Ask HN: How do I get my Google account back?
A couple of days back, after I logged in to my gmail account, a security message flashed that someone had logged into my account and I was prompted to change the password or confirm that it was me who logged in. This was during a time when I had to replace my fried router twice within the span of 2 days (one that I rented immediately from my internet service provider on the same day my router died and then with brand new router that I bought a day later). I presumed that the security message was because of new IP addresses that must have been assigned. While I was initially able to log in to my accounts after replacing both the routers, on subsequent logins, I started getting a message that google was not able to ascertain that the email accounts really belonged to me. I managed to use my recovery email on 2 of my accounts and was able to gain access. However, after I entered a recovery email on the email account that displayed the security alert, google refused to accept that the account belongs to me. I have had this account, where I have my whole digital life, ever since goggle offered one. Unfortunately I did not have a phone number associated with this account. My understanding is I would have been able to recover my account, If I had one.
Is there a way I can recover my account? I have started changing the email id’s at various business and agencies where I have used this Id. Is there anything else I need to do?
153 comments
[ 2.8 ms ] story [ 30.2 ms ] threadhttps://gmailaccountrecovery.blogspot.com
There's also a Google forum where you could ask:
https://support.google.com/accounts/community
This is not true, in my experience. Having a phone number verified and linked to the account as a recovery number may help, but it does not always mean that you’d be able to recover the account. I recently had trouble with one of my Gmail accounts where I successfully changed my password and linked a phone number, but it wouldn’t allow me to login again or allow me to go through the recovery process.
As more stories of such casualties come up, one can only hope that more people stop using Gmail (it seems to me that this is what Google really wants).
Good luck, and I hope you’re able to get back into your account and/or move to a reliable provider.
Only thing you can try is to use the same device and browser and this time, use your mobile internet to access it (if not done already). This might have 1% extra chance of success but there's no guarantee.
Google's AI (or the engineer's brain) has decided that logging in with new routers is only the job of a scammer or a terrorist, hence you're logged out permanently.
I've moved 90% of my life away from Google. Perhaps you can try that as well.
Email, I'm using the POP3 and SMTP servers of the registrars of my domains. They also have IMAP and a web interface but I'm fine to look at my mail with K9 on my phone, delete the cruft and download the messages I need. You probably want IMAP and web mail.
Photos, I sync to my laptop with Syncthing and then backup as any other file. It means that I can look at all my photos only on my laptop because I don't sync between mobile devices. Occasionally I'd like to show a picture so old that's not even on the microSD card I passed along phones but nobody really care, telling the circumstances is always good enough.
I think it would be better to come up with and popularize a phrase similar to "not your keys, not your coins". Maybe something along: "not your server, not your data" or "not your hard-drive, not your data".
please remember to not use google mail for the future, anything important should not be offloaded to yahoo google Microsoft.
What I would do now is concentrate on right now is buy a new comouter and phone, swap the sim card to it, shutdown all other connected devices, change my main password manager password, the login on each service / account I have in my password manager and change the password, email address and credit card number (get a new one from your bank asap). The point is that anyone who own my email account now cannot login to them or do some social engineering using recepts found in old emails. More often than not acccount recovery support ask you to verify your identity by asking you the last 2 to 4 numbers of your credit card numbers...very often the very same numbers that are left in clear text in receipt, you may still have some in your email history.
Once done, do an offline backups of your other computers and wipe them all as well and factory reset your original smartphone.
Start now and already call you boss to take a day off if needed it will probably take you more than a day if you have hundreds of accounts.
A best practice should be to unsubscribe to any automatic newsletter and delete all mail that relate to an account so that someone who compromise our accounts cannot figure out which service we consume based on our email history. This is better kept locally without staying on the email servers. Most people don't do that because they want their email archive accessible from any device out of conveniency.
I was stupid and used poor security which made it easier for this person (who was also probably using data from the Equifax leak for social engineering). But I wouldn't fault someone for erring on the side of paranoia.
Other tips on backups and phone/pc resets noted.
I assume you tried contacting Google's online support and got nowhere. Try writing Google a _physical_ letter. Maybe even make it registered mail. In your letter, ask them sternly to make either the account or a dump of its contents available to you. Explain that, since it is of extremely importance for your personal and professional life, they must understand you will use any legal means at your disposal to obtain the data associated with that account. Also consider mentioning this situation is damaging your personal or professional life.
