Ask HN: How do I get my Google account back?
138 points by j4tech 1501 days ago
A couple of days back, after I logged in to my gmail account, a security message flashed that someone had logged into my account and I was prompted to change the password or confirm that it was me who logged in. This was during a time when I had to replace my fried router twice within the span of 2 days (one that I rented immediately from my internet service provider on the same day my router died and then a brand new router that I bought a day later). I presumed that the security message was because of new IP addresses that must have been assigned. While I was initially able to log in to my accounts after replacing both the routers, on subsequent logins, I started getting a message that google was not able to ascertain that the email accounts really belonged to me. I managed to use my recovery email on 2 of my accounts and was able to gain access. However, after I entered a recovery email on the email account that displayed the security alert, google refused to accept that the account belongs to me. I have had this account, where I have my whole digital life, ever since Google offered one. Unfortunately I did not have a phone number associated with this account. My understanding is I would have been able to recover my account if I had one.

Is there a way I can recover my account? I have started changing the email IDs at various businesses and agencies where I have used this ID. Is there anything else I need to do?

29 comments

>Unfortunately I did not have a phone number associated with this account. My understanding is I would have been able to recover my account, If I had one.

It boggles my mind how people can have their entire life tied to this service and not connect a phone number, especially since google regularly warns you during login that this can happen if you don't add your number. They even ask to confirm every now and then in case your number changed and you forgot to update it. If you're worried about giving them your number for data privacy reasons, you should not have used their service for your whole life's activities anyway.

That's a mistake I will never make again. Your phone number is insecure - but even if wasn't, you are setting yourself up for losing your account forever if you ever forget to transfer all your 2FA numbers, or if the phone company decides they want to cancel your contract, or potentially if you lose your SIM card, or even if whatever SMS gateway doesn't like your number for whatever reason.

Literally, you are giving your account to the phone company.

I'm more convinced by the printed security codes. I have encrypted copies in several storage providers, and that includes publicly-accessible copies. I have a copy in my safe, I have some in my family's safe in a different country. No phone company involved.

I recently discovered the printed codes aren't particularly reliable and google will still ask for another authentication method. I managed to get into my account by driving to a wifi google recognized as "home" and being connected to that after the codes weren't enough. I too assumed they were some sort of master key but they're just an extra method and google's security blackbox can decide it's not enough.
This is the frustrating thing about Google's security. You record the printed codes and expect to be able to use them and then you're let down when it comes to the crunch because there are bonus extra steps.

It's a similar story with the "recovery email address" they let you add to your account. You'd expect that if you have access to that recovery email you'd be able to gain access but no, there are cases where Google refuses to send any recovery email because "we can't verify this account belongs to you at this time" so no recovery email for you.

This would all be fine if they didn't enforce we have to have 2FA enabled and then refuse to provide support even when you're a paid up member. [1]

[1]: https://news.ycombinator.com/item?id=31073302

Not just Google, anytime I have had to rely on a printed back-up code it hasn't worked. Anyone who thinks they are safe because they have back-up codes for any account, think again.
Same is true of the phone method too. They ignored the fact that I had my second factor. I have no idea what google were thinking.

Now I use paid email services.

Use a 2FA app with backups, or one that syncs to different devices (e.g. Authy). It's distributed TFA. The phone number is not very secure, so I don't think it should be a part of TFA. I therefore agree that it is unwise to allow Google to use it for this. I also have a fake DOB on my phone account to make SIM porting harder, but you can't trust that you have control over your phone number.
1Password also has a distributed TOTP system.
Bitwarden Family / Pro / Enterprise also has the ability to set up TOTP-based MFA which is then synced to other devices.

I use both Authy and Bitwarden

> you are setting yourself up for losing your account forever if you ever forget to transfer all your 2FA numbers, or if the phone company decides they want to cancel your contract, or potentially if you lose your SIM card, or even if whatever SMS gateway doesn't like your number for whatever reason

It's the same with your address, what if your landlord randomly decides to kick you out or your house burns down? Where I live my mobile number is very secure and will not change until I fuck up very hard. And in this case I have multiple other backups (printed codes, rescue number).

> It's the same with your address, what if your landlord randomly decides to kick you out or your house burns down?

Not the same at all, you can just go to the post office and file a forwarding address and all is well.

Phone numbers are very ephemeral. I have many phone numbers associated with many older accounts, like one from an office phone from a company that doesn't even exist anymore. Learning from those lessons, I go out of my way to never associate a phone number with anything anymore, it's just asking for future pain.

Then I can go to the post office and talk to a human who will happily confirm who I am (maybe they even know me personally) and can forward my mail anywhere I want.
This is victim blaming. If you have the correct credentials to an account, Google should never say "we're not letting you log in anyway, and there's literally nothing you can do about it".
Phone numbers are not a magic cure-all-ills pill, either. My phone plan became outdated and my number wound up being cancelled, which means my old work email now no longer can be accessed.

If Google actually gave options to its users instead of babying them and pressuring them to give up all their personal info (like EVERY OTHER EMAIL PROVIDER), this would not have been a problem. Google clearly cannot be trusted with anything of value.

I totally agree with you. That was a mistake on my part. I had my number on the account a few months back. But my thinking was similar to what @orblivion posted below

"Because I've been warned by security conscious people never to use phone number as a 2FA because it's so insecure, and using it as a recovery option seems to create an even weaker link.". I happened to read so many articles in the recent past of SIM Swapping, that I was afraid to use my cellphone number as 2FA and removed it from my gmail account. What with Google being evil and all

> Because I've been warned by security conscious people never to use phone number

Sadly you read only one part of the warning from security conscious people. The main part is to get U2F/FIDO key or use QR-code/authenticator. The same security conscious people use Fdroid/AndOTP where you can export all your 2FA codes.

There is NO reason to say "what if I shatter my phone?". Yes, you can also print recovery codes and keep them at home.
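Both the "2FA app with backups / distributed TOTP" comment above and this one about exporting your codes come down to the same fact: the thing worth backing up is the shared secret, and any device holding it computes identical codes. The following is an added example, not code from the thread or from any of the apps named (Authy, AndOTP, Bitwarden); it implements RFC 4226 HOTP and RFC 6238 TOTP from a base32 secret, parses the standard `otpauth://totp/` export URI that authenticator apps use, and verifies a submitted code with a small clock-skew window. The secret is the RFC test key "12345678901234567890" in base32, and the export URI, label and issuer are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890", base32-encoded.
# A real authenticator export (an otpauth:// URI or a JSON dump) carries a value like this;
# that string, not the six-digit codes, is what a backup has to preserve.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_EXPORT_URI = (
    "otpauth://totp/ExampleMail:alice%40example.com"
    f"?secret={SAMPLE_SECRET_B32}&issuer=ExampleMail&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Pull the shared secret and parameters out of an otpauth://totp/ URI (hypothetical export)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": params.get("issuer", [None])[0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    cleaned = secret_b32.strip().upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits)


def verify_totp(secret_b32, candidate, at_time=None, period=30, digits=6, window=1):
    """Constant-time check of a submitted code, tolerating +/- `window` steps of clock skew."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // period
    for skew in range(-window, window + 1):
        if counter + skew < 0:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter + skew, digits), candidate):
            return True
    return False


def code_from_backup(uri, at_time):
    """What a second or restored device computes from the exported URI: the same code."""
    cfg = parse_otpauth_uri(uri)
    return totp(cfg["secret"], at_time, cfg["period"], cfg["digits"])


if __name__ == "__main__":
    now = time.time()
    print("device A (original):", totp(SAMPLE_SECRET_B32, now))
    print("device B (restored from export):", code_from_backup(SAMPLE_EXPORT_URI, now))
```

The `window` argument is the usual trade-off: one step of tolerance absorbs phone clock drift, while a wider window increases the number of codes accepted at any instant, so keep it at 1 unless you have measured drift that requires more.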

We're not talking about 2FA, we're talking about account recovery. I do have my authenticator app set up. Can I use it to prove myself if Google thinks somebody stole my account?
Yes, I just tested it with one of my accounts that has NO recovery email address/phone. ONLY U2F key.

Select "forgot password"; then it asks to insert the U2F key. Then recovered. Yes, it may be that if one loses the U2F key on the Metro it is dangerous, but some risk is always there. (i.e.) how many times have you lost your key in your life? If more than once per year then keep one U2F at work and one at home.

Cool I'll look into it, thank you.
Because I've been warned by security conscious people never to use phone number as a 2FA because it's so insecure, and using it as a recovery option seems to create an even weaker link. If that's somehow not true, I haven't gotten around to figuring out why that is because I only have so much time for this shit.
Security conscious? Or security expert?

SIM-swaps are easy but do not scale. This means that they don't actually affect a lot of people. The improvement in security posture from SMS 2FA to TOTP is actually fairly small, because both lose to phishing and phishing is orders of magnitude more common than SIM-swaps or malware that steals SMS codes.

As a solo recovery option, it is indeed a more meaningful risk. But we also observe that people just lose their accounts all the time if they don't have a phone-based recovery option so I do understand why the option is offered.

Google allows for various kinds of 2FA, not just SMS. You can use a hardware key or even Google apps installed on other trusted devices.
Great, can I use a hardware key (or authenticator app, in my case) if I get locked out of my account like the person who posted this question? That's my point.

To be clear, 2FA != account recovery.

Not for all accounts. After several years, they started strongly recommending an SMS verification, then finally locked my account when I couldn't provide them one. [I have SMS turned off by my cellular provider] Every year or so I'll see if I can get back in. Sometimes I'm presented with a non-SMS option, but once I work through that, they go right back to insisting on SMS.

I only used that account for communicating with one friend, [our mail hosts were blocking each other in some kind of spam war tit-for-tat] now deceased, so it was no great loss to lose the account, but rather annoying that they pretend harvesting phone numbers is some type of "authentication."

But if you don’t remove your phone number then the insecure option is still present.
"especially since google regularly warns you during login that this can happen if you don't add your number"

All of this is so that they can mine phone numbers for older accounts. Now they require a phone number by default.

It makes sense to add a way to recover access to your account if you fear that you may forget your password. It makes no sense to give google your phone number just in case they may out of nowhere decide that you look suspicious (for using firefox? moving to another country? something else?) and reject authenticating you despite being able to enter your password correctly.

"you should not have used their service for your whole life's activities anyway"

You should not do that in general as Google is extremely unreliable. I had given them my phone number for my account but this did not help. I posted about it at https://news.ycombinator.com/item?id=30544030 a few months ago.

> It makes sense to add a way to recover access to your account if you fear that you may forget your password. It makes no sense to give google your phone number just in case they may out of nowhere decide that you look suspicious (for using firefox? moving to another country? something else?) and reject authenticating you despite being able to enter your password correctly.

Why should the reason you need to recover the account matter?

If the account is important to you, wouldn't losing it be equally bad regardless of whether you lost it because you forgot your password or you lost it because Google did something annoying?

I meant in terms of what google may need to prove that it is you.
I was NEVER prompted for a phone number or given a warning that I will not be able to access my account if I didn't have one. (Maybe because I already had one on the account and removed it? Not sure). However, off and on, google would prompt me for my recovery email and I had no problem accessing my account using that.
It boggles my mind how people can have their digital life under third party computers ONLY. I was a GMail user since when it was beta/invite only, but I have always had a local copy of everything in usable formats...

It might sound rude, but people have to learn a thing: only things you really own are yours, the rest might be there or not, might be good or bad, but it remains something ephemeral, not to be trusted for anything. And that's why we MUST stop letting connected devices fill our lives, from cars to home doors: we do not really own them and we should.

At the end of the day, they won't trust that the phone number you provided actually is you anyway.
yep. If google's artificial idiot has decided "guuuh even with your password, your token, and access to your recovery mail I cannot be 140% sure it's you, better to lock anyone out of your account forever", your account is toast.
> It boggles my mind how people can have their entire life tied to this service and not connect a phone number

This is blaming the victim instead of the ham-fisted limitations imposed by google.

There is no justifiable reason for google (or any of the cloud companies) to be imposing their arbitrary account locks on users.

I should be able to configure my gmail account with a setting that says never ever require anything other than my password to access it, because I know my password is strong and well protected. I don't want any of these misbehaving AI detections locking up my account for reasons that I don't want.

If someone else want to configure their account with these trip hazards, more power to them, but it's not ok for these cloud companies to impose it.

Another reason why I mostly self-host everything, but for less technical people who are not able to do so it's a huge problem. Let's not blame the victim.

I've tried to reset my password previously. Having a number associated didn't really help me.
Some people can't afford a smartphone, and rely just on a landline, sometimes one phone for an entire home.

We need a federal law that two factor authentication needs to work on landlines.

The technology is there. It's not expensive either.

Why not a law that prohibits companies making people jump through any of these arbitrary hoops in the name of "security" to begin with? Authentication requirements should be straightforwardly understandable, future-predictable, and fully changeable by the user. Not opaque, always changing, and top-down set by the company for their version of "security". This goes doubly when there is no customer service to sort things out with.

PS stop validating their top-down model by referring to SMS nags as "2FA". It's snake oil for the corporate motive of demanding identifying information.

I can't help the OP, but I can help you, gmail user reading this:

This WILL happen to you. Get your own domain and set up email through it ASAP. Use some free one, use a paid one (I like fastmail), but get it done now. Then migrate all your accounts to it.

I really really want to do this but am stuck on Gmail because of their spam filtering.

Is there ANY other provider that does spam filtering that actually works? I tried Fastmail, but I receive so much spam (>600 per day vs. ~20 non-spam per day) that only Gmail's spam filtering is good enough. I've tried others (like Fastmail) and typically ~50/day get through their spam filters, vs. at Gmail where on a typical day 1-2 get through.

(Why do I get so much spam? Because I've been using the same email address, never hiding it at all even on Usenet, for 25 years.)

I would pay a lot of money - like I'd be willing to pay 4x what Fastmail charges - to get off Gmail, but apparently nobody else can do spam filtering.

Get a domain. Then get an email provider that allows unlimited aliases (I'm using German UberSpace).

Then start setting up unique email addresses for each service, e.g. ycombinator.com-abcd@yourdomain.com . The "abcd" part should be random for each service so it's impossible to guess your other email addresses.

I also use yearly throwaway addresses, e.g. 2022abcd@yourdomain.com, for when I need an email address without having the means to create a new alias first. (I then change that later.)

Should spam starting to appear, you'll know exactly which service "got hacked" (i.e. sold your email address) and can just disable that alias and create one with different random letters. Also when deleting an account somewhere, just also delete the alias and you won't get any mails about signing up again.

It takes a bit of discipline but it gives you lots of control over your inbox.
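The per-service alias scheme described in the post above (random suffix per service, disable the alias when spam shows up, delete it with the account) is easy to keep disciplined if a small script mints and tracks the aliases for you. The following is an added example, not the poster's tooling and not tied to any provider; it uses the hypothetical domain `yourdomain.example` in place of the post's `yourdomain.com`, and the spam recipients fed to `leak_report` are constructed for the demo. It goes a little beyond the post by also classifying inbound recipients so a disabled alias can be dropped at delivery time.

```python
import secrets
import string
from collections import Counter

ALIAS_DOMAIN = "yourdomain.example"  # hypothetical domain standing in for the post's yourdomain.com


def random_letters(n=4, rng=None):
    """Lowercase suffix. rng needs a .choice(); defaults to a CSPRNG, inject random.Random(seed) to reproduce."""
    rng = rng or secrets.SystemRandom()
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


class AliasRegistry:
    """Tracks which alias was handed to which service and whether it is still live."""

    def __init__(self, domain=ALIAS_DOMAIN):
        self.domain = domain.lower()
        self.aliases = {}  # local part -> {"service": str, "active": bool}

    def _local(self, address):
        """Local part of an address on our domain (case-folded), or None if it is someone else's domain."""
        local, _, domain = address.strip().lower().rpartition("@")
        return local if domain == self.domain else None

    def create(self, service, rng=None, suffix_len=4):
        """Mint e.g. ycombinator.com-abcd@yourdomain.example; the loop guards against a suffix collision."""
        while True:
            local = f"{service.lower()}-{random_letters(suffix_len, rng)}"
            if local not in self.aliases:
                break
        self.aliases[local] = {"service": service, "active": True}
        return f"{local}@{self.domain}"

    def rotate(self, address, rng=None):
        """Disable a leaked alias and issue a fresh one for the same service."""
        local = self._local(address)
        if local not in self.aliases:
            raise KeyError(f"not an issued alias: {address}")
        entry = self.aliases[local]
        entry["active"] = False
        return self.create(entry["service"], rng)

    def classify(self, recipient):
        """Return (disposition, service) for an inbound recipient: deliver, drop (retired alias) or unknown."""
        entry = self.aliases.get(self._local(recipient))
        if entry is None:
            return ("unknown", None)
        return ("deliver" if entry["active"] else "drop", entry["service"])


def leak_report(registry, flagged_recipients):
    """Given recipients of messages your spam filter flagged, count hits per leaking service.

    The None bucket collects spam sent to addresses you never issued (dictionary attacks, guesses).
    """
    report = Counter()
    for rcpt in flagged_recipients:
        _, service = registry.classify(rcpt)
        report[service] += 1
    return dict(report)


if __name__ == "__main__":
    reg = AliasRegistry()
    hn = reg.create("ycombinator.com")
    shop = reg.create("shop.example")
    # Constructed spam hits: two to the shop alias (one with odd casing), one to a never-issued address.
    flagged = [shop, shop.upper(), "info@" + ALIAS_DOMAIN]
    print(leak_report(reg, flagged))          # {'shop.example': 2, None: 1}
    fresh = reg.rotate(shop)                  # retire the leaked alias, mint a replacement
    print(reg.classify(shop), reg.classify(fresh))
```

In practice the registry dictionary would be persisted (a JSON file is enough), and the `classify` call would sit in whatever your mail provider offers for alias rules or in a sieve/procmail step, so that a retired alias is dropped before it reaches the inbox.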

I've done the same, but apparently no one ever sells my email. Did your effort ever pay off?
Yes, various times. Mostly LinkedIn and a few other services that vanished but seemingly sold their userdata. And 2 or 3 times I've got spam before the company announced that they got hacked.
Paid off for me. Very satisfying busting a company selling my address and bringing to their privacy officer's attention as to why I'll never be a customer of theirs again.
I've been doing this for years and have had maybe 4 addresses compromised out of a couple hundred.
same here. I was expecting a lot more re-selling of my email address to be honest.
I'm sure you're aware, but if not, Fastmail trains a spam filter based on your email[0], and after you train it, it -does- get better. It just takes time. I haven't had my address for as long as you (only 15 years or so), but I have been just as nonchalant about sharing it openly. I get plenty of spam, but it's all sorted automatically now, and I don't miss Gmail.

[0]: https://www.fastmail.help/hc/en-us/articles/1500000278142

Yeah, well aware. It's not the inputs, it's the algorithm, it seems.
Fastmail's spam filter is great if you are willing to put some minor effort. Read this: https://www.fastmail.help/hc/en-us/articles/1500000278142-Im...

Fastmail works great for me. I do not miss any emails as junk nor do i get any junk in my inbox because of using the methods explained in the link above.

Controlling your own email address is the way to go. It takes consistent effort to migrate but worth it when it is done.

> (Why do I get so much spam? Because I've been using the same email address, never hiding it at all even on Usenet, for 25 years.)

I've had my same email for about as long as you (maybe 1-2 years more), never hiding it at all including Usenet.

> I really really want to do this but am stuck on Gmail because of their spam filtering.

gmail spam filtering isn't very good. Lots of false positives which is far worse than the occasional false negative. I have a gmail-hosted account for work and it's very annoying.

I host my own email infrastructure and spam isn't a problem. With a bayesian filter trained on my content, I rarely see any spam. Maybe like 1-2 per month? I don't keep track, it's very rare. And no false positives ever.

You can use Gmail with your own domain, and download all the email via IMAP/POP, or forward it all to another account. That way you get the functionality but not the dependency. This is the safest way to set up any cloud email account, even if you decide to move from Gmail to a different one.
I already do that - my domain is actually hosted at Dreamhost, and then mail is forwarded to Gmail.
> but apparently nobody else can do spam filtering.

I've experienced the opposite; I had to abandon one paid mail host because they turned their spam filtering up to "Thunderstruck!" I was getting about every third message on mailing lists, and other mail seemed to be about 50/50. They had drunk the Kool-Aid from whoever sold them the software, and claimed they couldn't whitelist or turn it off per-account, and I should be grateful that half of my legitimate mail was going into the bit bucket.
I always assumed spam filtering is a solved problem; I've never had any issues with e.g. protonmail once I've trained it on a significant body (e.g. all my current spam). I'm curious, how many positive/negative samples have you used/how much time have you given the system to adapt?
The last time I gave it a serious try, back in 2019, I gave it ~120000 non-spam samples (several years of real emails) and ~25000 spam samples (1 month of spam).

After that it was getting about 5% false-positive (so 1 in 20 real emails went to spam) and about 3% false-negative. For me, 3% false negative means 25 spams to inbox a day.

Gmail gives me about 0.5% false positive (1 in 200) and 0.01% false negatives.

Doesn't this just move your single-point-of-failure over to the service you bought your domain name from?

I suppose NameCheap and friends may be less likely to irrevocably lock you out than Google. And perhaps even if you are "locked out", your ownership of the domain will expire and then you can just buy it again from another registry... So perhaps you're right, but I wonder if there are any other reasons or caveats.

> your ownership of the domain will expire and then you can just buy it again from another registry

Aren't there predatory rent-seeking companies that camp domain expiration lists, buy them all, and then hold them ransom for tens of thousands of dollars or more?

> Doesn't this just move your single-point-of-failure over to the service you bought your domain name from?

Unfortunately this is very long but this has saved my butt countless times.

Everyone hates it, but it'll be better to know these definitions. TLD means top-level domain, the .com on ycombinator.com. Registry means the company operating the specific TLD, for example Verisign operates .com and .net. Registrars are those that handle registration, like Namecheap. Registrant is you or your company. gTLDs are "generic" TLDs, .com, .net, and even those newfangled ones like .xyz and .dev. ccTLDs are two-letter (exceptions apply) TLDs attached to a sovereign nation or territory (like .uk for UK and .gg for Guernsey, a UK dependency), and from time-to-time includes (all US) .gov, .mil and .edu. For the purposes of this discussion, TLDs like .wales and .scot are gTLDs and not ccTLDs, but there are IDN ccTLDs like .рф and .中国. .int is a special TLD not generally considered as gTLD nor a ccTLD, and .arpa is a special technical TLD for internet maintenance. ICANN generally has jurisdiction over gTLDs, countries (usually governments or independent organisations in that country) control ccTLDs.

First: use only a registrar listed on ICANN: https://www.icann.org/en/accredited-registrars, preferably one that clearly has a presence in your country of citizenship/residence. Domain resellers (without ICANN accreditation) go bust nearly every day and recourse is hard if you decide to go to a reseller, but an ICANN-accredited registrar is required to send who owns their domains to a trusted independent ICANN-approved third party (formally called an escrow, usually DENIC unless you're in China then it's CNNIC). This is not applicable to ccTLDs, especially those with restricted registration (like .cn, .kr and .jp), but ICANN accreditation means that they have a baseline to follow. This will only work if you provide complete and accurate WHOIS information, but if you're using a registrar which has a privacy service the information sent to the escrow is the real contact info and not the one that's redacted at your WHOIS. If you decline to provide real information unfortunately you have no recourse if something bad happens as it relies on you being contacted, even if it's through postal service.

Second: is your registrar accredited by the specific registry? For .com, .net, .name and some others, Verisign is the registry (the one operating the specific TLD): https://www.verisign.com/en_US/domain-names/domain-registrar..., and for .org it's https://thenew.org/org-people/work-with-us/find-a-registrar/. Newfangled gTLDs are required to serve a page at nic.tld (like https://nic.xyz or https://nic.dev). Unfortunately, it's hard to find who is the registry for your ccTLDs. Wikipedia might help though, for example .uk has information here: https://en.wikipedia.org/wiki/%2Euk and for .gg here: https://en.wikipedia.org/wiki/%2Egg.

Third: if considering a ccTLD, only use one connected to your citizenship or residence, unless you treat it as disposable. I'm not kidding here. If you're using .io, prepare to migrate due to this: https://en.wikipedia.org/wiki/Chagos_Archipelago_sovereignty.... Notion is stupid to use Somalia's and this happened: https://news.ycombinator.com/item?id=26113444.

> ccTLDs are two-letter (exceptions apply)

ccTLDs are two letters by definition. Other geographic TLDs like .cat, .wales, or .london are not ccTLDs.

.gov, .mil, and .edu are not considered ccTLDs or gTLDs. They're technically in another category entirely: "sponsored TLDs".

> First: use only a registrar listed on ICANN […] Second: are your registrar accredited by the specific registry?

Both of these are guaranteed to be true by the governance structure of gTLD domain registries -- a gTLD registry cannot provide services to registrars which don't have accreditation.

> Domain resellers (without ICANN accreditation) go bust nearly everyday and recourse is hard if you decide to go to a reseller

This is not true. Resellers can "go bust", but the registrar of record (that is, the "real" registrar that's being resold) has the customer's contact information and can continue to offer registration services. In fact, they're obligated to do so.

> ccTLDs are two letters by definition

You forgot IDN ccTLDs that are indeed not two letters.

I have Gmail accounts but none of them are for anything critical or important. I create a new one with every android device I get.

Google lost my trust for anything more than a random account I need (Google makes you need) for using an android device when years ago they made me provide a DOB, and I mistyped it putting the current year instead of my birth year in.

Next thing I know my account was locked because I was too young to have one. At the time I was able to contact them but had to provide ID and confirm a credit card for age verification. I reluctantly did this because at the time I had important stuff in that account. After that I moved anything critical to a trustworthy service that isn't selling my data to advertiser and shut the account down.

I'm glad I did because things have got worse since. Now I don't use any Google service, with a few exceptions.

This is all nice, but you're not answering the freaking question. I'm tired of this line of reasoning in here. Someone asks something specific, and then everybody jumps in to tell his/her story which while informative, doesn't solve the initial issue.

Please, for fuck's sake. Stay on the topic.

Oh the irony.
they're not wrong. it's a very reddit way of communicating. people criticize then get right to story time. when you're in this situation, you couldn't give a fuck less about someone's tangential testimonial.
Please see my previous comment. I'm not on Reddit nor did I criticise anyone. Unfortunately I can't remove the original offending comment to assuage the butthurt, even if I don't agree that talking about my experience with Google in a thread about OPs experience with Google is off topic. This comment is though, but ironically as a reply to a comment demanding things be kept on topic that moves things further from the topic.
You're doing too much
> presumed that the security message was because of new IP addresses that must have been assigned. While I was initially able to log in to my accounts after replacing both the routers, o

1. Verify if your router or router software that you installed in your PC is doing something fishy.

2. As long as you have a browser window with cookies - even a new IP address should NOT matter. It should allow you. I am almost always working in cafes with different IPs and it just works.

3. Please please verify your recovery email ID. Sometimes I have made the mistake of typing first.last@ instead of without dots. Send an email to your recovery ID to test.

Please get a 2FA U2F token.

Installing any software for using a router on your PC already sounds fishy for me. Routers should not require any software being put on a PC.
I should have been more clear. I flashed Merlin firmware on the new router. Not on my laptop.
Many providers do it... sadly
I have never had one actually require it, often the installers will claim that but back in the day I would just say "sure here is my linux machine have fun installing your windows software on it" and magically they did not need to install anything any more....
But as one can imagine people (99% are on Windows) do it in haste...
1. My new Asus RT AX86U had Merlin installed on it. I disconnected this router after I started getting security alerts and switched to using the router provided by my Service provider.

2. I use firefox with cookie cleaner add-on that clears cookies the second I close the tab.

3. I have a paper copy of the account details and I am 100% sure of my recovery email. I got a Yubi key recently and plan to use that and authenticators on all my accounts.

2. Instead of that use separate firefox profiles - one exclusively for Gmail. Another for casual browsing. If you clear cookies all the time then it seems like you are logging in so many times per day. This could be a warning sign of a hacked account - for google. (i.e.) do not do unusual things.

3. At the end U2F is the proper solution, albeit late!

Good point @davidmitchell2. I will do that.
I therefore have one for facebook, slack and so on (i.e.) for every major company where I log in. Then one is for just browsing.
Google, Microsoft, and Apple all use previously authenticated IPs as a signal for their account recovery processes.
> Unfortunately I did not have a phone number associated with this account. My understanding is I would have been able to recover my account, If I had one.

This is not true, in my experience. Having a phone number verified and linked to the account as a recovery number may help, but it does not always mean that you’d be able to recover the account. I recently had trouble with one of my Gmail accounts where I successfully changed my password and linked a phone number, but it wouldn’t allow me to login again or allow me to go through the recovery process.

As more stories of such casualties come up, one can only hope that more people stop using Gmail (it seems to me that this is what Google really wants).

Good luck, and I hope you’re able to get back into your account and/or move to a reliable provider.

Thank you. I was wondering if having my own domain would be a better option...
Get an account with iCloud and forward all mails as backup to iCloud
Do you know anyone who works at Google (or have a friend of a friend)? Employees have an internal tool called help my friend to assist with situations like this.
I am reaching out to my friends to find out if they know any one at google.
former googler, I was never able to actually get my friend help through either this tool or trying to find help on various mailing lists. I didn't and probably should have tried memegen.
Sometimes waiting a few days and trying again works. Seriously.
Top this. Not happened with Google, but for Meta services it works. I was locked out of my Facebook and Instagram on different occasions. They just worked the next day.

Google might have something similar too.

Keeping fingers crossed
> Is there a way I can recover my account?

I assume you tried contacting Google's online support and got nowhere. Try writing Google a _physical_ letter. Maybe even make it registered mail. In your letter, ask them sternly to make either the account or a dump of its contents available to you. Explain that, since it is of extreme importance for your personal and professional life, they must understand you will use any legal means at your disposal to obtain the data associated with that account. Also consider mentioning this situation is damaging your personal or professional life.

This may or may not elicit a response. If it does, then good, you've probably succeeded (unless it's a "taking under advisement" response). If not, contact a lawyer and check whether you can legally force them to give you access to your information. IANAL, but it stands to reason that you may be able to - either at their expense or at yours.

---

And I too will join the advice given by others: *A Google account is not under your control.* It is read by others, and can be blocked by others. You must back-up your emails and other content, rather than relying on its availability via Google. I would go as far as recommending avoiding a Google account altogether (I do).

What email service are you using?
I use gmx.com and riseup.net; but - I'm not saying you should follow my example (and riseup.net isn't even intended for general public use). I've heard protonmail is nice.

More importantly, though: I use POP3 and a proper mail client, so I don't rely on GMX for my old email to continue to exist. I also back it up once in a while along with my other personal file backups.

Wondering what people are using these days. Protonmail? Hey? Fastmail?
I've had a pretty good experience so far with migadu.
(Disclaimer: I'm part of the crew building https://ente.io)

I hope someone at Google takes a look at this and uses their internal tool to help OP.

That said, this oft repeated story is one of the most compelling reasons why I think Google alternatives (like the one we're building) will catch on in the mainstream population. Not privacy. But the fact that we offer human support, whilst Google doesn't.

From: https://ente.io/privacy#account-data

> Data security is very important to ente, whether that is your personal information or any other data. That is why we publish our client-side browser and mobile app software and why we have provided information in this Policy on collection and storage of all data whether or not it is personal information.

How does this prove Data security?

> And what is this: our architecture has been reviewed by cryptographers and engineers from IBM Research, ETH Zurich, IIT Delhi, Google, Facebook, Amazon, Microsoft, ...

Any white-paper?

> How does this prove Data security?

You're right, that by itself doesn't prove data security. But what we try to do is follow the example of other privacy-first Google alternatives like DDG, Signal, and try to structure our organization/processes/code in a similar way.

> Any white-paper?

https://ente.io/architecture/

Not quite a white paper, but I feel https://ente.io/architecture/ covers the practical aspects of what we do in a human readable way (we wanted this page to be understandable by people with a non-cryptographic background, I'm just mentioning the intended audience, a few of our customers have reached out to us and have mentioned they found it useful too).

Why did your reply start with an advert?
Because disclosure is part of the culture here. If you're working for the competition or have some other relevant source of bias, it's polite and ethical to disclose that.
As much as I appreciate people like you doing new things, the same will happen to your project if it grows.

There will be a point that your service will simply have too many users to handle all of their requests in a satisfactory way.

If you disagree I'm interested why you think y'all can make it differently.

I agree, scaling support is a hard problem. But Google has set an extremely low bar, they've just given up, and they can just blatantly do that, because of their effective monopoly/duopoly.

I'm sure we (if not us specifically, some other project like us) can do better.

Why?

If it is economically viable at small scale why wouldn't it be more so at a larger scale?

Google thinks their algorithms for suspicious activity are more important than their users' data. Just removing access altogether.

> If it is economically viable at small scale why wouldn't it be more so at a larger scale?

Well, because of scaling. Let's say 1% of your users create a support request every month (no idea if this is way too high or too low). Trying to KISS.

If your service has 1000 users, that makes 10 support requests per month. One person can handle them alone, probably.

Google Drive alone has 1b users, but let's cut that by 50%, after all this is the number which Google reports themselves. Still, with half a billion users you would suddenly receive 50 million requests. Let's be even more generous and say that these requests are opened over the span of a year, not a month. That's still 4.5 million support requests per month.

Don't even know if my calculations serve any purpose; what I am trying to say is that the number of users and the support staff your service needs do not scale 1:1. At a certain point (no idea what the cut-off is) your service will create so many requests that it will become impossible to handle them all with care and humans. To add to this, the more users your service has, the bigger your infrastructure has to be, meaning that you need more people maintaining this infrastructure.

Maybe I am too pessimistic or whatever, could be. Just my 2cts.

How does your human support handle a user forgetting their password?
Assuming they have cryptography all data is lost.
Exactly. Seems like poor support. "We're amazing because we'll put a human on the line to tell you that you're fucked and we can't do anything" doesn't seem like the status-quo-busting human support the "mainstream" wants.
That is what it means by encrypted data storage. Only the user has access. If they managed to see/recover your files then it is not encrypted.

(In the end, people will complain at both ends - some want convenience and do not care if companies see data. Others want total encryption and do not care if it is lost.)

I'm afraid I can't help you. I'm not sure whether Googlers here can either. I'd be surprised if they are allowed to modify user accounts outside the established processes.

I would recommend anyone who values their Google account, and who can afford it, to purchase two FIDO security keys and enroll in the Advanced Protection Program. [0]

Once you've done that, security warnings upon sign in go away. It would seem you can sign in on the least trustworthy IP address in the world, and Google will not bother you about it.

And your account essentially becomes intrusion proof, even from phishing attacks.

[0] https://landing.google.com/advancedprotection/

It's good, but a lot of integrations with Google do not work with advanced protection. Which results in me having 2 accounts, 1 primary and 1 secondary for whatever doesn't work with advanced protection. I've particularly found android tv to not play nice with advanced protection.
Is that program compatible with logging in to Gmail through the iPhone app?
Yes, and you can also use the native Mail app.

https://support.google.com/accounts/answer/7539956#non-goog_...

Another signal to remove Google from your life.

It was amazing back in the 00's, but now it just seems toxic. Every service and such.

Apologies, I can't provide any assistance to OP, but in the future you can set up one-time codes to get back into your Google account. They give you a printout of 10 codes which, optimally, should last the lifetime of your account unless reset.
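The one-time codes mentioned above are the recovery ("backup") codes most services issue: a short printable list, each entry usable exactly once. The block below is an added example of how a service can issue and verify such codes; it is not Google's code, and the alphabet, code length and count of 10 are assumptions. Only salted, slow hashes are stored, a used code is burned, and user input is normalised so a code read back from paper still verifies.

```python
# Added example: one-time recovery ("backup") codes as a service might issue
# them. Not Google's code; the format and counts are assumptions.
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Letters that are hard to confuse when read back from a printout (no 0/O, 1/l/I).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def normalize(code: str) -> str:
    """Accept what a user types: case, spaces and hyphens do not matter."""
    return "".join(ch for ch in code.lower() if ch in CODE_ALPHABET)


def hash_code(code: str, salt: bytes) -> bytes:
    # A deliberately slow hash: a leaked table should not hand out working codes.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 50_000)


class RecoveryCodeStore:
    """Server side: keeps only salted hashes, and burns a code once it is used."""

    def __init__(self, salt: bytes, hashes: List[bytes]):
        self.salt = salt
        self._hashes: List[Optional[bytes]] = list(hashes)

    def remaining(self) -> int:
        return sum(h is not None for h in self._hashes)

    def redeem(self, code: str) -> bool:
        candidate = hash_code(code, self.salt)
        for i, stored in enumerate(self._hashes):
            if stored is not None and hmac.compare_digest(stored, candidate):
                self._hashes[i] = None  # single use: the same code never works twice
                return True
        return False


def issue_codes(count: int = 10, length: int = 8) -> Tuple[List[str], RecoveryCodeStore]:
    """Return the printable codes (shown to the user exactly once) and the store."""
    salt = secrets.token_bytes(16)
    codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]
    printable = [f"{c[:4]}-{c[4:]}" for c in codes]  # e.g. "k7mq-2xpw"
    store = RecoveryCodeStore(salt, [hash_code(c, salt) for c in codes])
    return printable, store


if __name__ == "__main__":
    codes, store = issue_codes()
    print("print these and keep them offline:", codes)
    print("first code accepted:", store.redeem(codes[0]))
    print("same code again:", store.redeem(codes[0]), "remaining:", store.remaining())
```

The plaintext list exists only in the return value of `issue_codes`; once it has been shown to the user the service holds nothing that reproduces the codes, which is why losing the printout means generating a fresh set rather than asking support to read them back.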

"That's the Neat Part, You Don't"

https://knowyourmeme.com/memes/thats-the-neat-part-you-dont

(couldn't resist. Sorry)

Came here to post this :D
I had a similar issue - I know the password and the recovery email but do not have a phone number associated with it. I can't log in. Thankfully, that Google account has no important data.

Only thing you can try is to use the same device and browser and this time, use your mobile internet to access it (if not done already). This might have 1% extra chance of success but there's no guarantee.

Google's AI (or the engineer's brain) has decided that logging in with new routers is only the job of a scammer or a terrorist, hence you're logged out permanently.

I've moved 90% of my life away from Google. Perhaps you can try that as well.

What email service are you using? What about a Google Photos replacement? Thanks
Not parent but:

Email, I'm using the POP3 and SMTP servers of the registrars of my domains. They also have IMAP and a web interface but I'm fine to look at my mail with K9 on my phone, delete the cruft and download the messages I need. You probably want IMAP and web mail.

Photos, I sync to my laptop with Syncthing and then back up as any other file. It means that I can look at all my photos only on my laptop because I don't sync between mobile devices. Occasionally I'd like to show a picture so old that it's not even on the microSD card I passed along phones, but nobody really cares; telling the circumstances is always good enough.

Disroot and Nextcloud.
Unfortunately I don't have an answer for you. Maybe this page helps:

https://gmailaccountrecovery.blogspot.com

There's also a Google forum where you could ask:

https://support.google.com/accounts/community

I know someone who recovered their hacked YouTube account (Google account) by contacting YouTube support on Twitter.
Maybe repost on Monday (US timezone) in the hope that some Google employee on this board sees it.
I wonder if you are in Europe or somehow related? Would anyone know of any success case where you can GDPR them to receive all the data associated to you in this way? It's not "your account", but at least might give you your data back.
And an interesting follow-up: Would this not continue to apply in an ongoing basis?

Just because you've lost access doesn't mean your gmail doesn't continue to receive emails, and if those emails are considered personal data, what stops you continuing to send data access requests to help yourself migrate?

How fast does Google respond with your data? I know Facebook's data export took me at least a week last time I did it (back when they first announced it). Most service's email confirmation codes/links have an expiration timer that is pretty short. If Google were really malicious they would just make you wait a week, or more, until they "gather all your data" making it not possible to migrate your accounts.

What should be possible, though, is to migrate your account without access to your email. For example make the user save a special TOTP secret that will be used only for dangerous actions and not just for logging in.
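The suggestion above, a second secret reserved for dangerous actions (changing the recovery address, exporting data) rather than for login, is a step-up factor. The block below is an added example of what the verifying side of that looks like; it is not Google's code, and it implements plain RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 30-second steps) with two checks a practitioner would want: a small clock-skew window, and replay protection so a code that was already redeemed cannot be used again within that window. The sample secret is the published RFC test-vector key, used here only as constructed input.

```python
# Added example: a separate "dangerous action" TOTP, as the comment suggests.
# Not Google's code; the RFC 4226/6238 test secret is used as sample input.
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(at) // step, digits)


class StepUpVerifier:
    """Verifies codes from a secret reserved for account-changing operations.

    The login factor and this secret are different keys, so a phished login
    code does not also let the attacker change the recovery email or password.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew            # accept +/- this many steps of clock drift
        self._last_counter = -1     # highest time step already redeemed

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        now = time.time() if at is None else at
        counter = int(now) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self._last_counter:
                continue            # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self._last_counter = c
                return True
        return False


# Assumed sample secret: the test-vector key from RFC 4226 / RFC 6238.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = StepUpVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, time.time())
    print("first use:", verifier.verify(code))
    print("replayed:", verifier.verify(code))
```

Because the verifier remembers the highest redeemed step, a code that was accepted one step early (within the skew window) also blocks the code for the current step, which is the conservative choice for an operation that only happens a few times in an account's life.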

I live in US
Not a week goes by without seeing a post like yours. You may simply need to come to terms with the fact that you may not be able to gain access to your account. Lesson learnt: Google is evil, stay away from it.
> Lesson learnt: Google is evil, stay away from it.

I think it would be better to come up with and popularize a phrase similar to "not your keys, not your coins". Maybe something along: "not your server, not your data" or "not your hard-drive, not your data".

Another lesson: Keep your own copy of all files. Use takeout.google.com.
This is necessary but not sufficient to protect your digital life from complete devastation. In particular, remember that you still won't be able to receive any new emails.
Google products don't come with support. Find some Gmail Product Expert on LinkedIn and message them; they'll share some tips.
Sometimes Google can add a phone number after the fact... I think that they check your identity with the phone companies' records.
Similar thing happened recently with my Amazon account. They said I can make a new one, and otherwise to get fucked.
This question pops up a lot on HN. From what I've read in similar posts, you'd have a hard time getting your account back even if you'd work at Google. Sadly, having your phone number not associated with the account will make recovery extra hard. To their credit, Google does provide multiple ways to set up account recovery (e.g., recovery codes).
Unfortunately this is not accurate advice. As someone who has gone through the Kafkaesque recovery system under duress can attest, recovery codes, 2FA via authenticator, confirming via the recovery email address, "trying again after 48 hours - 2 weeks", logging in from the same IP as linked accounts, etc. all fail to work if you lose your phone number (as I did with a prepay number once).
You shouldn't have set up email recovery using a prepaid phone number ;-). Although, to be fair, Google should have only used your backup recovery email (or whatever else you have set up and prefer to use).
This is to prevent fraud and who knows how many other problems. Changing email ids is the best way forward. I've never seen anyone post about how they got a Google account back.

Note: I don't work at Google, but this is my logic. If there were cases of people getting hacked by social engineering of the account provider, can you imagine the backlash?

This would itself be an ingenious phishing attempt, trying to hook a Google employee
You could ask a lawyer about filing for an injunction to unlock the account
>Is there anything else I need to do?

Buy a custom domain and use that for your important email; this way you can never be locked out of your email....

Try tweeting at Google with your issue; they listen better through Twitter.

Please remember not to use Google Mail in the future; anything important should not be offloaded to Yahoo, Google or Microsoft.

>> "I had to replace my fried router twice within the span of 2 days"

That should not cause your IP address to change. Either you have a static IP and always get that static IP assigned to your account (which you'd know as you'd likely pay for that). Or 'replacing the router' is just seen as 'connecting to the internet' from your ISP's point of view. So from Google's POV you're connecting from the regular region that your home connection always is from. I know it doesn't help, but I'm pretty sure whatever you're facing isn't because of your home router issues.

ISP sees a new MAC address; it's perhaps quite likely that if you don't have a static IP it'd change on router replacement.
Could also just be plain bad luck. Dynamic IPs are given out based on availability. So you could stick with one for months if you keep your connection active and then just happen to lose it during one of the moments you unplugged the router. To google this would seem like a static IP that suddenly changed.
Nope, this is a tried and true method I use to change my IP on non-static service. I change the router MAC address, flip the modem, and voila, new IP.
Not necessarily. The fewer IPs in your ISP's dynamic pool, the bigger the chance that you will get the same one. In the extreme case when there's just one free address (I have seen this happen with some really shitty ISP) you'll 100% get the same one back.
It absolutely could. I usually get a new IP when I reboot my router.
But that new IP is from the same pool of IP addresses your ISP owns, which are all geolocated to the same region. So for Google's fraud detection there'd be no difference.
If the main concern was not identity theft, I would just say consider it as a blessing and forget about google.

What I would concentrate on right now is: buy a new computer and phone, swap the SIM card to it, shut down all other connected devices, change my main password manager password, then, for each service / account I have in my password manager, log in and change the password, email address and credit card number (get a new one from your bank ASAP). The point is that anyone who owns my email account now cannot log in to them or do some social engineering using receipts found in old emails. More often than not, account recovery support asks you to verify your identity by asking you for the last 2 to 4 digits of your credit card number... very often the very same digits that are left in clear text in receipts; you may still have some in your email history.

Once done, do offline backups of your other computers and wipe them all as well, and factory reset your original smartphone.

Start now, and call your boss to take a day off if needed; it will probably take you more than a day if you have hundreds of accounts.

A best practice should be to unsubscribe from any automatic newsletter and delete all mail that relates to an account, so that someone who compromises our accounts cannot figure out which services we consume based on our email history. This is better kept locally without staying on the email servers. Most people don't do that because they want their email archive accessible from any device, out of convenience.
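The advice above, that old receipts and newsletters tell whoever holds the mailbox which accounts exist and which card digits a recovery desk might ask for, is easy to check against your own archive. The block below is an added example, not part of the original comment: it runs over a handful of constructed RFC 822 messages (the domains and contents are made up) and produces the inventory an attacker would build, which is also the list of accounts to rotate and the messages worth purging. The card-fragment patterns it looks for are an assumption about how receipts phrase them.

```python
# Added example: inventory a local mail archive the way a thief with your inbox
# would, to know which accounts to rotate and which receipts to purge.
# Not from the original post; the messages below are constructed samples.
import re
from collections import Counter
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

SAMPLE_MESSAGES = [
    "From: receipts@shop.example\nTo: me@mail.example\nSubject: Your order #1001\n\n"
    "Thanks for your order. Charged to the Visa ending in 4242.\n",
    "From: no-reply@bank.example\nTo: me@mail.example\nSubject: Statement ready\n\n"
    "Your monthly statement is now available online.\n",
    "From: news@shop.example\nTo: me@mail.example\nSubject: Weekly deals\n"
    "List-Unsubscribe: <mailto:unsub@shop.example>\n\n"
    "This week's offers inside.\n",
    "From: support@airline.example\nTo: me@mail.example\nSubject: Booking confirmed\n\n"
    "Paid with card **** **** **** 1337. Have a nice flight.\n",
]

# "ending in 4242", "xxxx1234", "**** 1337": the fragments a recovery desk asks for.
CARD_FRAGMENT = re.compile(r"(?:ending (?:in|with)|x{4}|\*{4})\s*(\d{4})\b", re.IGNORECASE)


def sender_domain(msg) -> str:
    """Domain part of the From address, lower-cased; one entry per service."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def plain_body(msg) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def inventory(raw_messages: List[str]) -> Dict[str, object]:
    """Which services mail you, which are newsletters, and where card digits leak."""
    services: Counter = Counter()
    newsletters: Set[str] = set()
    fragments: List[Tuple[str, str, str]] = []   # (domain, subject, last four digits)
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        domain = sender_domain(msg)
        services[domain] += 1
        if msg.get("List-Unsubscribe"):
            newsletters.add(domain)              # candidates to unsubscribe and delete
        for m in CARD_FRAGMENT.finditer(plain_body(msg)):
            fragments.append((domain, str(msg.get("Subject", "")), m.group(1)))
    return {"services": services, "newsletters": newsletters, "card_fragments": fragments}


if __name__ == "__main__":
    report = inventory(SAMPLE_MESSAGES)
    print("accounts to rotate:", sorted(report["services"]))
    print("newsletters to drop:", sorted(report["newsletters"]))
    for domain, subject, last4 in report["card_fragments"]:
        print(f"card fragment {last4} in '{subject}' from {domain}: delete or move offline")
```

To run it over a real archive, replace `SAMPLE_MESSAGES` with the messages from an mbox file (Python's `mailbox.mbox` yields them); the same `inventory` function applies unchanged.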

I reached out to financial institutions where I have an account. In addition to changing the email id, I am exploring all possible means to ensure that the id of the person requesting an outbound transaction for the account is doubly verified. Unfortunately, risk management office is closed over the weekend.

Other tips on backups and phone/pc resets noted.

dude what the fuck, literally lmao
Buying new hardware might be slightly over the top but it's essentially my experience with losing a Gmail account. The hijacker was extremely fast trying to get into my Amazon, PayPal, bank, credit card accounts and trying to steal my identity. The whole situation was awful.

I was stupid and used poor security which made it easier for this person (who was also probably using data from the Equifax leak for social engineering). But I wouldn't fault someone for erring on the side of paranoia.

Credential recovery and account takeover is trivial; most people have automated that process. Once the lock is popped, all value can be extracted, verified, and pivoted in moments.
How do you pivot value xd fr nu-hn is too hilarious for my health