Tell HN: Locked out of Gmail account even after right password, recovery email
My mom got locked out of her 10yr gmail account. She doesn't have access to the phone number she added for 2FA. This is after she has the right password and also has access to the recovery email.
This basically locked her out of her whole online life because for all other social accounts she uses sign in with Google.
There is no human support, and their support website says if you cannot recover the account, create a new one.
318 comments
[ 3.1 ms ] story [ 282 ms ] threadHow about if somebody can't afford and don't want to use Apple? Just not use smartphones? We're at the point where government services (at least here in EU) require you to use smartphone unless you provide written document that for some reason you are unable to.
I've always been "don't like it don't use it" guy and that's a clear and simple argument but it doesn't work in the context of where we are currently. Just the fact that govs and banks only provide you google play services and app store apps which they often require you to use is enough of a problem.
However I have been using the same mail hoster without troubles for the past 10 years.
I've certainly had nerve racking moments where my login has been flagged as unusual and I wasn't sure if it would let me in (and I'm completely locked out of my childhood account though it's not been used in over 10 years)
It's a good feature for those with the password "password" but if you've used a strong single use password it just gets in the way
Whenever these posts hit HN there is some people going "well if they don't do this then a lot of accounts will get hacked" - fine! Fucking make my account vulnerable if I want it to, the chances I get hacked are probably still 10x lower than getting locked out by Google's shit AI crap "protecting" accounts. And well if it does happen, those same people can at least have their "told you so" moment. Fucking bullshit.
If I get hacked, it's on me. Google can even add a "you can't sue us for damages" clause in their Terms (which they probably already have) - just don't lock me out of my own freaking account.
In Canada, banks have this for things like e-transfers and preventing suspicious transactions. However, when people acknowledge the warnings and still go ahead anyway, they cry bloody murder and the bank ends up refunding people for fraudulent activity the people explicitly authorized after being warned.
2FA is a great thing and I think everyone should use it.
With that said, I don't want 2FA on my alternate/testing/dev accounts. I simply don't want demo accounts linked to my phone number. I'd like to opt-out of "standard security" (MFA) and accept the risks on non-primary accounts.
I had a similar story with my own accounts.
It's just lost forever, luckily I had many others, and didn't associate my whole life to any single account or provider, nor used social sign in, so it was not life altering, just a bit of work.
But selfishly, I hope those kind of story get published more and more so that people finally realized that what we told them not to do the for the last 20 years was not just for the sake of it.
People don't listen to preventive talks. We see that with cyber security, climate change, and so on.
They only start to move when they get hurt.
I wished people would have listened to us when we advised not to give everything to GAFAM, not to put everything online, and not everything on one provider. And certainly not to trust them with being on your side.
So they wouldn't have to get hurt.
But this is not how we, as a specie, learn. We need to get hurt.
So make sure a lot of people know about this. Not just in the hope to get the account back, but because maybe more people will listen this time.
For Facebook, I’m currently completely locked out. I have the right username and password, but the email accounts I used to create the Facebook account are disabled now, being university accounts.
At one point, Facebook wanted my credit card or driver’s license as proof to tenable the account, which I wasn’t comfortable with. Then it got paired down to three randomly chosen connections that I needed to contact outside of Facebook. Once chosen by Facebook, these contacts cannot be changed. For me, it included a deceased person and two people I haven't even seen since high school. Now, it just wants to validate the email addresses with no other options.
So now what? Nothing in my control ever went wrong. I know my account, I am the person, and I have the username and password. It would be nice to be able to just call a number with a human on the other line to verify that it is me.
We've entered the era of "death by scale". We and the government allow these companies to treat customers and people as statistical entities. They don't give a shit if their products either flat out don't work or ruin a customer's life for "only" x percent if x is small enough.
For gmail, have several addresses, with redirections to each others, use imap, don't use social sign it.
I also never use social sign in for anything other than using my GitHub account for certain things.
I rarely needed to ask for support, but every time FastMail response was by an actual humans, not by a tincans.
Do people use custom domain names to get around the fact of switching email providers? Aren’t there rejection/filter issues when using custom domain names?
I agree that in b), it sucks that once chosen, the 3 people cannot be change (although I kinda see the security angle of it), but what else would you want Facebook to do if you lost access to your email?