This may or may not solicit a response. If it does, then good, you've probably succeeded (unless it's a "taking under advisement" response). If not, contact a lawyer and check whether you can legally force them to give you access to your information. IANAL, but it stands to reason that you may be able to - either at their expense or at yours.
---
And I too will join the advice given by others: *A Google account is not under your control.* It is read by others, and can be blocked by others. You must back-up your emails and other content, rather than relying on its availability via Google. I would go as far as recommending avoiding a Google account altogether (I do).
More importantly, though: I use POP3 and a proper mail client, so I don't rely on GMX for my old email to continue to exist. I also back it up one in a while along with my other personal file backups.
That should not cause your IP address to change. Either you have a static IP and always get that static IP assigned to your account (which you'd know as you'd likely pay for that). Or 'replacing the router' is just seen as 'connecting to the internet' from your ISP's point of view. So from Google's POV you're connecting from the regular region that your home connection always is from. I know it doesn't help, but I'm pretty sure whatever you're facing isn't because of your home router issues.
Just because you've lost access doesn't mean your gmail doesn't continue to receive emails, and if those emails are considered personal data, what stops you continuing to send data access requests to help yourself migrate?
What should be possible, though, is to migrate your account without access to your email. For example make the user save a special TOTP secret that will be used only for dangerous actions and not just for logging in.
It boggles my mind how people can have their entire life tied to this service and not connect a phone number, especially since google regularly warns you during login that this can happen if you don't add your number. They even ask to confirm every now and then in case your number changed and you forgot to update it. If you're worried about giving them your number for data privacy reasons, you should not have used their service for your whole life's activities anyway.
It might sound rude, but people have to learn a thing: only things you really own are yours, the rest might be there or not, might be good or bad, but it remain something ephemeral, not to be trusted for anything. And that's why we MUST stop connected-devices to fill our life from cars to home doors: we do not really own them and we should.
To be clear, 2FA != account recovery.
I only used that account for communicating with one friend, [our mail hosts were blocking each other in some kind of spam war tit-for-tat] now deceased, so it was no great loss to lose the account, but rather annoying that they pretend harvesting phone numbers is some type of "authentication."
SIM-swaps are easy but do not scale. This means that they don't actually affect a lot of people. The improvement in security posture from SMS 2FA to TOTP is actually fairly small, because both lose to phishing and phishing is orders of magnitude more common that SIM-swaps or malware that steals SMS codes.
As a solo recovery option, it is indeed a more meaningful risk. But we also observe that people just lose their accounts all the time if they don't have a phone-based recovery option so I do understand why the option is offered.
"Because I've been warned by security conscious people never to use phone number as a 2FA because it's so insecure, and using it as a recovery option seems to create an even weaker link.". I happened to read so many articles in the recent past of SIM Swapping, that I was afraid to use my cellphone number as 2FA and removed it from my gmail account. What with Google being evil and all
Sadly you read only one part of the warning from security conscious people. The main part is to get U2F/FIDO key or use QR-code/authenticator. The same security conscious people use Fdroid/AndOTP where you can export all your 2FA codes.
There NO reason to say if I shatter my phone. Yes, you can also print recovery codes and keep it at home.
Select forgot password; the it asks Insert U2F Key. Then recovered. Yes, it may be that if one loses U2F key in Metro it is dangerous but some risk is always there. (i.e) how many times have you lost your key in your life? If more than one per year then keep one U2F at work and one at home.
Literally, you are giving your account to the phone company.
I'm more convinced by the printed security codes. I have encrypted copies in several storage providers, and that includes publicly-accessible copies. I have a copy in my safe, I have some in my family's safe in a different country. No phone company involved.
I use both Authy and Bitwarden
Its the same with your address, what if your landlord randomly decides to kick you or your house burns down? Where I live my mobile number is very secure and will not change until I fuck up very hard. And in this case I have multiple other backups (printed codes, rescue number).
Not the same at all, you can just go to the post office and file a forwarding address and all is well.
Phone numbers are very ephemeral. I have many phone numbers associted with many older accounts, like one from an office phone from a company that doesn't even exist anymore. Learning from those lessons, I go out of my way to never associate a phone number with anything anymore, it's just asking for future pain.
Now I use paid email services.
