Tell HN: Need help, locked out of Google account with 10 years of personal data
The situation:
- Woke up today completely locked out
- Got "secure your account" message
- Set new password + recovery info but kept getting redirected to login
- Received "unusual activity" warning (around the time I was asleep)
- System asks for old phone number (lost in 2022)
- Have tried recovery dozens of times through g.co/recover
- Still have access to old recovery email but system never asks for it it
What I've tried:
- Using same devices and network as always (google pixel)
- Multiple recovery attempts with both old/new phone numbers
- Both old/new passwords (then never say which one they accept)
- Following all official Google recovery guides
I have so much of my life there:
- Primary email communications
- Password manager data
- Business documents and projects
- Personal documents
- Google Drive contents
- Contacts
- OAuth access to numerous services
- Years of irreplaceable data
I've exhausted all official channels and online resources. The thought of permanently losing access to this account is terrifying. Has anyone successfully recovered their account in a similar situation? Any Google employees or security experts who might be able to help?
This account represents my entire digital identity, and I'm desperate for any guidance or assistance.
123 comments
[ 4.0 ms ] story [ 214 ms ] threadSome people never learn?
I solved it by completely moving away from Google and services where I'm offered little control over verification settings. I remember I found the related settings in Google too restrictive at the time, and they seem to change requirements over time, thus making it too unpredictable for me. The "verify on old phone" really scared me away.
Personally, I pay for a service (email, data, password manager, etc). I also backup my data in multiple locations. It's a lot of work, but I don't really see an alternative at the moment.
Try cross-posting to Reddit as well
Even a small job that would backup emails and data to S3 and a hdd once a day would have saved me all this embarrassment. Hopefully starting with 2025 will have something to share with HN that is more positive.
For me that began with the necessity of providing a SMS-capable mobile phone number for recovery, which I won't ever give them.
They have alternative e-mails, fully verified, which were sufficient for opening that account.
Depending on where you are, that behaviour could even considered illegal, because they are weasle-wording around that necessity in their TOS, letting you make an account without that in earlier times, then changing that somewhere in their TOS later, which you have to agree to, or else...
But still just not explicitely stating that necessity when you're opening some account somewhere in googleverse right now, instead weasle-wording around in some of their fora, and censoring questions about that in there. No matter if in german, or english.
While having my full 'Ladungsfähige Adresse' ( https://de.wikipedia.org/wiki/Ladungsf%C3%A4hige_Anschrift ) with POTS/Landline for other reasons.
(Imagine endless stream of CENSORED cusswords here...)
edit: If any of your services require a SMS-capable mobile-phone to operate, even if only for authentication/recovery, then F....... say so loud and clear, right from the start, for every service, any place, anywhere, any time!
But that would be too obvious, innit?
After being locked out, given that box with options to restore.
Trying several, won't work. All leads to phone number, and not that obvious it has to be mobile, and SMS-capable.
Giving them the POTS/Landline, because even Amazon manages to give instant call-back on that. (In the middle of the night, very early morning even!)
Error like: 'This number has been tried too often.' WTF? That was the first time ever!
NOT this is no mobile-number, try that! Why do they even let me enter that, then? Why do they insist on SMS, while some voicerobot could sing some f...... code to me on that landline, which I could enter into some form?
Why can't I switch OFF all of that hypersensitive security crap in account settings, because I know it's suspicious, sometimes not logging in for weeks, or even months, without any former cookies, on different devices, from locactions far away, in different timezones, physically, while using VPNs, too?
Do I have to say daily where I am, like a good android-sheepl? Do I have to upload a whitelist of devices with identifiers in advance? Can I authenticate with the imprint of my glans penis on the sensor, then?
Less importantly: Since you know exactly what phone# is requested, try to contact it. Approach it in a way that doesn't alarm the renter and blocks you. Meanwhile, contact a real human in "telephone company" (maybe said # is free) and explain the situation: you want/need to PAY to get the phone number assigned to you (My telecom offers that service)
Human Is always the keyword
I already called the number, it seems it's not in use, called someone (he was selling "pretty" numbers online) to ask if it's possible to get it back and they said that there have been cases and it's currently in something they call "quarantine" and there may be complications as there are two operators involved, the original operator of the number and the one to which the number was ported to. I will follow up on Monday on that front.
Thank you.
You can just use the cheapest ones.
I wish this were still the case. Sadly, if you buy a domain and host your own email, you're going to get stuck in spam filters all the damn time. Your email address will feel broken, sending messages into the void.
The only email infrastructure services that are reasonably reliable belong to the likes of Google (Workspace), Microsoft (365), etc. Protonmail is reportedly okay, but my experience is that they still get spammed an awful lot.
There will be friction. We are trading convenience for security. Paid smaller provider with human support is more convenient and probably enough for most people.
Also, the own-domain-approach is for an important inbox. Read as: it is business related, it pays for itself. It also allows you to set up as many addresses as needed. The receiving inbox is the critical part of email here, because it is often part of your logins.
