Ask HN: My Google account was hacked, Google says they can't help
My Google account was hacked, I was messaged by someone on Facebook and they demanded I give them money or they would post my private photos. They started posting my pictures and even sent them to my family and friends, dad included! They then changed all my passwords, restore email, phone number ect to their own email and number, so I can't do anything. They wiped my phone and my son's tablet completely, all my banking is gone, everything is gone. I'm now stuck in a foreign country away from my baby with no way to get money or access my email for my travel documents. I'm really scared and don't know what to do. Google says they can't do anything to help me! They can't kick him off or disable my account, I just have to be harassed and blackmailed, and goodness knows what else. I'm a single mum and I'm in a different country to my baby, please can someone help me? I just want to get back.
Does anyone know how I can recover and secure my Google account? I've tried everything that I can find/Google have told me to do.
161 comments
[ 0.24 ms ] story [ 225 ms ] threadGoogle doesn't seem helpful in this situations, hoping someone here can help her and has solved this issue before.
Was the phishing email designed to impersonate Google and/or passed Gmail's spam filter? If so, Google should be very interested, so make sure this is communicated to them.
Getting Google's attention is unfortunately one of the few ways to increase your chances in the human intervention account recovery pipeline, which I suspect is understaffed. If that doesn't work, sharing an (appropriately redacted) screenshot of the phishing email on social media could also be helpful. (Absurd, I know)
If you're lucky, some Google employee on abuse/account recovery might see this and escalate. Wish your friend best of luck!
I believe it was one of these:
https://thethaiger.com/news/national/officials-warn-about-va...
Targeting people doing Thailand Pass, but can't confirm it's the exact same details in terms of headers and such.
Every time I commandeer a google account, its with the prior owner - usually in India - punching in the authentication number on the phone. (I get the 2 digit number on my screen and I tell them what it is, and they select the same number from a multiple choice selection on their phone)
Maybe this measure could be circumvented if remote desktopping into a computer nearby the prior owner’s postal code, and taking over the account from that computer, this is how some online credit card fraud passes scrutiny, because the hacker doesnt appear far from the location of other purchases.
> Every time I commandeer a google account, its with the prior owner - usually in India - punching in the authentication number on the phone. (I get the 2 digit number on my screen and I tell them what it is, and they select the same number from a multiple choice selection on their phone)
I think this is for Microsoft accounts not Google.
Its not that mysterious, many services uses the same authentication flow if it works to some extent.
It's not very useful advice after the fact, but multi-factor authentication and recovery email accounts are highly advisable.
Disagreed.
They could request knowledge that only the account owner would possess such as dates/locations of past activity, subjects of emails (received before the breach, so that the attacker can't just send out new emails to the target account), require multiple notarized proofs of ID or other past activity (get a letter from your ISP that attests that you had that IP address at that time, etc) and maybe a huge monetary deposit to that is required to start the process and is forfeited if bad faith is suspected.
The idea is to make the process as long, annoying and "dangerous" as possible to deter or make malicious activity unprofitable while still giving the rightful owner a chance. The legitimate owner wouldn't mind getting all these documents and leaving a huge paper trail behind him as well as waiting a month while the real owner of the account is spammed with notifications (allowing them to easily cancel the process if it turns out to be a takeover attempt), but an attacker trying to break into an account would think twice.
I once got a Hotmail account hacked and Microsoft was very much able to recover my account as long as I was able to provide them with enough information (old passwords, personal information, etc) to prove the account was mine, so I'd really try all Google avenues possible because it's your best bet for recovering your account.
If you can't access your money that's a banking issue, talk to your bank.
Ask yourself what would happen if your phone crapped out and/or if you lost your wallet. Very unfortunate for sure. But there are mostly things you can do to not make it a crisis.
I lost access to gmail because of 2FA - Google Authenticator to be precise.