It's a similar story with the "recovery email address" they let you add to your account. You'd expect that if you have access to that recovery email you'd be able to gain access but no, there are cases where Google refuses to send any recovery email because "we can't verify this account belongs to you at this time" so no recovery email for you.
This would all be fine if they didn't enforce we have to have 2FA enabled and then refuse to provide support even when you're a paid up member. [1]
[1]: https://news.ycombinator.com/item?id=31073302
We need a federal law that two factor authencation needs to work on landlines.
The technology is there. It's not expensive either.
PS stop validating their top-down model by referring to SMS nags as "2FA". It's snake oil for the corporate motive of demanding identifying information.
All of this is so that they can mine phone numbers for older accounts. Now they require a phone number by default.
It makes sense to add a way to recover access to your account if you fear that you may forget your password. It makes no sense to give google your phone number just in case they may out of nowhere decide that you look suspicious (for using firefox? moving to another country? something else?) and reject authenticating you despite being able to enter your password correctly.
"you should not have used their service for your whole life's activities anyway"
You should not do that in general as Google is extremely unreliable. I had given them my phone number for my account but this did not help. I posted about it at https://news.ycombinator.com/item?id=30544030 a few months ago.
Why should the reason you need to recover the account matter?
If the account is important to you, wouldn't losing it be equally bad regardless of whether you lost it because you forgot your password or you lost it because Google did something annoying?
If Google actually gave options to its users instead of babying them and pressuring them to give up all their personal info (like EVERY OTHER EMAIL PROVIDER), this would not have been a problem. Google clearly cannot be trusted with anything of value.
This is blaming the victim instead of the ham-fisted limitations imposed by google.
There is no justifiable reason for google (or any of the cloud companies) to be imposing their arbitrary account locks on users.
I should be able to configure my gmail account with a setting that says never ever require anything other than my password to access it, because I know my password is strong and well protected. I don't want any of these misbehaving AI detections locking up my account for reasons that I don't want.
If someone else want to configure their account with these trip hazards, more power to them, but it's not ok for these cloud companies to impose it.
Another reason why I mostly self-host everything, but for less technical people who are not able to do so it's a huge problem. Let's not blame the victim.
It was amazing back in the 00's, but now it just seems toxic. Every service and such.
Apologies I can't provide any assistance to OP, but in the future you can setup one time codes to get back into your google account. They give you a print out of 10 codes which, optimally should last the lifetime of your account unless reset.
Google might have something similar too.
1. Verify if your router or router software that you installed in your PC is doing something fishy.
2. As long as you have a browser window with cookies - even new IP address should NOT matter. It should allow you. I am almost always working in cafes with different IPs it - just works.
3. Please please verify your recovery email ID. Some times I have made the mistake of typing first.last@ instead of without dots. Send an email to your recovery ID to test.
Please get a 2FA U2F token.
2. I use firefox with cookie cleaner add-on that clears cookies the second I close the tab.
3. I have a paper copy of the account details and I am 100% sure of my recovery email. I got a Yubi key recently and plan to use that and authenticators on all my accounts.
3. At the end U2F is the proper solution, albeit late!
This WILL happen to you. Get your own domain and set up email through it ASAP. Use some free one, use a paid one (I like fastmail), but get it done now. Then migrate all your accounts to it.
Is there ANY other provider that does spam filtering that actually works? I tried Fastmail, but I receive so much spam (>600 per day vs. ~20 non-spam per day) that only Gmail's spam filtering is good enough. I've tried others (like Fastmail) and typically ~50/day get through their spam filters, vs. at Gmail where on a typical day 1-2 get through.
(Why do I get so much spam? Because I've been using the same email address, never hiding it at all even on Usenet, for 25 years.)
I would pay a lot of money - like I'd be willing to pay 4x what Fastmail charges - to get off Gmail, but apparently nobody else can do spam filtering.
[0]: https://www.fastmail.help/hc/en-us/articles/1500000278142
Then start setting up unique email addresses for each service, e.g. ycombinator.com-abcd@yourdomain.com . The "abcd" part should be random for each service so it's impossible to guess your other email addresses.
I also use yearly throwaway addresses, e.g. 2022abcd@yourdomain.com, for when I need an email address without having the means to create a new alias first. (I then change that later.)
