Ask HN: Help – Locked out of 10 years Gmail account
Due to the recent LastPass debacle, I decided to cycle my Gmail passwords. Boy that was a mistake!!
Gmail has decided that I can't log in with "just" my password. The new password is correct. It then asks me for my old password, which I put in correctly. Then it tells me I can't log in anyway. :(
Occasionally it will give me a QR code to scan. But I can't scan it on my phone, since my phone is logged out.
I can't log in to my recovery account, because (like a fool) I changed the passwords simultaneously. Now both are locked.
Somebody help! My account name is [redacted]@gmail.com (the recovery email should match my HN username). I'm locked out of a decade+ of correspondence, recovery, and historical data.
260 comments
[ 4.3 ms ] story [ 294 ms ] threadPlease let them know my recovery account (another gmail, FirstnameLastname) is also locked.
Edit: I'm back in to my recovery account!! Just enabled 2FA to avoid getting locked out again.
My main account is still locked, but it let me verify via my old password, new password, and recovery email code. The message says that they still need to verify more, but I should look for an email to login within 48 hours.
Fingers crossed!
Obviously I'm re-working my email solution as we speak... starting with backing up my Google data!
Lots of good recommendations in this thread. Learn from my mistakes. It can happen to you!!
This is definitely I (personally) wish we could do better, I feel embarrassed and very slightly partially responsible whenever I see our support failures making the front page of HN.
Edit: the closest solution is to try account recovery, which is what I was doing. :(
I don't want to "spam" the recovery form, since I suspect that will only make it worse.
Edit2: trying Gmail app and Google Authenticator now, to see if that makes a difference. Will update with progress.
Edit3: no dice. Gmail app just loops me to a message saying "Google couldn't verify that this account belongs to you." Clicking on Verify account just loops me back to the login. It doesn't even ask for my old password like before.
I feel sick to my stomach...
- Have you, by any chance, stored some google recovery codes somewhere ?
- Isn't there a "call me and read me a one-time six-figure code" option available in all the login/authenticate option Google provides ?
hope it helps
Trying to recover your account from your friend’s house in another country, or whatever, could be making it worse.
True, no mails no problems, it's a feature not a bug.
I used to think so when I used Gmail.
But switching to Fastmail, I no longer agree that it is "by far" the best. Now I think Gmail is only better by a slight margin, and this margin is so small that it does not justify the drawbacks: Potentially getting locked out with no recourse, certainly getting everything you receive scanned to deliver you the best possible ads, contribute to the email monopoly where the big players decide the protocols.
I find this opinion absurd. It is an e-mail client. Even if it did perform the tasks that an e-mail client needs to perform somewhat better than all other clients, the loss of autonomy makes it a terrible deal, even for non-technical users.
Are you in the EU? Google's DPO or your country's data protection authority might want to hear about it.
Are privacy guidelines in EU countries so well defined that they take terms such as "password for an online service" into their vocabulary?
Even though postfix brings me headaches sometimes, seeing issues people have with google seems as setting it up was a step in the right direction.
The spam filter just broke at some time in the last year. I get 1-2 obvious trash spam in my inbox every day. Literally things with a subject like "You _WON_ !! ** our give_away!"
It’s not just you. Their spam filtering has been broken in general for a while now. Not sure what’s going on. I wonder if the volume of spam has just hit some critical threshold where it costs too much to process every incoming message.
https://news.ycombinator.com/item?id=31782952
I wanted to switch from Google few times (always postponed it to a "next time"), but reading this today I realized how devastating it would be to get locked out. So in the next few days I will move away from Gmail.
This way there is little possibility of somehow being labeled as fraudulent.
A few months later it suddenly worked again, and I seized that opportunity to move permanently away from gmail. I was lucky. I do not want my access to my online identity to be governed by luck, however, so really advise anyone who will listen to make the move before this kind of sob story happens to them.
"It won't happen to me" - I thought that too, and no doubt so did the OP. Won't it? How much will it cost you if you're wrong?
It now costs me $50/yr to know it won't happen to me and I'm more than happy to pay a fair price for a good product, like I do for everything else.
The real protection is to get your own domain which Fastmail of course supports, so you can point it at a different email provider if worst comes to worst, like ajross's plausible proposition that:
"[...] I'd put the odds of Fastmail failing entirely as a business rather higher that those of any single user having an unresolvable 2FA glitch with a gmail account. In the world of real data and not anecdata, Big Tech is incredibly reliable."
Well that's funny, because I see a desperate post by a gmail user with an unresolvable 2FA glitch (except by screaming for help on tech-oriented forums hoping someone will notice) basically every week, and yet somehow Fastmail isn't out of business yet. And who knows how many "normies" without an HN/Twitter megaphone just silently lose access, weep a bit and give up?
