Ask HN: My Google account was hacked, Google says they can't help

291 points by lululouise ↗ HN
My Google account was hacked, I was messaged by someone on Facebook and they demanded I give them money or they would post my private photos. They started posting my pictures and even sent them to my family and friends, dad included! They then changed all my passwords, restore email, phone number ect to their own email and number, so I can't do anything. They wiped my phone and my son's tablet completely, all my banking is gone, everything is gone. I'm now stuck in a foreign country away from my baby with no way to get money or access my email for my travel documents. I'm really scared and don't know what to do. Google says they can't do anything to help me! They can't kick him off or disable my account, I just have to be harassed and blackmailed, and goodness knows what else. I'm a single mum and I'm in a different country to my baby, please can someone help me? I just want to get back.

Does anyone know how I can recover and secure my Google account? I've tried everything that I can find/Google have told me to do.

161 comments

[ 0.24 ms ] story [ 225 ms ] thread
I suggested OP post here since we spent over an hour trying to recover the account and I can't figure out any way to help recover it either. Google appears to be a stone wall, the hacker's account is obviously using a disposable email (looks like a phishing email account with typos and word accoount in it).

Google doesn't seem helpful in this situations, hoping someone here can help her and has solved this issue before.

[This is one of my worst nightmares]

Was the phishing email designed to impersonate Google and/or passed Gmail's spam filter? If so, Google should be very interested, so make sure this is communicated to them.

Getting Google's attention is unfortunately one of the few ways to increase your chances in the human intervention account recovery pipeline, which I suspect is understaffed. If that doesn't work, sharing an (appropriately redacted) screenshot of the phishing email on social media could also be helpful. (Absurd, I know)

If you're lucky, some Google employee on abuse/account recovery might see this and escalate. Wish your friend best of luck!

She doesn't have a copy, she deleted it.

I believe it was one of these:

https://thethaiger.com/news/national/officials-warn-about-va...

Targeting people doing Thailand Pass, but can't confirm it's the exact same details in terms of headers and such.

If she downloaded and executed a file, I can see how everything can go wrong fast; what are other ways to get into your Google account unless by having your enter your password in a phishing page?
I suspect the attacker had (maybe still has) full access to her laptop. They wiped her phones, so I am assuming they are clean of malware and trying to get her to do everything from the phone which should be clean and not the laptop which we have to assume is compromised.
How was the hacker able to change OP’s phone number attached to the Google account?

Every time I commandeer a google account, its with the prior owner - usually in India - punching in the authentication number on the phone. (I get the 2 digit number on my screen and I tell them what it is, and they select the same number from a multiple choice selection on their phone)

Maybe this measure could be circumvented if remote desktopping into a computer nearby the prior owner’s postal code, and taking over the account from that computer, this is how some online credit card fraud passes scrutiny, because the hacker doesnt appear far from the location of other purchases.

> How was the hacker able to change OP’s phone number attached to the Google account?

> Every time I commandeer a google account, its with the prior owner - usually in India - punching in the authentication number on the phone. (I get the 2 digit number on my screen and I tell them what it is, and they select the same number from a multiple choice selection on their phone)

I think this is for Microsoft accounts not Google.

nope, it's standard google practice when authenticating on a new device
Ive only done this on Google accounts
Is the two-digit number on your screen from a Google prompt? I thought it was Microsoft because I have seen the same flow when using Microsoft authenticator to access an outlook/live accoun.
Its on my computer screen from a Google prompt, in the browser I tried to log in with.

Its not that mysterious, many services uses the same authentication flow if it works to some extent.

Google are incredibly helpful in this situation, you just have to look at it from the hacker's point of view.
Get in touch with your banks and your embassy. Google account might as well be gone, but try to prevent any further escalation.
To help others could you please tell us more information... Did you have 2FA? If yes was it SMS or with U2F-key? Which country where you previously in? Did you change places?
If it were possible to just call up Google and get your account back then that's how people would steal accounts.

It's not very useful advice after the fact, but multi-factor authentication and recovery email accounts are highly advisable.

Even given easy access to customer service reps, there is a tradeoff between them being helpful and friendly and them being susceptible to social engineering attacks.
> If it were possible to just call up Google and get your account back then that's how people would steal accounts.

Disagreed.