Should spam starting to appear, you'll know exactly which service "got hacked" (i.e. sold your email address) and can just disable that alias and create one with different random letters. Also when deleting an account somewhere, just also delete the alias and you won't get any mails about signing up again.
It takes a bit of discipline but it gives you lots of control over your inbox.
Fastmail works great for me. I do not miss any emails as junk nor do i get any junk in my inbox because of using the methods explained in the link above.
Controlling your own email address is the way to go. It takes consistent effort to migrate but worth it when it is done.
After that it was getting about 5% false-positive (so 1 in 20 real emails went to spam) and about 3% false-negative. For me, 3% false negative means 25 spams to inbox a day.
Gmail gives me about 0.5% false positive (1 in 200) and 0.01% false negatives.
I've had my same email for about as long as you (maybe 1-2 years more), never hiding it at all including Usenet.
> I really really want to do this but am stuck on Gmail because of their spam filtering.
gmail spam filtering isn't very good. Lots of false positives which is far worse than the occasional false negative. I have a gmail-hosted account for work and it's very annoying.
I host my own email infrastructure and spam isn't a problem. With a bayesian filter trained on my content, I rarely see any spam. Maybe like 1-2 per month? I don't keep track, it's very rare. And no false positives ever.
I suppose NameCheap and friends may be less likely to irrevocably lock you out than Google. And perhaps even if you are "locked out", your ownership of the domain will expire and then you can just buy it again from another registry... So perhaps you're right, but I wonder if there are any other reasons or caveats.
Unfortunately this is very long but this has saved my butt countless times.
Everyone hates it, but it'll be better to know these definitions. TLD means top-level domain, the .com on ycombinator.com. Registry means the company operating the specific TLD, for example Verisign operates .com and .net. Registrar are those that handle registration, like Namecheap. Registrant is you or your company. gTLD are "generic" TLDs, .com, .net, and even those newfangled ones like .xyz and .dev. ccTLDs are two-letter (exceptions apply) TLDs attached to a sovereign nation or territory (like .uk for UK and .gg for Guernsey, a UK dependency), and from time-to-time includes (all US) .gov, .mil and .edu. For the purposes of this discussion, TLDs like .wales and .scot are gTLDs and not ccTLDs, but there are IDN ccTLDs like .рф and .中国. .int is a special TLD not generally considered as gTLD nor a ccTLD, and .arpa is a special technical TLD for internet maintenance. ICANN generally has jurisdiction over gTLDs, countries (usually governments or independent organisations int that country) control ccTLDs.
First: use only a registrar listed on ICANN: https://www.icann.org/en/accredited-registrars, preferably one that those clearly has presence in your country of citizenship/residence. Domain resellers (without ICANN accreditation) go bust nearly everyday and recourse is hard if you decide to go to a reseller, but an ICANN-accredited registrar is required to send who owns their domain to a trusted independent ICANN-approved third party (formally called an escrow, usually DENIC unless you're in China then it's CNNIC). This is not applicable to ccTLDs, especially those with restricted registration (like .cn, .kr and .jp), but ICANN accreditation means that they have a baseline to follow. This will only work if you provide complete and accurate WHOIS information, but if you're using a registrar which has a privacy service the information sent to the escrow is the real contact info and not the one that's redacted at your WHOIS. If you decline to provide real information unfortunately you have no recourse if something bad happens as it relies on you being contacted, even if it's through postal service.
Second: are your registrar accredited by the specific registry? For .com, .net, .name and some others, Verisign is the registry (the one operating the specific TLD): https://www.verisign.com/en_US/domain-names/domain-registrar..., and for .org it's https://thenew.org/org-people/work-with-us/find-a-registrar/. Newfangled gTLDs are required to serve a page at nic.tld (like https://nic.xyz or https://nic.dev). Unfortunately, it's hard to find who is the registry for your ccTLDs. Wikipedia might help though, for example .uk has information here: https://en.wikipedia.org/wiki/%2Euk and for .gg here: https://en.wikipedia.org/wiki/%2Egg.
Third: if considering a ccTLD, only use a one connected to your citizenship or residence, unless you treat it as disposable. I'm not kidding here. If you're using .io, prepare to migrate due to this: duskwuff ↗ > ccTLDs are two-letter (exceptions apply) zinekeller ↗ > ccTLDs are two letters by definition
ccTLDs are two letters by definition. Other geographic TLDs like .cat, .wales, or .london are not ccTLDs.