I have no doubt that Google won't actually lose my email data, but if I can't access it and have no recourse then there's no difference in practise.
I have an alt gmail account that I used less frequently. 3.5 years ago I was abroad right after the first wave of COVID, and logging in from a new laptop (no longer have the old one). When I tried logging in with the correct password, it told me I needed to verify an SMS to an old phone number I haven't used in 10 years (7 at the time I suppose).
Every now and then I'll try logging in hoping they realize that the account is mine, since I have the password, and no one else is logging in (hopefully).
Unfortunately, nothing changes, I still get the requirement to verify with a second device, and I never configured a recovery email for that account.
One day I'm hoping someone will register the old phone number, and I'll be able to smooth talk them into passing the confirmation code to me.
For anyone reading this, do not rely on google services, you'll move cities, change your number, or as OP change your password and _you will get locked out_ with no recourse.
You are no fool. No doubt you are way above average intelligence. This so-called "security" ecosystem of Big-Tech is a dumpster fire of rotting clinical waste. Hope it doesn't spoil your holiday break - and for goodness sake make a New Year Resolution - to quit this madness forever.
“Do you want this account to be extra secure and for us to lock someone out of it with any activity deemed suspicious?”
And then when you don’t click that box they don’t arbitrarily lock your account. But they don’t. Because they’re a dumpster fire company.
For anyone else reading, I'll just say that we all know there are tradeoffs between security and usability and we can actually have a good-faith discussion about that if we want to.
I have never bought into this regressive corporate security model in which my desktop computer is supposedly less trusted than assorted web app accounts. Unless I've opted in to something different, knowing the password should grant basically full access to the account. If there are additional rules around changing the password or other sensitive meta tasks, then those need to be spelled out in a well defined manner, and not punted to some opaque fickle machine learning scheme based on IP addresses, browser vulnerabilities, phase of the moon, etc.
The lockouts are there because of how easy it is, without them, to compromise someone's email access. People leave their email password lying "in the open" all the time (for a very broad definition of "in the open" that includes things like "re-use it in another site that gets compromised, and use the same username on that site so a cross-site attack attempt is basically a free action for an attacker to take"). When a Gmail account is compromised, people lose everything digital because they've routed their entire digital security story through their Gmail and it's a trivial operation to harvest all that data once an attacker has access. So the damage to an individual is massive when a Gmail account is breached. And since Gmail doesn't actually know who a person is, correction of a breached account is extremely painful (consider, for every method Google might add to prove your identity to restore ownership of your account, how a malicious actor could use that approach to steal your account).
I've been on the receiving end of a Gmail lockout (cooked a phone on vacation while my OTPs were stored in an envelope at home), and it sucks. But it sucks less than having my whole digital life story (access to HN, access to every forum I'm on, access to every hosting service I work with, access to every bank account I own) compromised because that Gmail account is the receiving target for every "reset your password" flow of every service I operate with online, and I'm the average use case.
Thus, as long as the total number of hijacking+lockout decreases, it is a useful policy from the utilitarian perspective. Of course, hijacked people don't cry for help as much, and neither they blame Google as much.
People think a better customer service would somehow solve the lockout problem, but they need to understand that customer service has the same hijacking vs lockout problem, and they can only help if they have better identity verification methods available to them - e.g. if Google asked for government ID for opening a Google account, this would work - but if Google did that, people would scream. Without properly established identity verification methods, the customer service can't improve the precision and the recall. Thus, the current choice for the users is to use a better identity verification method - like security keys and using Advanced Protection, as non-phishable auth does not need complex and elaborate heuristic based protection, and set up a chain of recovery accounts, with all accounts using the security keys and/or Advanced Protection.
Why?
You go to your register and point your domain to another email provider, and you’re back in business.
All your previous emails are lost, aren't they? Even you have local backup of them somehow, they are not equivalent to emails saved to your server?
I've done that in the past, don't recommend it unless you have a real need and know what you're doing. It wasn't hard, but just extra work that I wasn't sure was worth it.
I don't know why we ever thought free email was a good idea. Of course Google doesn't care about a free email user. They're just another useless eater out of billions. And yet so many of us (me included, until switching) basically built our whole online existences around gmail.
Email is important. Important things are worth paying for. You have status and recourse if anything goes wrong. Gmail works until it suddenly doesn't and you are reduced to desperate moves like begging for relief on HN. Move away before that happens, and vote with your wallet for fair service for a fair price.
I pay $180/year for Google Workspace and Google still doesn’t care about me.