One random sunny day my 2 year old bit in my phone, thereby breaking it. A few days before i had reinstalled linux and apparently had not yet logged into gmail. So suddenly I have only unrecognized devices and no authenticator. Despite living in the same place, using the same wifi, etc, I simply cannot get back in since then. Its been years with dozens of attempts from any possible 'known' device, but there simply is no way. I know the password, I know previous contacts, i have old emails, i have the password, ... But even when I enter all the info Google requests for account recovery I simply get a screen saying they will get back to me - and never do.
My fault for not having a backup sheet of codes, but I was too worried someone would find and abuse that sheet. Well, goodbye 10 years of email.
At one point I actually had a couple backup codes for some important accounts in my wallet, such as to my email. My thinking was that if I ever lose my phone and need to login to my Google account on someone else's device I would at least have access to some backup codes to get me in ASAP.
But I'd appreciate if someone from cybersecurity were to weigh in. What are the best practices for 2FA backup codes?
- recover the files on the phone, esp. files that have google authenticator cache/dbs/secret keys and transfer that to new device
- see if any token using google account is still able to perform activities and work from there
to avoid this next time, use Authy (it works the same as google authenticator and works anywhere they tell you to use 2fa with Google Auth, but it allows you to install it on multiple phones and desktop/web login too)
More than this: use a password manager that has 2FA built-in and use THAT as your google account MFA.
The "easy" MFA with gmail involves approving new login attempts with an existing authed app present. But without an activated phone or other authed devices present, there is no way to authenticate to the GMail app to receive email.
Apple replaced the back of my iPhone after I dropped it. They do this by putting a new phone onto your screen and then tossing your old phone along with its activation status. ESIM, so no way to activate it without the old phone (which is now screen-less and inoperable). I could not even activate my phone because TMobile required a OTP from my email which I could not access. (Apple did not warn me about this at all btw.)
I was essentially 100% locked out of my account and unable to use voice, data, or access my google account until I could find a TMobile store to get a new SIM card and then use live-chat on the TMobile website to relay the one-time code from my laptop which thankfully was still authed. To say I was panicking about not being able to access anything was an understatement.
Lesson learned: use an MFA mechanism that doesn't require an activated phone since you can't activate your phone without having access to your phone. Now I have my MFA details in 1Password which is restored as a part of iCloud backup.
Buy a cheap domain and use that with your gmail account. All the convenience of gmail, but if the worst happens and you lose your account, you can pick a new email provider, redirect your email and you're back in business without losing access to all those accounts tied to your xyz@gmail.com email address.
The embassy should care about a citizen stuck without money or travel documents.
2. Assume any passwords stored with your account have been breached
3. Start canceling all services and getting new ones issued
Not kidding - How do we know you are not the hacker ?
In future please use 2F authentication otherwise there is really no way for anyone to tell who is the right owner.
I think usually it's obvious for someone who can see the account's recent activity. You can also design challenge-response type questions for the person claiming the account, that only they could know, within some reasonable confidence interval.
0460 [## ## ##] and had Belgian flag so that must be Google saving country code that way.
We don't. But we can assume that they aren't for the purpose of discussion. It seems more likely that a victim would post the OP's post than a perpetrator.
Google also doesn't, but they can say with increased confidence what the probability of the OP being a victim is.
But there's an even hard problem: say person A sells their Google account to person B, and does this with completely offline communications (offline wrt Google). To Google, this situation may look no different than a stolen account, at least for some period of time. But person A is a scammer, claims their account was stolen, and attempts to initiate a recovery process with Google.
This situation is the reason I virtually never perform account recoveries for players of my games. I also require users to use a third party login (like Google or Facebook) for their account, because I want as little to do with account management as possible.
As for wiping the phone, that's a standard feature of both "Find My iPhone" and the android equivalent "Find My Phone" so presumably they used that to wipe them.
A suggestion I would make to anyone who is uncertain of how this works, and since it's a moving target: once a year, test what it takes to compromise your own account. Ensure that you're comfortable with a recovery scenario of "I can demonstrate control over X to the automated recovery service."
I did it a few years ago with my personal GMail account, which I had thought was well-secured, and it caused me to make significant changes to my security settings.