They could request knowledge that only the account owner would possess such as dates/locations of past activity, subjects of emails (received before the breach, so that the attacker can't just send out new emails to the target account), require multiple notarized proofs of ID or other past activity (get a letter from your ISP that attests that you had that IP address at that time, etc) and maybe a huge monetary deposit to that is required to start the process and is forfeited if bad faith is suspected.

The idea is to make the process as long, annoying and "dangerous" as possible to deter or make malicious activity unprofitable while still giving the rightful owner a chance. The legitimate owner wouldn't mind getting all these documents and leaving a huge paper trail behind him as well as waiting a month while the real owner of the account is spammed with notifications (allowing them to easily cancel the process if it turns out to be a takeover attempt), but an attacker trying to break into an account would think twice.

Still that can be vulnerable. If you really wanted to give up privacy, it could work like bank accounts work where a human banker actually knows you. But this would cost.
I have a bank account and it costs me nothing (because the bank reinvests my money). Maybe the answer is that Google should become a bank, or banks should offer email accounts.
Well, this is not a solution for your situation, but for anyone reading this who doesn't want to be in your situation ENABLE TWO-FACTOR AUTHENTICATION on every account you have anything remotely valuable.

I once got a Hotmail account hacked and Microsoft was very much able to recover my account as long as I was able to provide them with enough information (old passwords, personal information, etc) to prove the account was mine, so I'd really try all Google avenues possible because it's your best bet for recovering your account.

If you can't access your money that's a banking issue, talk to your bank.

Cell phones are also not good second-factors, preferably a physical offline device like a yubikey.
Especially for international travel, it's also a good idea to print out key travel information and carry it with you (also cash/spare credit cards etc.). Phones get lost/broken/etc., credit cards get flagged for fraud/left in restaurants, etc. It's easy to just assume that how you do things day to day will always be available--and then they may not be and you are in an unfamiliar place.

Ask yourself what would happen if your phone crapped out and/or if you lost your wallet. Very unfortunate for sure. But there are mostly things you can do to not make it a crisis.

Enabling two-factor can help, but if you are the victim of a phishing attack as many are, one would expect one of the largest tech companies on the planet to have a plan for that.
This will only get worse. Most people have no clue what mfa is and when I tell them they find it incredibly annoying and/or forgot how it worked again when they login from somewhere else a month later. I had people deleting Google authenticator or Authy from their phone because they forgot what it was for and their phone was getting slow…
It's crazy that the onus is on individuals, who, as you point out, are often ignorant about online security practices. Put the onus for security on the businesses who safeguard information, and they will have a big incentive to force users to use more secure methods of logging in, they will do more verification for account changes, etc. End users won't have any excuse for not using MFA when they can't do anything without it.
Agreed, and if people don't want to use 'difficult tools', they could swap it for privacy: do KYC for your email account. Then you, in this case, the business could freeze the accounts until you go through the motions of proving you are the owner. Tech savvy people can then stay 'private'. Amazon has a simple KYC form for when you lose your otp device (I lost access to my sms and forgot to change to phone based otps).
Agreed, companies forcing horrible 2fa implementations are turning people off to the idea of using it at all on their personal accounts (even when it's far less onerous)
2FA is helpful, but you can usually call most service providers and get them to remove it. Often with totally inadequate security checks, like “what’s your phone number associated with the account, ok, great, I’ve removed the 2FA”. Can’t comment on Google, but I’ve had this with the British government, of all people.
Not true.

I lost access to gmail because of 2FA - Google Authenticator to be precise.

One random sunny day my 2 year old bit in my phone, thereby breaking it. A few days before i had reinstalled linux and apparently had not yet logged into gmail. So suddenly I have only unrecognized devices and no authenticator. Despite living in the same place, using the same wifi, etc, I simply cannot get back in since then. Its been years with dozens of attempts from any possible 'known' device, but there simply is no way. I know the password, I know previous contacts, i have old emails, i have the password, ... But even when I enter all the info Google requests for account recovery I simply get a screen saying they will get back to me - and never do.

My fault for not having a backup sheet of codes, but I was too worried someone would find and abuse that sheet. Well, goodbye 10 years of email.

I keep a backed up list of all my 2fa codes in a password/key encrypted storage. I am trying to avoid the kind of situation you described. I have A LOT of accounts with 2fa now, and losing access to the 2fa app would be an incredibly frustrating issue as I would lose access to many accounts.

At one point I actually had a couple backup codes for some important accounts in my wallet, such as to my email. My thinking was that if I ever lose my phone and need to login to my Google account on someone else's device I would at least have access to some backup codes to get me in ASAP.

That's a huge inconvenience, but at least it wasn't stolen.
I think the threat model for most of us is online takeovers, not physical ones. Even if you live in a dangerous country like myself, criminals don't care about your email, so I don't think there's much danger in just storing the 2FA backup codes in your wallet. They're only good for when they've already input your password, aren't they?

But I'd appreciate if someone from cybersecurity were to weigh in. What are the best practices for 2FA backup codes?

A few things I would try in that situation:

- recover the files on the phone, esp. files that have google authenticator cache/dbs/secret keys and transfer that to new device

- see if any token using google account is still able to perform activities and work from there

to avoid this next time, use Authy (it works the same as google authenticator and works anywhere they tell you to use 2fa with Google Auth, but it allows you to install it on multiple phones and desktop/web login too)

> ENABLE TWO-FACTOR AUTHENTICATION

More than this: use a password manager that has 2FA built-in and use THAT as your google account MFA.

The "easy" MFA with gmail involves approving new login attempts with an existing authed app present. But without an activated phone or other authed devices present, there is no way to authenticate to the GMail app to receive email.

Apple replaced the back of my iPhone after I dropped it. They do this by putting a new phone onto your screen and then tossing your old phone along with its activation status. ESIM, so no way to activate it without the old phone (which is now screen-less and inoperable). I could not even activate my phone because TMobile required a OTP from my email which I could not access. (Apple did not warn me about this at all btw.)

I was essentially 100% locked out of my account and unable to use voice, data, or access my google account until I could find a TMobile store to get a new SIM card and then use live-chat on the TMobile website to relay the one-time code from my laptop which thankfully was still authed. To say I was panicking about not being able to access anything was an understatement.

Lesson learned: use an MFA mechanism that doesn't require an activated phone since you can't activate your phone without having access to your phone. Now I have my MFA details in 1Password which is restored as a part of iCloud backup.

(comment deleted)
Twilio Authy is another option for those who don't want to integrate MFA with their password manager. It will sync across multiple devices and optionally back up to the cloud. (All E2E encrypted of course.) Honestly the risk of having MFA in 1password is extremely low to zero I'm sure, but I still feel safer with the two separate.
The other thing you should be doing is _not_ using the gmail.com domain for your email - at least for account sign-ups to important services.

Buy a cheap domain and use that with your gmail account. All the convenience of gmail, but if the worst happens and you lose your account, you can pick a new email provider, redirect your email and you're back in business without losing access to all those accounts tied to your xyz@gmail.com email address.

I've always done this, but I've run an email server forever so it wasn't any added hassle to have gmail download the emails using pop. I'm curious how you go about it without running your own server. Do you pay for the google email service? Or just use your registrar's email forwarding to forward from your custom email to your gmail? Something else? I tried forwarding in the past for simplicity but found it results in a significantly higher rate of false positives in the spam folder.
If you're in a foreign country then you have to go to your embassy, they are there to help in exactly situations like this. Go in person if you can.
You are delusional if you think any embassy will give a toss with respect to gmail account appropriation or associated blackmail attempts.
> I'm now stuck in a foreign country away from my baby with no way to get money or access my email for my travel documents.

The embassy should care about a citizen stuck without money or travel documents.

1. Hitup @askworkspace and @googleworkspace on twitter - loudly and publically

2. Assume any passwords stored with your account have been breached

3. Start canceling all services and getting new ones issued

Definitely talk to the nearest embassy for your home country ASAP. They won't be able to help with your Google account, but can definitely help with travel docs and may be able to make travel arrangements for you.
Right, an embassy or equivalent (if you are an American in Taiwan there is no "embassy" because that would annoy the nearby PRC but it's pretty obvious the "American Institute" is in practice an embassy) is where to start. If you are an EU citizen any embassy for an EU member state will do in a pinch, this can be important if you're a citizen of a smaller or younger nation with few embassies of its own, a different EU embassy may not speak your language but should be able to secure a translator and work with your home country's relevant government agencies.
> Google says they can't do anything to help me! They can't kick him off or disable my account, I just have to be harassed and blackmailed, and goodness knows what else.