I'm looking for a good alternative to the office suite, Microsoft has better customer service but not by much and it's not always easy to use cross platform(I wind up using Win, Mac, and Linux weekly and play with FreeBSD occasionally
It's so nice to have my Gmail only for Android and other Google services. It was a big relief.
https://developers.google.com/gmail/api/reference/rest/v1/Au...
google is good at spam filtering so those accounts became the accounts I give out to people publicly.
tl;dr: Fastmail custom spam filtering needs some time to actually do anything. Now no more 2 spam emails a year get through the filter.
In point of fact I'd put the odds of Fastmail failing entirely as a business rather higher that those of any single user having an unresolvable 2FA glitch with a gmail account. In the world of real data and not anecdata, Big Tech is incredibly reliable.
[1] Which seems great, btw. I'm actually looking at moving my vanity domain to them as I'm sick of chasing standards trying to host it myself. This is absolutely not a ding at Fastmail.
My point is just that there's no free lunch. Everything breaks, but on balance I'd trust Big Tech to get it right more than little companies like Fastmail or your domain registrar.
"I feel like" is, precisely, the anecdata fallacy at work! You feel that way because you see so many more reports of problems with the big providers. The truth, obviously, is that account management problems like this are present everywhere[1], but the email (or domain) market is dominated by a small handful of players. So you think the tiny ones are better than they are.
[1] Pointing out the pervasive complaints about domain registrars was supposed to drive this home. It's weird you think that somehow doesn't count. All bureaucracies mess up, it's not like email is a special kind of failure.
I think this misses the point. With Fastmail, if they mess up, I can still talk to a human. With Gmail there is no customer support to begin with so you're screwed whenever something goes wrong.
(I know I can set up manual filters. I prefer it to be done for me automatically.)
ok, we are different
How does Fastmail determine which ones are spam?
I used to love that automated categories and had 4 categories. One day I suddenly felt that that was too many and reduced it to two, "Primary" and "Updates" (similar to mail.live.com's "focused" and "other") and found it actually easier to manage my emails. Of course that is still two not one, but just want to say that you might also realize that you don't need so many categories.
Someone needs to lawyer up and make them pay through the nose for stealing access to individual’s personal data that doesn't even belong to them.
Until there is regulation, you’re probably going to be out of luck.
https://takeout.google.com
https://account.microsoft.com/privacy/download-data
As with all insurance you pay for what you want to risk. It didn’t hurt me much but I still went to daily offsite backups for my mailserver. The biggest gripe was standing up a new mailserver, make sure you keep your software up to date yall
It always seemed silly to me to have the server where your new mails get delivered be the same server as where your email archive lives.
I’ve been on the fence about migrating off Gmail, but after reading threads like this, I put a contingency plan in place. Backups of my Google account are done hourly, and I have a custom domain/workspace account so I can move the domain elsewhere if needed.
[1] https://www.cubebackup.com/
About 3 years later I was magically let back in, no idea why but I would try every few months and it just worked one day. Hope it doesn’t take that long for you.
I’m still locked out of my account. December 22nd was the expiration of the domain name I needed in order to unlock it, and it is now gobbled up by another squatting service (Bodi), so I will have to try again next year. They don’t even entertain my offers to buy it.
Let our losses be a lesson to people: get off of gmail asap. They do not care about you. They do not care about the harm they are doing, the memories they are sealing away. All they care about is making money off of your data.
Get off google now. As fast as you can.
1: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
I switched to posteo.net recently and have not looked back since, can only recommend a paid email provider. Different level of support and assurance when you are a paying customer.
Not all accounts seem to have this but I did. I do NOT have two-factor and eventually the "try another way" method offered to take me through the android code generation and it let me back in.
> *"Sign in With Backup Codes"*
https://support.google.com/accounts/answer/1187538?hl=en&co=...
But seriously, what's next? Switching to IE from Chrome? Back to MS Office from Docs? The more things change the more they stay the same...
I guess for certain things we backup to cloud and for others, we backup from cloud :D
Has lots of features, doesn't require a fast stable Internet connection, and there's no risk of losing your emails because $provider locked you out.
Plus if you have multiple email accounts, it's super convenient to get them all in one place.
Do you still have to fetch mail manually like a caveman or did they make it automatic yet? Does your mail sync between all your devices? I still think it's less likely to get banned from gmail than my local hdds to fail.
Uhh the whole discussion is about exactly this problem which you've decided won't happen to you because ... ?
Thunderbird rules and isn't going away, and makes things like blocking remote images easy (as opposed to gmail where you lose basic UX if you turn it off so most people don't).
What's more, gmail's basic features have really suffered in the last 10+ years. I search 20 years of email in Thunderbird faster and more efficiently than the bloatware POS gmail is now.
But best of all, I don't use gmail! I never have to worry about the nightmare scenarios presented here and nobody spies on my email (other than the NSA :) )
Oh -- physical backups rule too. From rotating through various drives my email is backed up at least 16 times over.