NOT try to make it into a billion dollar unicorn startup with a hockey stick growth curve. Just make enough money to keep the lights on and maybe pay something to person or two who manage the stuff part-time.

[0] http://www.iki.fi/

(Iki is a version of the Finnish word "ikuinen" meaning forever)


Google will send you notices to your backup/recovery email if and when a time comes that they want to delete the account.

Make sure you have a backup/recovery email on the old accounts and you’ll be notified before anything irreversible happens.


Except Google blocks you from logging in to your own account even if you can receive the forwarded emails elsewhere.


One of the best ways to prevent the count down timer from even starting is to take an old android or iOS burner phone, sign into Google services, leave the phone powered on and connected to a Wi-Fi network, and then walk away.

The countdown timer will never start and it satisfies one of googles requirements.

Another way is to deposit cash into something like Google voice or playstore. I used to use Google voice to call internationally and have like $4 in there. Google won't ever delete this account because of my unused funds. Annoying but worth it if the account is valuable to you.

Regardless, remember when Google used to have that storage counter that kept going up? I do.


Anecdata of one. I've got a Gmail address that forwards emails to another address.

Somehow I can no longer login to the address that forwards these emails and I can't reset my password. It's been like that for a long time.

Suffice to say I'm transitioning away from Gmail. I also assume that there are more people like me in this situation.


What are some good alternatives?


Maybe sharing my experience helps in some way:

I’ve been using a handful of these accounts nearly 10 years ago. Not much if any mails received on them for at least a few years, and received the inactive notification for all of them last month. Note the nuance that these account didn’t have mail to forward for several years.


Likewise curious about this, I haven’t actively used my gmail account for 5+ years but I still get the occasional genuine email forwarded to my real account from it.

Also curious whether “deleted” means “actually erased” or just “removed from gmail and your mailboxes added to the pile”.


Posts like these make me so happy I cut all Google services out of my life. It really is an evil, unreliable company.


I receive emails on several accounts I never log in to, which forward through my main account and they do not appear to be flagged as inactive.


Deleting inactive accounts is a new Google policy only starting this coming December: https://support.google.com/accounts/answer/12418290


No. From the announcement email:

> While the changes go into effect today, the earliest we would enforce any account deletion would be December 2023.

> If your account is considered inactive, we will send several reminder emails to both you and your recovery emails (if any have been provided) before we take any action or delete any account content. These reminder emails will go out at least 8 months before any action is taken on your account.

I have no indication that any of my accounts are inactive and thus there should be no action for the next eight months.


My understanding is that the reminders will only start in December, and then actual deletions will only follow after the appropriate grace period. My point is that you shouldn’t be surprised that you are not yet seeing any indications of your accounts being considered inactive. I have several inactive accounts myself and haven’t received any reminders as well.


That may be true, but then I fail to see how it is possible that an account could be deleted per this policy in December. The wording seems to clearly indicate that deletions could happen in December, which implies that notice would have to already have been given.


What about delegated account access? Is that considered a login, given it wasn't using the credentials of the account being accessed?


Does checking the email via the iOS gmail app count as logging in? Or does one need to explicitly log in via a browser?


This is oddly comforting tbh.


Why not Just log into those accounts once?


Many account don't log in because of security issue. They start to ask recovery email which I have forgotten or phone number that I don't have access anymore.


Just set the forwarding address as the recovery email.


They'd have to go back in time to do that if they can't get in... that's the point.


Why not have something log into those accounts and pull the email into your main account?


That's what email forwarding is, i.e. using IMAP or POP.

OP is just asking if that counts as "logging into" the Google account


> That's what email forwarding is, i.e. using IMAP or POP.

No, mail forwarding is SMTP and requires no access to pop/imap. What you're thinking of is the ability of Google to fetch from other accounts using POP.

Once mail forwarding is setup you can lose access to the account and it will still with. In contrast pop fetch will only work as long as you can log in the account.

They can both achieve similar goal (have mail from one account show up in another), but they work in fundamentally different ways


It’s not at all what email forwarding is.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: