Tell HN: Lost then regained access to Google account, with correct credentials
"Google couldn’t verify this account belongs to you."
I clear cookies once in a while and usually can recover my account but this time, no option to recover: https://i.imgur.com/vb1mliN.png
Even if I have the correct login and password.
Luckily, I forward all my emails to a 3rd party so I should still be able to read my new mail but I lost access to a lot of other stuff.
Edit: Account recovered. I used chromium to login (which I never do) and then back to Firefox.
150 comments
[ 3.9 ms ] story [ 199 ms ] threadThe only option is to "try and enter the last password I remember". Besides that there's no way to reset the password.
Why even bother informing me at my recovery address about the suspicious login then?
As long as a recovery address exists, it must be able to reset password?
I'm not saying that's good behaviour on their part but it looks that way.
I recently wasn’t able to recover an old account because I did not have access to my 2FA number and their help site suggested I “contact the phone company to recover the number, then try again.”
I had to do the same exact thing for another service but they did allow me to change the number by providing some information like last transaction, ID, selfie with statement.
I tried to find a pay as you go sim where the number doesn't expire and I would use that exclusively for 2FA but such a sim does not exist in the UK, most expire after 3 months the longest is 6 months.
Now I know this is an issue but it doesn't seem like there is anything I can do to solve it.
I wonder if used with a smartphone (mine is in a dumb Nokia) whether you can automated a SMS send or outgoing call once every month or something?
You can't create regulation requiring anyone or anything be competent and responsible.
If you entrust your livelihood to a company that cannot be trusted, that's on you.
The 'free' era of the internet has been enabled by excessive liability shields granted to shareholders that are collectively worth trillions of dollars, and those riches have been built around callous disregard for the property and rights of billions of people worldwide.
That being said, with Gmail, you get what you pay for. With Google's paid for hosted email, you don't get what you pay for either. It's not a good provider if you ever have any issues with it that cannot be solved by their automated processes.
«A malpractice lawsuit? You silly goose!»
The GDPR's Right to Data Portability means that a company is obligated to give you access to your personal data - they are within their right not to have you as a customer anymore, but they must give you at least a copy of whatever data they already have.
Of course, you'll probably have to jump some hoops to prove that you are you, but IMHO that's a reasonable compromise.
Assuming it's the latter: given enough evidence that you are you (same name as the recipient, deep knowledge of the account, knowledge of the password, etc), any court would rule in your favor and force Google to turn over the account. But I would be willing to bet that, assuming you are no one "special", they would relent much earlier in the process - the cost of the lawyers alone would probably outweight whatever profit they obtain from you, and GDPR fines can be high.
But how can I prove I own my email if I don't have the credentials / Google won't let me log in?
https://7c0h.com/blog/new/lost_gmail_ii.html
In short, you can send their Data Protection Office a letter demanding access to your data. In my case it took almost three months but they eventually relented and reset my password. I guess a lawyer could have gotten it done faster, but who knows.
Edit: I was able to login using Chromium (even if I never usually do)... and now it works again in Firefox. I wish Google would just accept my credentials and ignore the rest.
https://xkcd.com/806/
In the end we just said: "Sure whatever, it smelt like burned electronics."
The most frustrating thing was that even though my phone number was linked to my Google Account, they didn't have an option to send OTP to my phone number to reset my password. Even after contacting Google support nothing helped, eventually I gave up and created a new account :/
This is good, really. https://en.wikipedia.org/wiki/SIM_swap_scam
Am I understanding this right that you had the correct password but no 2FA authentication and somehow a Firefox user agent on Linux triggered google mail servers to shut you out?
I never really tried with chromium perhaps I can still retrieve old data (Google Support was obviously non existing on this issue).
Also I travel a fair share (used to) and never faced any issues with any other services except gmail.
It's too stringent to assume the same machine/storage/ip are always used.
Firefox didn't work, because person deleted session and didn't have second factor (nor backup auth methods). Chromium worked, because it still had device session.
I'm traveling and using TOR and VPNs just like everybody else and haven't faced any issues. There most definitely is a problem with communicating security/accessibility tradeoffs to the public though, so I'm not putting blame on the op here.
https://support.google.com/accounts/answer/1187538?hl=en&co=...
Not sure why companies nowadays rely on your tiny device to provide a second password. Both my passwords and 2FAs are on that device, what security does it add?
And why do they need a password if they are going to require Timestamped-2FAs anyways?
(Sorry for the obviously totally useless comment that is not helpful in any way. But seriously: I've seen this happen to a number of people, and you're just out of luck - computer says no. If you value your digital history, host your mail and file at a party where you pay for the service - that makes you a customer not a product)
I have my main email service through Protonmail and my GMail account is for all the spamming email stuff.
And then the hosting company has a fire in their datacenter and there’s someone on HN saying it’s still your fault because you needed to do backups as well. And then you have a backup issue and there’s someone on HN saying it’s still your fault for some other reason.
https://www.reuters.com/article/us-france-ovh-fire-idUSKBN2B...
Tech megacorps often behave badly yes. But what can we realistically do about it? Discussing that just puts into yet another pointless political argument. Even in the best case situation it may take a decade to actually do anything, assuming whatever gets done actually works the way we hoped.
Maybe we should do something like that one of these days. But meanwhile, the OP has an actual problem right now. They would probably appreciate something they can directly do to fix it now or ensure it doesn't happen, instead of moving the discussion to the 50 billionth political argument on the internet that does nothing to help them.
I have some sympathy for both sides of the debate, but fact is that if your emails are important to you, using a free service from a rather unreliable company like Google is the lazy choice. One of the main reasons it is free is because you get no support if something goes wrong.
No, it’s the opposite: you get no support because there are too many people using it because it’s free. In theory paying for a service should get you better support, but in practice there are thousands of counter-examples.
https://news.ycombinator.com/item?id=19146110
[1] https://isync.sourceforge.io/mbsync.html
[2] https://github.com/JakeWharton/docker-mbsync
Obviously I am not the only one who have been experiencing the issue, e.g. https://webapps.stackexchange.com/questions/71153/takeout-br...
The issue does not happen when doing backup with another tool e.g. mbsync.
The responses I've seen to other people with this problem are not encouraging, amounting to "oh, you must have done something out of the ordinary, try again in a few days". See, for example:
https://news.ycombinator.com/item?id=20054083
https://old.reddit.com/r/DataHoarder/comments/i6cn1x/google_...
https://support.google.com/accounts/thread/13380514/i-can%E2...
https://twitter.com/veerismo/status/1341605248834498561
Edit: better links
If anyone wants to see how intent big tech is on tying your profiles back to personally identifiable information, connect to a VPN and try to create new accounts on various services. It's basically impossible without a non-VOIP phone number. If you manage to get an email address, big sites like Facebook and Twitter will instantly lock your account and require SMS verification.
Big tech discriminates against anyone that doesn't have enough money to own a phone.
My general understanding is that Google wants to prevent account takeovers, as it happens far too often. They flag accounts for various heuristics, even if you know the login (as it could be someone that stole your credentials). This normally should just trigger 2FA for that login. If that doesn't work, you likely need to go through the account recovery flow:
https://accounts.google.com/signin/recovery
I hope they appoint the fruit ninja as head of the DoJ so he can slice Google into a thousand pieces :-)
Every one of them required a phone number and had all kinds of algos and databases in place to thwart anonymity. If all of your demographic information didn't match the country your IP address was in the experience turned into a brick wall.
I did this a few years ago when establishing an onion (new accounts created and accessed only over VPN+TOR) identity for the dark web and didn't have a problem.
If I needed to hide my identity and communicate with people as a non-techie journalist or dissident I would not know how to proceed at this point.
This is not being done to fight terrorism. The real reason is to ensure that every user is a real person that can be sold.
When some fat cat spend thrift advertising executive complains about possible sock puppets numbering in the millions on their platform they just kick back and explain thier byzantine system of identity verification.
People still send emails to my gmail address, including my own family. It forwards to swiley.net for now but that probably won't last.
Goodle production: "We're not responsible for your livelihood"
Same from Microsoft
Clueless users next day: "Damn, I got locked out of my account, there are no alternative email addresses for recovery, I lost Ubikey and didn't save backup codes"
They have your data and they are effectively arbitrarily deciding you can't access them anymore.
you may have to get a letter from an actual lawyer
Could it be some autofill or other cached information jacking with the form input?
I've been exposed to that type of Kafkian catch-22 nightmare scenario all too many times :|
It's a very bad idea if you want to use the account as a Google account. i.e. smart home does not work, lots of user features do not work, there is no workaround to this other than "don't use a Google Workplace account for personal life things, get a Gmail account".
Example of the pain to try and migrate from Workplace to Gmail just to get the workaround working: https://medium.com/@buro9/one-account-all-of-google-4d292906...
By far a better email service and the 2fa just works.
Also I have created accounts for my children, my wife with very little costs. The magic? This very well supported project:
https://github.com/docker-mailserver/docker-mailserver
All of a sudden my hand written emails to clients were going to spam. Namecheap verified my spf/dmarc/etc was all setup correctly and told me there was nothing they can do.
I don't communicate often and am just using my personal email address for now, but I'm looking to switch providers
I've not found an online service you can't switch emails with.
I've probably switched email addresses on 200+ websites now, and there were a handful that don't seem to allow switching email addresses back when I made the switch. The situation could have improved since then, but you're basically right, very few don't allow one to change their email address.
Doesn't this work for folks?
Before I migrated my domain and old emails to Fastmail I contacted their support twice to see what I got. Once I simulated an account lockout, the second was more of a technical problem. I can't remember the exact steps that I needed to take, but I do remember that their support was quick to react, had surprising technical depth, and fixed my "problems" faster than expected. I had no problem trusting them with my data.
Has anyone actually tested Google One's support?
To give a baseline: I pay for email hosting through a reputable non-Google company. It costs me about $40 a year, for both the domain name and the email hosting, and it didn't require me to have any technical knowledge to set up. Compare that with, for example, my cell phone plan (around $100 a year) and it seems pretty affordable, or at least comparable to other common bills.
I think it's helpful to think of this in terms of other utility services. People tend to agree that heat, electricity, phone, etc. should be accessible to the non-rich. But those still cost money to operate, and the cost is paid by consumers. (There can be a broader discussion around who should pay for this, but the money does come from somewhere.)
If we decided that electricity could be free, but that it would be funded through personal data collection, that you could permanently lose access at any time, and that you wouldn't be able to get outages fixed in a timely manner, that most people would prefer the current model.
The bottom line is that email is pretty important to modern life, similar to a phone. One way to ensure that your email is reliable is to pay for it.
What's more funny is that I figured, well, I'll just create a new Google account and sign up for Adsense again for my domain with the new account. Turns out you can't do that because the domain for the Adsense account "is already in use by another Adsense account".
There is simply no customer service.
I then requested a password reset and tried a couple of the account rescue codes. Turns out I'd used these specific ones before but hadn't marked them as used (doh!) and at that point stopped in case of a hard lockout due to "suspicious activity".
So at this point I capitulated and just went for the "I'm dumb and forgot my password and have no other codes or keys" option. I was then told it'd take SIX HOURS for google to verify my account before they'd send me a password reset link.
Luckily it all worked out and all I lost was an evening of Stadia, but I couldn't help feeling I was teetering on the edge of loosing my account.
Footnote: yes I have considered switching to a paid service such as Proton Mail, but at the time covid happened, I lost my income and couldn't afford it. I think this experience will spur me on now that I'm gainfully employed.
"Edit: Account recovered. I used chromium to login (which I never do) and then back to Firefox"
How can google keep getting away with this? MS got into trouble with IE with much less.
Then they expanded it to the app store - some apps, even ones that don't seem to need to be age restricted - now require I verify my age in the same way. I just give them the middle finger and manually install the APKs for those apps.
Unfortunately, no way to get around the YouTube restriction though.
Google having a complete monopoly on this stuff has got to end at some point. They have way too much power over what are now pretty mainstream services to the internet, especially since they cannot be completed with by most companies, even those with adequate funding and reach.
Wasn't this added because of some EU law? It seems that YouTube's interpretation was that asking this is the opposite of illegal, actually legally required.
I'll give it a try though, thanks. There are some High Boi videos I still haven't seen :|
If you're not trusted, then any phone number you give shouldn't be trusted, either.
If you're trusted enough to be let in when you give a phone number, then you should be trusted enough to be let in without it, and then asked for a phone number, if one is really needed for 2FA.
I assume this restriction is against automation. As a complete guess on the heuristics: If the phone number you gave them is a "virtual" one, you are out. If it was used too frequently for recovery, you are out. If they are already familiar with it as belonging to someone else who is unlikely to also own the current account, you are out.
With those heuristics you need to provide a "fresh" phone number that likely belongs to a real person and costs real money to purchase and you are unlikely to want to "burn" for just 5 out of 5,000,000 of your automated attempts.
Their response email was simply my password. Not a password reset link, not a new random password. No questions asked.
This happened less than 5 years ago, when password hashing should be standard practice. But tripod was created in the 1990s when it wasn't standard, and I guess there was no budget/willingness to refactor the old database and login code.
I was not surprised to hear a few years later that their cleartext password database had been hacked and published.
Despite only ever logging in from a residential line in the same city for entire life of the account; one day there was """suspicious activity""". I did everything asked.. confirmed every detail, provided backup codes, secret answers, gave up phone numbers, every password change and dates, even the exact date and location when the account was created, E V E R Y T H I N G.
Turns out that my account is so secure that even I cannot access it. Well I'm sure you can imagine what a total fucking nightmare it was to workaround the absolute evil that is Google. That's my rant, I'm glad that you got your account back OP.
Recently, I became a "Microsoft Partner" which gets you a monthly Azure allowance, software licenses, and five Enterprise accounts for Office365. This is only $550 a year which is cheaper than my previous office365 small business account.
The support is great when or if you need it. You probably will.