Not kidding - How do we know you are not the hacker ?

In future please use 2F authentication otherwise there is really no way for anyone to tell who is the right owner.

> Not kidding - How do we know you are not the hacker ?

I think usually it's obvious for someone who can see the account's recent activity. You can also design challenge-response type questions for the person claiming the account, that only they could know, within some reasonable confidence interval.

I think they meant "how does a random reader on an internet forum confirm that the OP is who they claim they are"?
And most people can tell what to search for find specific emails; if that doesn’t prove it….
We've been going through facebook recovery, it requires pictures of ID. Same way you do any KYC. They still have access to the phone that was connected originally as well but the attacker put in a swedish or belgium number (it says 046 but google shows belgium flag).
+46 is Sweden and +32 is Belgium, 046 is neither though?
Yeah I am not sure, I assumed leading zero didn't matter. It had flag of belgium on google's screen but started with 046 which as you said, Sweden is +46. Maybe it's a Belgium number and starts with 046 and it hides country code.
04[5-9][0-9](+6 digits) are Belgian mobile numbers in national notation. In international notation the leading 0 is ommitted and +32 put in front.
Got it, so country code is hidden.

0460 [## ## ##] and had Belgian flag so that must be Google saving country code that way.

> Not kidding - How do we know you are not the hacker ?

We don't. But we can assume that they aren't for the purpose of discussion. It seems more likely that a victim would post the OP's post than a perpetrator.

Google also doesn't, but they can say with increased confidence what the probability of the OP being a victim is.

But there's an even hard problem: say person A sells their Google account to person B, and does this with completely offline communications (offline wrt Google). To Google, this situation may look no different than a stolen account, at least for some period of time. But person A is a scammer, claims their account was stolen, and attempts to initiate a recovery process with Google.

This situation is the reason I virtually never perform account recoveries for players of my games. I also require users to use a third party login (like Google or Facebook) for their account, because I want as little to do with account management as possible.

(comment deleted)
They could just verify he knows the old password and controls the old phone number, and probably also has devices logged into or connected to the account.
The extreme sob story makes me suspicious too. It seems that every detail submitted by this person is designed to maximize sympathy.
Yes indeed, what a bizarre post to get so many upvotes. I'd bet money that there is something shady going on here.
Ill-conceived research paper attempt?
I hope dang checks out the submission upvote analytics to see any red flags
My BS detector is at defcon 5. I'm betting this is a current or former boyfriend attempting to gain access to a account. Likely to do what has said to have happened.
Please see my current replies. I don't think I have an ex boyfriend who would be capable of this, morally or intellectually, I tend to have a type thats generally sh*t with computers like me haha
Unfortunately it's true, I'm sorry to make it sound like a sob story, Ive had the worst few days with this. I offered everything including my ID, banking, anything I could provide,to confirm it really is my account. Luckily I now have everything that's important.
If he had any purchase history, address, real name (combined with govt ID), or phone number in their account history perhaps those would be means of authentication? Authenticating the true owner of a hijacked account is hardly impossible or even very hard. Google knows who people are without them even having to log into an account from their relentless hoovering of data.
(comment deleted)
One question. Whenever you try to change something in Gmail. They will ask you to verify via phone? Isn't that mandatory today. I don't believe you can simply change passwords without a phone. But I might be wrong. Also can't you call your bank and request new access? They need to verify you, but that should be possible. Last question. How did they wipe your phone?
It's possible but not super easy to not associate a phone with it. You have to very careful not to opt in because once you do you can't opt out.

As for wiping the phone, that's a standard feature of both "Find My iPhone" and the android equivalent "Find My Phone" so presumably they used that to wipe them.

Guessing that is the case on the wipe and probably standard MO for these types of attacks.
If the account is set up long ago, that may not be a requirement
>They will ask you to verify via phone? Isn't that mandatory today.

A suggestion I would make to anyone who is uncertain of how this works, and since it's a moving target: once a year, test what it takes to compromise your own account. Ensure that you're comfortable with a recovery scenario of "I can demonstrate control over X to the automated recovery service."

I did it a few years ago with my personal GMail account, which I had thought was well-secured, and it caused me to make significant changes to my security settings.