I don't understand why it can't just ask me questions about my account. It's not like I'm resetting my password. It was Facebook that randomly decided it needs to send an email, something it never did for the longest time.
And if FB stole it, congrats, you are rich off the settlement.
You don't need to host the email servers yourself. Many email hosting services will let you use our own domain with them.
If you want to use an email hosting service that does not directly support using your own domain, many domain registrars include free email forwarding so you can forward mail sent to your domain to your address at your email host, although there might be problems with sending from your domain if you use the forwarding approach [note 1].
It might at first seem that this is just pushing the problem back a little. Instead of the problem being losing your account at a mail hosting service like Gmail, you now have to worry about losing your domain.
The big difference is that a domain registration is a lot more passive. With a Gmail or other mail hosting account it is something you are actively using. Content you generate goes through it. Content other people generate goes through it to you. That gives all kinds of opportunities to trigger false positives on their automated anti-abuse systems.
With a domain you register it and designate name servers and periodically pay to keep it from expiring. Most registrars include basic name service so you don't have to deal with finding a name service provider. Once you've set up name service to designate your email host as handling your domain, or set up forwarding if that's what you are doing, you pretty much don't have to touch anything there and content to/from you doesn't go through those systems so there is simply much less opportunity for something to trigger some sort of automated anti-abuse systems.
Pick you domain and registrar carefully. Don't pick a domain name that is close to some trademark. Pick a top level of .com or .net or maybe your country's top level if you are going to want to send email from that domain [note 2]. Pick a registrar that is not in some country likely to do things that get your country to put sanctions on it.
[note 1] You might not have enough control over the headers on outgoing mail to be able to send a mail that doesn't look like a forgery attempt. For email addresses that you will just need for receiving things the forward approach should be fine, which will cover email needed for account recovery in most cases.
[note 2] The newer top level domains that are available for general use have been pounced upon by large numbers of spammers, to the point that having an email address in them can make it very difficult to get through spam filters. Spammers are all over .com and .net too of course, but that's also where most of the non-spammers are too. With the newer top levels the spammers jump on in large numbers from the start and so from the point of view of a random email receiver those domains are mostly spam.
Although, I have not used any of my domains with email services.
I've seen a lot of mention of Gandi on HN, mostly favorable.
You had multiple reasonable options to recover, declined them and now complain that "Nothing in my control ever went wrong". This annoys me so much
TLDR: I actually recovered my old university email address, and Facebook refuses to send a code to that email and has now removed it as an option.
For most users, it’s not a bit of work, but a life changer (as in this case, right). Most sites only allow G and f SSI, and that’s it. Quick registration is a killer feature and it’s a shame that it is not a part of the tech stack at much lower level than google/site integration. It’s almost 20 years of mass-internet and it still sucks at account registration.
Alternative idea: If you're really desperate, you could even try to dig up the phone number owner's address and show up at their door or something and explain it that way. (Note I'm not recommending these per se; I'm just pointing out what's possible. Obviously be very careful to consider everything before doing such a thing.)
If not, another one I was thinking was asking them to meet at their local police department and looping in an officer into the story or something. Different things work for different folks so they'd have to get creative to find the right solution.
Oh wait, I believe these are called notary offices in meatspace!
(tangent: at some point I thought that maybe notaries could sign one's PGP key instead of relying on rare/non-existent signing parties)
Just add sneaking into their bedroom at night to grab their phone.
Raiders of the lost GMAIL-(Account).
that's what the green bubbles are for
Just kidding - but seriously this has been done before and your advice is sound.
It is a super bad idea for anyone to give out 2FA codes, they could easily found your email associated with a specific number from a security leak and attempt to steal it.
You'd trust the current owner of the phone number to be honest (because you are contacting them), not the other way around.
Or pay a hacker to do a sim swap.
SMS 2FA is ridiculous
You could just block access and say "come back in 28 days". In the meantime, warning SMS and email messages could be sent to the account contact alerting them of a possible takeover attempt with a link to disavow the attempt.
Banks dont permanently lock you out of your account/card if you forget the PIN.
Basically (& sadly), you're comparing blueberry waffles to the moon. I blame the English usage of "account" for both situations, even though there's very little similarity between a bank "account" and a Gmail "account".
Or is this situation basically "there should be a cure for cancer...but since there is not, here are a whole bunch of laborious things which you need to seriously consider doing, to reduce your risk of dying from cancer..."?