.gov, .mil, and .edu are not considered ccTLDs or gTLDs. They're technically in another category entirely: "sponsored TLDs".
> First: use only a registrar listed on ICANN […] Second: are your registrar accredited by the specific registry?
Both of these are guaranteed to be true by the governance structure of gTLD domain registries -- a gTLD registry cannot provide services to registrars which don't have accreditation.
> Domain resellers (without ICANN accreditation) go bust nearly everyday and recourse is hard if you decide to go to a reseller
This is not true. Resellers can "go bust", but the registrar of record (that is, the "real" registrar that's being resold) has the customer's contact information and can continue to offer registration services. In fact, they're obligated to do so.
You forgot IDN ccTLDs that are indeed not two letters.
Aren't there predatory rent-seeking companies that camp domain expiration lists, buy them all, and then hold them ransom for tens of thousands of dollars or more?
I hope someone at Google takes a look at this and uses their internal tool to help OP.
That said, this oft repeated story is one of the most compelling reasons why I think Google alternatives (like the one we're building) will catch on in the mainstream population. Not privacy. But the fact that we offer human support, whilst Google doesn't.
(at the end, people will complain at both ends - some want convenience and do not care if companies see data. Others want total encryption and do not care if lost.
> Data security is very important to ente, whether that is your personal information or any other data. That is why we publish our client-side browser and mobile app software and why we have provided information in this Policy on collection and storage of all data whether or not it is personal information.
How does this prove Data security?
> And what is this: our architecture has been reviewed by cryptographers and engineers from IBM Research, ETH Zurich, IIT Delhi, Google, Facebook, Amazon, Microsoft, ...
Any white-paper?
You're right, that by itself doesn't prove data security. But what we try to do is follow the example of other privacy-first Google alternatives like DDG, Signal, and try to structure our organization/processes/code in a similar way.
> Any white-paper?
https://ente.io/architecture/
Not quite a white paper, but I feel https://ente.io/architecture/ covers the practical aspects of what we do in a human readable way (we wanted this page to be understandable by people with a non-cryptographic background, I'm just mentioning the intended audience, a few of our customers have reached out to us and have mentioned they found it useful too).
There will be a point that your service will simply have too many users to handle all of their requests in a satisfactory way.
If you disagree I'm interested why you think y'all can make it differently.
I'm sure we (if not us specifically, some other project like us) can do better.
If it is economically viable at small scale why wouldn't it be more so at a larger scale?
Google thinks their algorithms for suspicious activity is more important than their users data. Just removing access altogether.
Well, because of scaling. Let's say 1% of your users create a support request every month (no idea if this is way too high or too low). Trying to KISS.
If your service has 1000 users, that makes 10 support requests per month. One person can handle them alone, probably.
Google Drive alone has 1b users, but let's cut that by 50%, after all this is the number which Google reports themselves. Still, with half a biillion users you would suddenly receive 50 million requests. Let's be even more generous and say that these requests are opened over the span over a year, not month. That's still 4.5 million support requests per month.
Don't even know if my calculations serve any purpose, what I am trying to say is that the amount of users and support staff your service needs do not scale 1:1. At a certain point(no idea what the cut-off is) your service will create so many requests that it will become impossible to handle them all with care and humans. To add to this, the more users your service has, the bigger your infrastructure has to be, meaning that you need more people maintaining this infrastructure.
Maybe I am to pessimistic or whatever, could be. Just my 2cts.
https://knowyourmeme.com/memes/thats-the-neat-part-you-dont
(couldn't resist. Sorry)
Google lost my trust for anything more than a random account I need (Google makes you need) for using an android device when years ago they made me provide a DOB, and I misstyped it putting the current year instead of my birth year in.
Next thing I know my account was locked because I was too young to have one. At the time I was able to contact them but had to provide ID and confirm a credit card for age verification. I reluctantly did this because at the time I had important stuff in that account. After that I moved anything critical to a trustworthy service that isn't selling my data to advertiser and shut the account down.
I'm glad I did because things have got worse since. Now I don't use any Google service, with a few exceptions.
Please, for fuck's sake. Stay on the topic.
Buy a custom domain, and use that for your important email this way you can never be locked out of your email....