I wonder - if HN became a really effective escalation mechanism for Google support issues, then would it make an attractive attack vector?
Easy fix, only accounts with >10k karma get the platinum tier support plan.
Sounds like I'll have to stop lurking to get ready for this.
Don't worry, you can jump to the platinum tier for a monthly subscription of only $49.99
You joke, but you pay for the increased Google storage on your account you likely do get access to support you can reach.
(comment deleted)
Nope! I have an account I pay for and Google is as helpful as always
I was a paid Google Apps (aka gsuite and maybe some other renames?) administrator. In response, I got access to a real person to answer the phone and not be empowered to do anything useful.
When I got a Google Home device it would not work to recognize my voice during the setup process and I eventually ended up somehow in contact with Google support. It was surprisingly one of the best support interactions I've actually had with probably almost any company out there. The person I was speaking with via a chat had no solutions to my problem but was creating a bug report for the problem and asking for lots of details to fill out the report. They reached out to other employees and their supervisor to try and find a solution. Weirdly the work-around ended up being them asking if I had an old phone I could try to do the setup on. It ended up working on the old phone and would not work on the other phone I had.

Moral of the story is when you do get ahold of Google Support they actually can sometimes be some really good help. It would be great if this was a more accessible option for people.

> The person I was speaking with via a chat had no solutions to my problem but was creating a bug report for the problem and asking for lots of details to fill out the report.

That would have been nice. The people I interacted with were not empowered to write bug reports (or chose not to), and suggested the community forums.

Yeah I was actually pretty surprised. I totally expected to get sent a link to their Q&A and be basically told "goodluck". But they stuck with me for quite awhile trying to figure something out.
I think it depends strongly what region hosts the Google office you get sent to!
> The person I was speaking with via a chat had no solutions to my problem

Disagree! Workarounds are solutions, just of varying quality for the long-term.

I have nothing to contribute to the discussion, but hoping this comment gets me some karma for when this actually gets implemented
It has been done before, via Twitter and slashdot, to get into Microsoft accounts.
Hey guys thanks so much for your response. I do believe 2 step was going but the hacker changed the details to his, wiped my phone and with it, my Google authenticator and presumably set it up on his phone! I'm completely locked from making any changes yet I can still see my emails and stuff but I can't change anything or verify myself. I did use the authenticator app plenty of times so I'm certain I had it set up. Although I'm starting to doubt myself now.... It's a nightmare!
You're not making sense. You need to slow down, calm down and write clearly and with more detail. Doubly so when communicating with Google Support staff.
She believes she had 2 factor because she used the app on her phone and would enter in codes. But her phone was remotely wiped (presumably by the attacker) and lost access to the authenticator. She can't verify that way anymore because the attacker took that tool away from her.

She is still logged into her account on the laptop, so she can see things, but can't make any changes (they require a password she no longer has since the attacker changed it). We saw what the attacker changed the recovery info to their email / phone as well. So recovery options aren't working. She is trying to pass their email/phone along to some form of law enforcement.

>> She is still logged into her account on the laptop, so she can see things, but can't make any changes

This doesn't make sense; the attacker changed all of her account information but didn't click "log out of all other locations"?

Bad actors make mistakes, too.
Sorry, I was in a panic , I have updated my situation in the comments , thank you
If you still have any devices that have your old data (cached, etc) it might be worth keeping them powered on but disconnected from the internet, so that they don't end up realizing they should no longer have access and delete what could be the last copy of your data that you can actually access.

Whatever you still have access to (again, from cache, existing browser that's still logged in, etc), start making backups - screenshots, etc.

I've backed up all my important things and emptied the account too, unfortunately it's probably too late as he may have downloaded all anyway as he used the Google takeout to get backup data. I'm not in that account at all now, after I backed up and emptied it, I factory reset my computer.
Try to use https://takeout.google.com/ to back up your account data.
We tried this, needed to validate your identity to get it. The hacker started it though, presumably to get all the data.
> I did use the authenticator app plenty of times so I'm certain I had it set up.

Then it would be been impossible to login. Did you use a password that was leaked? If yes - may be they logged in - and you would have got a 'notification' on your phone to allow them. And you perhaps said yes to that remote login.