People are trusted with their own keys to their apartments, cars and houses.
Will we ever trust people with their own keys to their social life?
WAIT
As an alternative, I read that other people print their password list from time to time, and put it in their actual safe or a bank's deposit box.
>She doesn't have access to the phone number she added for 2FA
Disclosure: I work at Google but not on anything related to this.
Anything that would get Google to update the 2FA phone number.
When I got locked out of my account I wrote (in pen and paper) to their GDPR team saying essentially "You don't have to give me my account back, but you do have to give me a dump of my emails".
After some back and forth (they told me to use Google Checkout, which I couldn't access because I was locked out) they decided that giving me the account back was easier, and they did.
Unfortunately I have seen similar and they never recovered access. It is just lost to the void that is Google support for their free services.
Yes I know it is the risk you run using a free service but I feel there should be some official process for a real human to get involved to get the account back. As you say you can lose access to your whole damn world these days.
It is crazy we have so many protections for your account getting hacked yet absolutely nothing to recover the same account should some automated system determine you are not you.
That is being very pedantic though as to OPs mother (and the vast majority) Gmail and the related Google services were 'free' in that she didn't enter her credit card details and pay a monthly/yearly fee like she does with Netflix.
Not having support for customers you make money on is despicable.
I fully agree with you there is an agreement that the user gets Gmail (or Google service) at zero monetary cost in exchange for them showing you ads and using your data however they see fit. And you can argue if that is 'free' or not but to the vast majority they see these things as free, rightly or wrongly.
Is 'free' the wrong adjective? Perhaps but it is what is used for a non-paid service.
> Not having support for customers you make money on is despicable.
I agree. Like I said it is crazy there is no real support process to get your account back when there are a lot of processes to keep your account safe.
If "no", is there good reason to believe that Google could manage to do that?
If "no", would it be okay for Google (a for-profit company, not a charity) to discontinue free GMail service (presumably with some warning, etc.), because it was not a viable business to be in?
Microsoft also offers chat support for outlook.com
I have not tried the support from microsoft but apple support have been helpful when I had a relative with problems accessing their account. That was not for a paid icloud account.
(Yes, I am familiar with the "nobody ever fired for buying IBM" aura that usually surrounds Google):
I'm not storing cookies when using GMail and at a time I regularly got those suspicious login type messages when the browser updated to a new version. At one point I had to click a link in the recovery email and enter the month when the account was created. Pretty much guessed several times until nothing worked. Tried again a day or a few later and got in again.
Sounds exactly like what someone named waitforit would say
Seriously?! Who comes up with these security questions? This is such a useless question, on the one hand it's insecure because it is a 1/12 chance of guessing right, but also who remembers what month they created an email account? I would venture a guess most people here couldn't even get the year right (I certainly couldn't). Seems the question is only useful to lock out the legitimate owner.
IIRC, they require both month and year, so there'd be a bit more guesswork involved. I added the exact creation date for all my Google accounts to my password manager when I learned about this verification method.
In another, non-Google case, Apple once demanded that I provide the answers to challenge questions for an account I didn't use often even though I had my username and password correct. To me, the challenge questions are something that should only ever be used to verify in the case that I don't know my password, and it took me three days of trying against the rate limit to get enough tries to figure out the spelling of the answer for one of my questions. What made it really ridiculous is that the only reason this account existed was to give me access to developer account that was actively billing my credit card that I couldn't access... at least with Apple there was a customer service representative who was willing to try to figure something out as they agreed that it was ridiculous that I was paying money for something I couldn't even log in to cancel (though she wasn't sure if she could actually do anything...).
Maybe hugely insecure but I enable google authenticator then put that recovery code and key everywhere I can.
Anyway, it's not possible to configure 2FA in the way we want. The Google prompts configuration says "To turn off Google prompts on a device, sign out of your Google Account on that device."
There's no way to enforce the Authenticator. Not even make it default.
For now I have removed every android I could from their logged-in-devices page and hope that suffices.
https://support.google.com/accounts/answer/7299973?hl=en
You can also add multiple phone numbers, I got two just in case I loose one for some reason. Like if I loose my mobile, I'd need to sign in to google to locate it and I can use another number (my wife) to get 2FA code. And I have authy with my google 2FA by default, you can have multiple devices as well.