Moral of the story is when you do get ahold of Google Support they actually can sometimes be some really good help. It would be great if this was a more accessible option for people.
That would have been nice. The people I interacted with were not empowered to write bug reports (or chose not to), and suggested the community forums.
Disagree! Workarounds are solutions, just of varying quality for the long-term.
She is still logged into her account on the laptop, so she can see things, but can't make any changes (they require a password she no longer has since the attacker changed it). We saw what the attacker changed the recovery info to their email / phone as well. So recovery options aren't working. She is trying to pass their email/phone along to some form of law enforcement.
This doesn't make sense; the attacker changed all of her account information but didn't click "log out of all other locations"?
Whatever you still have access to (again, from cache, existing browser that's still logged in, etc), start making backups - screenshots, etc.
Then it would be been impossible to login. Did you use a password that was leaked? If yes - may be they logged in - and you would have got a 'notification' on your phone to allow them. And you perhaps said yes to that remote login.
So what I would suggest is to focus on getting home. If you have to borrow money from family or friends or whatever, that's what you do.
Go to your embassy, lock down your life and start a new account ENABLE 2FA. Use a decent password manger, dont reuse passwords.
A) You aren't part of the scam. (Including the possibility your HN account was stolen)
B) You haven't been fooled by the scammer as a first step.
For what it's worth my suggestion would be focus on getting home first (contact embassy) and then contact a lawyer to see if you can use the courts to force a resolution from Google.
B) See A. This is a personal friend who I spent multiple hours on video chat trying to help her recover her digital effects and trying to get access back into her account fully and ownership of it.
She needs help reaching someone at Google / some authorities who can actually help. They can verify her information and story. They can see the email being reset to a BS gmail account with typos in it which looks like a phishing email. They can see her phone number was attached to the account. She has identification.
Alternatively maybe someone has dealt with this scenario before and knows ways people have recovered from this type of ordeal that know other avenues to help.
We all dread the day our Gmail password stops working, but this is what we signed up for.
I know my gmail is safe, because I know that without the password, not even I can get into it.
This is by design.
How can it prevent phishing?
I think it's complete conjecture that it's meant to be some kind of anti-phishing method - the solution there is just removing the ability to create addresses with periods - but I guess this way has some kind of utility for users?
I'm not sure I follow? This isn't an exploit, but a feature of Gmail. It doesn't allow you to receive anyone else's email.
John.Doe@gmail.com, JohnDoe@gmail.com and J.ohnDoe@gmail.com are not 3 different gmail accounts.
It’s one account with multiple dynamic aliases using the dot.
From the link in the other comment in this thread
I tried doing a password recovery of the account (to see what I could do to change the address, or contact Playstation) and found that on their end, firstnamelastname@gmail.com and firstname.lastname@gmail.com are treated differently:
Both gave the message that a reset e-mail had been sent. Only firstnamelastname@gmail.com caused me to receive an e-mail.
So Google (and other e-mail providers, like ProtonMail) ignore the dots, but it's possible that other companies don't ignore this.
Resolving the Playstation account required calling their support line for about 30 min, talking with an agent, and then replying to an e-mail generated specifying some information to confirm that I hold the e-mail account. They seem to already have the option for reporting misuse of an e-mail address.
Anyway I couldn't remember the password, and their security requirements at the time was different from today (no recovery email, no verification etc). And as a good security practice they also put cool down periods for trying passwords too fast...
Filed for a support ticket, they told me nothing could be done because security of the account. I told them to send recovery info to the account in question (so that it would be forwarded to me), but they didn't. They also verifiably know who I am, and there was some amount of trust that it was my account.
I spent few hours of writing down passwords and copy pasting to find out. Eventually did.
This shit is nonsense.
As others have said, go to your country's embassy. Helping stuck tourists like you is their top responsibility.
Once you are home file a police report and start the process outlined at https://www.identitytheft.gov/. Consider that Google account gone.
Are you sure they changed your restore number? I just checked on my account and it doesn't seem to be possible. Even if it is possible to add another number, Google should still know your old number?