This happened to me, I went through the google account recovery process and it was recovered. I was a victim of an on the air SIM jacking of my phone - which suddenly went dead. I had 2 factor enabled, but once the SIM was jacked they reset the account and used the phone to capture the code. My name is the same as an Ambassador - which I am not, I suspect that once they did not have a high profile Ambassadorial account they just ignored it as nothing was deleted (unless google recovery restored it to a prior state??)and after I went through the google account recovery process, google restored my account. After which I implemented a Fido token system. which you can buy. It works like this, but you better make sure you guard your token = lose it = screwed. https://fidoalliance.org/how-fido-works/ I also suggest you download your mail archive every month using the google download process.
I spoke to Google on the phone and via chat, they said there is nothing they can do, except walk me through the restore process, which is impossible, as the hacker has the restore email and number. Google says only the account holder can make changes, yet I can't and someone else can. They have hung me out to dry!!!
Honestly, your first problem you need to solve is getting back home. Google has no way to distinguish between an overseas hacker trying to get into your account vs your current situation. You currently have no way to prove your ownership.

So what I would suggest is to focus on getting home. If you have to borrow money from family or friends or whatever, that's what you do.

actually I'd get my bank accounts etc locked down. consider that everything tied to that email address is now vulnerable.

Go to your embassy, lock down your life and start a new account ENABLE 2FA. Use a decent password manger, dont reuse passwords.

Your post sounds like a textbook scam sob story in itself. I am sorry if it's actually true.
Maybe, but in that case wouldn't it be a better use of your time to click on the back button and move on to the next story? Nobody's asking you to unlock the account.
I can verify that it's true and it is a sad story. I've spent hours today trying to help her, I am hoping someone in this community can actually help because traditional processes are clearly failing her.
How do we know

A) You aren't part of the scam. (Including the possibility your HN account was stolen)

B) You haven't been fooled by the scammer as a first step.

For what it's worth my suggestion would be focus on getting home first (contact embassy) and then contact a lawyer to see if you can use the courts to force a resolution from Google.

A) What scam do you think is potentially going on here? Getting into a random gmail that the person controls the old phone connected to it and all the pictures on the account happen to be of them and their child? How can I prove I'm not part of some scam in your mind? I can't. I can't disprove a negative. I'm easily Googleable if you're worried about my HN account being compromised, can find half a dozen other ways to reach me if you look (Reddit, Twitter, Github, many emails, forums, etc), feel free to check in on me. You at some point have to either believe something or not. Short of publicly doxxing everything - which is generally frowned upon - and even I'm sure there still would be skeptics.

B) See A. This is a personal friend who I spent multiple hours on video chat trying to help her recover her digital effects and trying to get access back into her account fully and ownership of it.

She needs help reaching someone at Google / some authorities who can actually help. They can verify her information and story. They can see the email being reset to a BS gmail account with typos in it which looks like a phishing email. They can see her phone number was attached to the account. She has identification.

Alternatively maybe someone has dealt with this scenario before and knows ways people have recovered from this type of ordeal that know other avenues to help.

(comment deleted)
You shouldn't do it but your only decent chance (without knowing someone at google) of getting your account back is probably to pay the ransom though I suspect this person is probably more interested in fucking with people than making money so I don't think your chances are good.
This happened to a friend. His life was destroyed. The only person he could talk to was the FBI. They told him they get dozens of calls about this a week. On top of that, there's a exploit that allows anyone with a dot in their email to receieve any other person email it's been active for 19 years. Google doesn't care what so ever. Google has the worst infrastructure support. There probably needs to be regulation that if your a company making over 1B a year in revenue, you need to have a basic escalation procedure and human decency... or you can't make any tax deductions, and it claws back 10 years, and it applies to all share holders who own more than $1M in stock. Suddenly, they might answer the phone!
Not an exploit, it is intentional, and ironically, is a countermeasure against phishing.

We all dread the day our Gmail password stops working, but this is what we signed up for.

I know my gmail is safe, because I know that without the password, not even I can get into it.

This is by design.

> is a countermeasure against phishing

How can it prevent phishing?

Taking a guess - If your Gmail address is larrypage@gmail.com - it prevents someone creating a completely different Gmail address like - larry.page@gmail.com - and using it to impersonate that other account.