Also worth a try is to pay for Google One. Rumor on the streets says that paid members have a better chance at bending the ear of a human customer service representative. It may be worth the extra few bucks per year.
2 years ago, I tried logging into the account, and google told me I needed to verify an SMS message due to logging in from a new location (I had logged into this account from Canada before).
I tried calling the old phone number, but it's disconnected. So unless I want to move back to the U.S. to try to get that same phone number again, I probably won't be able to access this account until someone gets that phone number, and I manage to talk them into passing along the authentication message
Once you are the dominant provider of something that is nearing life-essential utility status, you should provide support and escalation routes, and you should be accountable.
Here is an EU article warning about it.
[0]: https://www.enisa.europa.eu/publications/countering-sim-swap...
[1]: https://de.wikipedia.org/wiki/SIM-Swapping
This probably doesn't prevent SIM swapping entirely, but you will need to also steal the other SIM card you're swapping the number to.
A phone number used for this purpose would definitely identify a person, and so qualify as personal information.
Yes
Article 22 of the GDPR. Essentially it sates that if automated decision making occurs, you must be able to appeal to a human.
https://www.gdpr-toolkit.co.uk/individuals-rights/the-rights...
This is aside from common law, which might give some protection in that entities managing your goods (and maybe your data?), even voluntarily, have a have a duty of care to keep them safe.
...Only to find that you can't transfer ownership of a Google Doc from a Gmail account to a Workspace account because "security."
So at this point we have docs scattered across all kinds of Google accounts and domains which is the least secure thing I could imagine, great job Google.
100% in support of regulating the pants off of this company as well as evaluating alternatives to them.
But are you sure about this problem? If you create Shared drives in a Google workspace, they take ownership of anything I move into it (after dismissing a warninge explaining what will happen), even if I take files in folders shared to me from someone else's gmail account
(The ownership model of drive was indeed terrible before they implemented the shared/team drives.)
But in essence: Share the files, make a copy once shared, delete the shared file and only the copy exists.
Better though: Don't use Google Drive for business critical docs if you're not a very high spend Google customer able to talk with an account manager. If you're a small/hobby user or individual, keep critical docs offline as well as online. Just consider it part of your business continuity plan.
I'm not saying Google is great: what I'm saying is that once you pay even for the smallest business suite, you get to get actual people on the phone who are there to help you.
I set up a business account in one country and then moved to another country. Several years later I need to re-enter credit card info. It doesn't let me now because my billing address is now from a different country. Google's only solution? Create a new google account.
Right now Google is not asking information that would allow them to really verify my identity. Not sure if people would like Google to start demanding that kind of information, like personal identity code (for countries where it is available), passport numbers, home addresses etc.
Without strong identity checks, the system is prone to fraud. Black hats can either social e engineer their way around the support agents or use leaked personal data to impersonate people to gain access to their accounts.
Once it will be understood, losing xx-years accounts wouldn't be a problem.
I know this is controversial idea, but the more I see cases like that, the more I am sure about it
Problem is the "society" around us (for lack of a better word) treats IT services as something reliable, see how more and more countries go digital/electronic only when it comes to payments or relationship with the government.
Until everyone can agree on a better system, your e-mail is your online identity across countless websites. This makes losing your e-mail (with no customer support to regain access) a huge vulnerability in everyone's personal life.
I would go even further and demand regulators to define standards to enable migration or self hosting.
I have a google account made in 2004 (it is nearly 18 years old) and some time ago youtube started to ask me to verify my age by sending my ID or using a credit card.
I think it was a "bug" on their side, since a google search showed a lot of other people complaining about this -> verify your age.. on a 15+ year old youtube account.
Why can't they offer identity verification as an option? It's not exactly difficult to do technically.
How to do this exactly? Do you want Google to be proving who people are by fingerprints, irises? Google has never gotten into this business. There would be so many issues. And is collecting biometric info an absolute bulletproof way to verify identity? And doesn't have pitfalls compared to current system?
Then how about just ID documents? Who would provide the locations to verify these documents? How many hundreds of types of documents would be suitable to prove identity? And thousands of locations would be necessary to serve everyone. Would they be honest / absolutely trustworthy?