Regarding your outbox:
>you're going to get stuck in spam filters all the damn time. Your email address will feel broken, sending messages into the void. I try to remember this: Initially using forwarding. Send the message directly from your address to the recipient, and a ccc to a (more popular) forwarding address that sends the duplicate to the recipient, and starts with a clear: DO NOT REPLY TO THIS ADDRESS, and a "reply to" your own domain address. Your domain will eventually gain traction. This is a time investment to prevent a [another] catastrophe. Other mention this point as an "SMTP relay service", which is a much better.
Others also mention that domains can be seized, which sounds less likely than Google or Apple randomly blocking your account.
Failed Payments and other Domain management tasks, that's something I only know as much as any other passerby.
Edit: inbox vs outbox
Google is the Scorpion in the parable of the frog and the scorpion - it cannot help its nature.
https://en.m.wikipedia.org/wiki/The_Scorpion_and_the_Frog
You should always have backups, regardless of provider.
And note, I don't live in the US. I'm wondering about this question from a global perspective.
2. Use JMAP/IMAP or https://www.fastmail.help/hc/en-us/articles/360060590573-Dow... and keep a copy of all your mail locally.
Requires your own domain.
Just keep an extra. Don't put all your eggs in one basket.
We have a home media server. Our important data automatically backs new files to a secure folder in there once a week. If I can do it, anyone can. And it could be done easily to an external drive or something that you plug in once a month. Anything. Anything at all.
Most companies have backups. There's a reason they do that.
How do I spread this risk and make it manageable? I have to give them some email address and I fear losing access to my email. And yes, I can lose my email address even if I have my email on my own domain. There are many failure modes for losing domain names. So how do I manage this risk?
For gmail, you risk account lockout like OP is experiencing. You can mitigate the risk with more recovery options at account.google.com like backup codes.
For a service other than gmail, I think the risks of lockout without customer service to help might possibly be less., especially if its paid like fastmail. If you do pay you have the risk of not wanting to pay anymore, or forgetting to pay, and if you don't pay you also have the risk of the service going away. I suppose the service going away is ok.
I for one am pretty confident google will keep gmail running as well as possible, so I see other services as a bit more risk there.
If you own the domain, you have paid for it and risk someone stealing it or grabbing it when you forget to pay. You can mitigate the risk by choosing a registrar with good security, paying for a longer term or not forgetting, eg a quarterly reminder to review your domain names. You also need to be able to access your registrar account. You can choose registrars you get other services from, like AWS Route 53 if you use amazon for anything, or Cloudflare for VPN, and mitigate the risk of non-payment or non-access because access and payment will be done more frequently.
Using your own domain is also more moving parts, decisions, setup, etc. So you risk more things going wrong or fatigue over all the maintenance taking over. How you weigh the monetary and complexity cost of using a domain name for email compared to the upside of control, having a personal site at your own name, etc.
While the crowd here can maintain a domain, that’s not a realistic option for most average people. In practice, most people’s digital lives can be lost or reset simply by messing up their primary email account. With extremely limited recovery options, after a certain point at least.
And domains can be lost too. Missed payments, error in administrating the domain, government takedowns. Many failure modes exist for domains too. Nothing in the digital world is permanent! That's why I find it disturbing that so much of our digital identities are tied to our email addresses.
There are alternatives that do e-mail, cloud storage, contacts and calendars if you're prepared to research them. I won't post a list but mention some categories of options: there are companies offering similar products (fastmail, proton), you can sometimes rent managed next/owncloud/e-mail such as exchange from some suppliers, or you can self host some or part of your needs (e.g. I know people who tailscale to NAS drives). My google account is only used for paid-for android apps, for example. I'm one of the self-hosters (but I keep an eye on the managed offerings from local companies). I don't use tailscale as I can wireguard to my router, but tailscale works well when you just want stuff that plugs in and works. Synology NAS drives apparently can be tailscale endpoints.
Ultimately, I try to avoid Google as much as possible and to a lesser extent other large cloud providers. This stems from exactly the kind of incidents the OP faces, along with the usual concerns about ads/tracking (and specifically not contributing to this as a business model).
This is some of the most suspicious login activity imaginable. Nobody should be surprised if an account gets locked when you repeatedly try to access it from a new country and without your second factor.
"Google is the Scorpion in the parable of the frog and the scorpion - it cannot help its nature."
The scorpion is not malicious in the scorpion and the frog fable. So what's your point?
There's something broken in google's auth security system.
"Account disabled 'myemail@gmail.com', We noticed unusual activity in your Google Account and locked it to protect your information. Learn more" and a button "Try to restore".
And now I got: "Too many failed attempts, Unavailable because of too many failed attempts. Try again in a few hours.".
At least I got a new message.
It sounds like you have 2FA enabled so an account takeover is very unlikely. It sounds like you haven't violated the TOS in some egregious way, so actual ban is unlikely.
Most likely is there's some type of crazy cookie thing going on that is causing the auth system to vomit. It's shocking that this happens, but alas.
Maybe it's more "secure", but the situation is strikingly similar to a hacker changing your passwords.
So glad I switched to ProtonMail a long time ago and decentralize my data across different services. One's life should not be left in the hands of The Google.