I think it's complete conjecture that it's meant to be some kind of anti-phishing method - the solution there is just removing the ability to create addresses with periods - but I guess this way has some kind of utility for users?

> there's a exploit that allows anyone with a dot in their email to receieve any other person email it's been active for 19 years

I'm not sure I follow? This isn't an exploit, but a feature of Gmail. It doesn't allow you to receive anyone else's email.

yeah, it just allows you to receive email from people who don't know their email address. I have my full name @gmail and constantly get folks who send stuff to first.last@gmail
Somehow there's a Google service (I am guessing mobile) that allow you to register firstl.ast@gmail or f.irstlast@gmail, and then they will both get each other's email. Fundamentally if you allow any account to be created with a dot and without a dot (two accounts), but filter out the dot in the email received, it will cause a problem. The dot is one to one with the account, but filtered out becomes one to many with the email. Nobody seems to notice this logical issue.
My understanding is…

John.Doe@gmail.com, JohnDoe@gmail.com and J.ohnDoe@gmail.com are not 3 different gmail accounts.

It’s one account with multiple dynamic aliases using the dot.

>Adding dots doesn't change your address, so dots aren't why you got someone else's mail. Instead, the sender probably mistyped or forgot the correct address.

From the link in the other comment in this thread

I received a few e-mails from Playstation/Sony recently that were intended to go to <firstnamelastname>@gmail.com but I received them at <firstname.lastname>@gmail.com.

I tried doing a password recovery of the account (to see what I could do to change the address, or contact Playstation) and found that on their end, firstnamelastname@gmail.com and firstname.lastname@gmail.com are treated differently:

Both gave the message that a reset e-mail had been sent. Only firstnamelastname@gmail.com caused me to receive an e-mail.

So Google (and other e-mail providers, like ProtonMail) ignore the dots, but it's possible that other companies don't ignore this.

Resolving the Playstation account required calling their support line for about 30 min, talking with an agent, and then replying to an e-mail generated specifying some information to confirm that I hold the e-mail account. They seem to already have the option for reporting misuse of an e-mail address.

I was a Google employee at the time, and wanted to login into an email with my first and last name@gmail.com. at the time I setup email forwarding so didn't have to login at all for years.

Anyway I couldn't remember the password, and their security requirements at the time was different from today (no recovery email, no verification etc). And as a good security practice they also put cool down periods for trying passwords too fast...

Filed for a support ticket, they told me nothing could be done because security of the account. I told them to send recovery info to the account in question (so that it would be forwarded to me), but they didn't. They also verifiably know who I am, and there was some amount of trust that it was my account.

I spent few hours of writing down passwords and copy pasting to find out. Eventually did.

This shit is nonsense.

Highly recommend using a password manager like 1password to avoid issues like this in the future (on top of other benefits).
Oh yeah, like i said this was a very old account I setup a long time ago that I didn't have to login since I set up the forwarding. Long ago was probably a decade or more.
Is it just me, or is anyone else also uneasy about using commercial, closed-source password manager? I'd literally be putting my life's savings in their hands.
I'd be nervous to keep using Lastpass. I'm not concerned about 1password under its current management.
Yes, same here. I only use offline, open source programs.
Sadly I don't think anyone here can really help you. If it was possible to "recover" an account that you didn't have access to then anyone could take over anyone else's account. In fact support agents are trained not to respond to "I'm stuck in another country without money please help me out" requests since they are one of the top entry points for scammers.

As others have said, go to your country's embassy. Helping stuck tourists like you is their top responsibility.

Once you are home file a police report and start the process outlined at https://www.identitytheft.gov/. Consider that Google account gone.

Sure there is. There has to be a Googler here with the necessary access and can just mediate with their support department, run a few "select * from mails" queries on their DB and use good judgement when asking the user to give info about the emails they know they have or have received. Heck, there should be some sort of PM/PO/Manager from Google here that should use this as a catalyst to have some sort of feature be built to solve this problem in some sort of risk-based approach.
> They then changed all my passwords, restore email, phone number ect to their own email and number,

Are you sure they changed your restore number? I just checked on my account and it doesn't seem to be possible. Even if it is possible to add another number, Google should still know your old number?

Old number is still listed in the account but the attacker put their number as the recovery email and phone (I guess there is a priority/default)
Keep trying to login and reset the password that will eventually lock the account. That’s my suggestion