Do you know how many people out there are waiting to try impersonating people by forging documents, given the money at stake, and how many outlets (that you'd have to employ as verification agents) would be susceptible to corruption to defraud people who'd relied on these documents as proof of their identity (and keys to their online accounts)? If you register with an identity document, and that becomes your method of proof, what if someone located in another country asserts that they're you with some different form of a document that says your name on it?
It's extremely complicated.
The fact is that Google is already in the business of authenticating identities and actually does so in circumstances where the law compels them to, but they have deemed it too expensive to do so in the context of recovering accounts, where they remain uncompelled.
As it stands, the GDPR compels Google to make a meaningful attempt to authenticate whether you are the legitimate account holder when you submit an SAR or Data Deletion Request. But, Google, under no circumstances will attempt to identify you if you fail or are deemed ineligible for their automated account recovery process, unless you are eligible for their "In cases of nepotism or media pressure" emergency account recovery procedure.
Your email is not your identity, and your particular email address is not a right. If Google has made available options to secure your email address, what exactly are you entitled to compel Google to do that does not conflict with the security decisions they've also made to protect your account from fraud?
Google seems to disagree https://developers.google.com/identity/gsi/web
The fact is that these corporations are not innocently providing simple little services that users might occasion to use for a bit of time and then freely put down; they provide services that grant them at times more power than nation states over the lives of individuals who are completely powerless to respond. Given that they wield power over a service which is not optional for most of their "clients", whether or not they meant to (they meant to), they are providing a public good. And if they are unwilling to do so in a way that aligns with the values of the citizens of ostensibly democratic nations, then the citizens of those nations should vote to either compel them to offer their services in alignment with the public good or have their property and right to conduct business in that nation seized.
And whether or not many are aware of it, this would not represent a sea-change in policy for any Western government that I know of. This would simply be the very late, but reasonable extension of more than a century of well-established legal precedent that already exists. For example, in the United States, we call corporations that are regulated in such a manner "Public Utilities", in Germany they are called "Öffentliches Versorgungsunternehmen" and in France they are called "Entreprises de Services Publics" and in Spanish they are called "Empresas de Servicios Públicos"
If banks can do it I don't see why Google can't. For many people, getting locked out of a Google account where they hold all their photos, connect to people via email, have their purchased Android apps, etc. is not much better than getting locked out of a bank account (depends on how much money on the account, I guess, but in many cases this is so).
Whereas your google email is known to many. What happens if some one photoshops a ID and says it is you?
Further more how should the ID prove I am the owner for john.doe@gmail?
Solutions like yubikeys and passkeys theoretically solve this problem, but open other problems: not least what if you lose the key or the device that the passkey is stored on? Then you're no longer you as far as the authenticating party (Google in this case) is concerned. What's more, whoever stole your phone is you as far as they care, because that's all they have to say who is who.
Your devices should require further authentication (password/biometrics) but is that a guarantee? Could Google or anyone else really guarantee that any client device connecting to their service is unhackable, bearing in mind that many of their users may be on cheaply made and fully out-of-support Android devices or Windows XP?
It's a really hard problem to solve.
Google at least have your past IP addresses which should allow law enforcment to identify you (at least narrow the question down to a handful of people who could all be asked if they have a claim to the account unless you only ever accessed it from public networks). Doing all that detective work is not going to be cheap but right now you don't even have the option to pay for it if your online account is worth a lot to you.
If roaming charges were high because there wasn't enough competition in the market then that's what the EU should have tackled. Otherwise high prices will just move on to other items on our phone bills and the whole thing becomes a game of whack-a-mole that the best connected special interest groups will always win.
Governments should regulate to make sure that markets actually work and that everybody has basic rights such as getting access to their own data after proving who they are.
Really, the people that don't are rare.
The Instagram/TikTok feeds of 20-25 y/o are full of these lists of European cities you can visit in a weekend with a low budget.
See also: Erasmus.
The people who benefit most are those who cross a border to go to work, those with family in a different country, and normal people taking advantage of the unsustainably low prices of intra-EU flights. Not really rich people.
I think your post is in poor taste.
Regulation has gone swimmingly, especially when you consider that roaming charges were completely arbitrary. It costs a carrier functionally nothing to forward traffic to another carrier, eçept for whatever price that carrier has set arbitrarly. Regulation has given me a 25 Gb data cap when travelling, greatly increasing the quality of my vacations, allowing me access to information, safety tips and travel-oriented services as a tourist.