I once recorded and made a GIF out of it :D :_D :_(
It is disturbing how much of our digital and physical life (utility accounts, medical insurance, etc. etc.) are tied to email addresses and these email addresses are something we can never ever truly own. If you are locked out of email, you are also locked out of at least half a dozen critical portals that send password resets, OTPs and all kinds of authentication fragments to your email address!
Most email addresses are on somebody else's domain and they can lock you out anytime. Even if you manage to set up your domain name, you are still renting the domain name from someone. One missed payment or you somehow mess up the admin work of your domain name or you lose your domain name for any reason (yes, it happens!), nobody in the world can reach your email address!
How did this happen? Weren't the old days of snailmail better? You could own a house or you could rent a house and get actual physical letters at your home. If you moved houses, you could have the new tenants of the old house forward mail to your new one until everything settled down.
Email addresses seem like good secondary mode of communication but I find it disturbing that all around the world, email addresses have become the primary mode of communcation and sometimes the only mode of communication!
Does anyone else feel extremely uncomfortable that so much of our critical digital and physical lives are tied to email addresses, things that we can never truly own and can be taken away from us anytime?
Thats not the cast with a GAFAM email account.
Can you or someone else share more about this? Do these laws work across countries? Can someone in Bhutan exercise their legal right to get back their .com or .org domain name? Must someone in Bhutan always buy a .bt domain name? I'd like to learn more about how the legal framework works and protects the customer from loss of their domain names?
I prepaid my domain name for 15 years.
You can transfert your domain out of a registrar.
Complete non-sequitur here, but that is one of the two inevitable things, according to Ben Franklin.
Yes, I’m talking about death.
So we should all make plans if there is actually worth anything preserving in posterity, plans that go beyond “just log in to my account” (which as OP shows is a huge PITA).
In a (maybe, maybe not) similar situation when a friend got a new phone, added sim card - then could not start the phone because google pass was not working.. (and he could not get 2fa of sms auth)
I suggested he go home where is already logged into gmail - and update account settings to allow additional methods of account recovery - bam - fixed.
That will get you back the contents of your account (emails, photos, etc).
You can also try submitting a right to rectification. They hold data about you (your account) but have incorrect data regarding ownership.
If either of those fails, you can escalate to the data protection authority in your jurisdiction.
It is likely to take several weeks though.
Honestly I don't mind waiting weeks to recover the contents of my account as long as I know that it's not lost forever. But all the FAQ and comments on the internet regarding similar scenarios have no good ending and people just giving up with no recourse.
I knew about Subject Access Request but didn't cross my mind I could use it in my current scenario. Thank you!
I lost a gmail years ago and only use it as a throwaway email client now. You get what you pay for.
Just because something can be a solution doesn't mean it should be.
It is in a way what makes a problem truly a problem. Otherwise, "problems" would all just be different ways of being ignorant of the better way.
If you're the average person and have gigabits of email, what are you supposed to do then?
Good for privacy too. It jas everything! Look through it an permanently delete what you don't want them to keeo.
Note that it is slightly lossy with respect to headers, times etc. Not ideal for anything legal related. For those print them off.
In order not to get caught up in the same thing again there are many good suggestions in the comments, all with some overhead/friction but 100% worth it if you ask me :D.
1. Starting a new 2-year contract
2. Paying a one-time fee for a preferred number (~150 EUR in my case)
Tip: Contact your local carrier to check if number recovery is possible, or if you can request a specific number for a new contract.
Currently pursuing Plan B: Submitted a Data Access Request [1] to Google in hopes of getting my data back.
[1]: https://support.google.com/policies/contact/sar
In my case Google refused working secondary e-mail link, secret word, current password - all of those. Probably just because my IP address changed. And my gmail and YouTube channel are now lost forever with no explanation. (I had no mobile number attached to it)
https://i.ibb.co/QdsKthf/markup-1000014882.png
That's just heresy for Google.
The only way I've ever been able to get decent support from googles help center is by calling and escelating the issue and then eventually getting to the right person via the email chain started following the call. Its a pain in the ass I know.
I *think* I ended up just having to get my phone replaced because it was the primary device that every other service relied on in the end for authentication(Google pixel & Google fi, Google TV, gmail, oauth, etc).
Also look in your recovery email for an email that contains a list of backup/recovery codes. I'm pretty sure they don't email these codes anymore and your prompted to write them down/save them elsewhere but worth checking.
Needless to say sibce then I do not use google for hardly anything other than the phone itself.
1) Incognito mode in Firefox 2) Use the same IP as before, or a private proxy with the same country and city as before 3) Goto Bing and search for gmail 4) Attempt to login 5) If asked to enter your full recovery email address - opt for this option 5) If you are then prompted for pva code use a fresh SIM which has same country code as the one you are in. 6) This might work
My #1 recommendation is to setup a passkey, and also set multiple security keys as the 2nd factor. All other authentication factors are subject to some form of heuristic defense.
Beyond that, a few optional things you can do in addition:
- Use Advanced Protection. - Use a platform that's more secure , which are iOS, ChromeOS and some android (e.g. Pixel), in general and especially during recovery attempt.