Sure, carriers have lost some income over this (not all, only on european travel) but they are massively profitable, and should be treated as a public utility already.
All of this falls apart if the goods/service is free... And one can't really argue Google is a monopoly with regards to email services (search and ads are quite separate).
So I doubt EU could do anything about it unless one uses paid services.
For example GDPR, right to be forgotten, cookie warnings etc show the EU is more than happy to pass regulations that impact ad-supported services.
The current regulations may be ineffective or poorly enforced - but it shows they're able and willing to pass laws.
Just because a service is free does not mean consumer protection and data protection laws (including GDPR) no longer apply.
Why would you think otherwise?
Closing that loop hole was valuable.
That was very true, but I think this is changing. Recent dealings with Facebook and the privacy regulations give some hope there.
> And one can't really argue Google is a monopoly with regards to email services
EU regulations do not care about monopolies. The main issue is abuse of dominant position, which Google definitely has. The mobile carriers is an appropriate comparison, I think. None of them has anything like a dominant position across the continent, but their collective behaviour was suboptimal and costly for the customers, which was a strong enough motivation for the EC to intervene. I can see a blanket regulation about the processes that need to be put in place to close or recover accounts. In the same way that these companies are required to have dedicated people for GDPR requests.
Also note that EU regulations are much less concerned about random customers than American laws. The EU framework is all about competition and how to preserve it, under the arguable belief that quantitatively increasing competition will benefit the final customers.
If you take deliverability to the average email account into account then they are not far from one.
It should also be noted that as soon as that regulation no longer applied (Brexit), high roaming charges were immediately brought back in to effect.
EU-style regulation works.
Rationale was that treating people from one EU country differently than from another was against the union. Imagine paying inter-state roaming in the US.
Companies will charge what they're allowed until either the market forces them to behave, or failing that, the government.
The only reliable alternative I see is requiring a government photo ID containing a permanent physical address on account creation. I wouldn’t want that, would you? And even then, some would manage to create impossible situations.
It sucks, really hard. No other way to paint it. I’m not arguing for Google here. Still, the user has responsibilities too. If you ignore an oil warning light on your car for too long, eventually the engine breaks.
The comparison falls flat though when you consider that you can pay money and get the car fixed and still have the car in the end.
The complaint is not "fix my self-inflicted problems for free for me", it is that there is no way to get anything fixed even if one is willing to pay and acknowledge it's one's own fault.
If this has happened (and I can think of a few other ways for this to all go wrong that involve less carelessness on the part of the account holder) it’s quite substantially more serious than having to pay to fix a car.
There are very real consequences to not having access to an e-mail account that reach far beyond the hassle of creating a new one. They reach far beyond even losing your current emails.
Google (and others) slick account creation funnels belie the seriousness of what you’re doing and the devastating consequences if anything goes wrong.
Regulation is needed urgently, but will only happen when enough famous-but-not-famous-enough-to-get-special-treatment people complain.
Given this requirement, free accounts will probably not be possible. If a person uses a free email account for critical transactions, what can one say? There’s a bigger issue here regarding our increasingly digital lives that needs more comprehensive change than regulation of some areas.
Paper mail delivery is guaranteed in most of the industrialized world, more or less. Email is increasingly used as an alternative but is entirely the recipients’ responsibility. Receiving paper mail costs nothing, that’s probably why so many people choose a free provider like Google.
Also, how would you solve the issue of identity verification in case a user loses means of access?
Google provides a way to "submit corrections", but there is no accountability, and these corrections might or might not get applied. In my case, they are sometimes applied: some phones will show the right location, and some will show the wrong one. Again, no accountability.
What solution could Google offer without creating a security backdoor? Google might not ever be sure as to the identity of the account holder.
Still mad about the lack of ability to provide proof of ownership, we had ample evidence which would have held up in court if required. But alas, google are worried about their immediate bottom line instead of their long term viability.
And if you work for government, please propose legislation which fixes these asshole ghost companies!
It certainly sucks, but in this case you lost your second factor, which is very different from the other flagged-as-suspicious-and-locked-out-permanently cases.
I fully sympathize and understand that the outcome is bad, but this is just a system working 100% as expected.
sucks because i have a bunch of memories locked in that account and can’t contact a human at FB.
Please check for me, because I'm in a similar situation but have been hesitant to try logging back in.
Might go do this now.