by andreasvc 5185 days ago
I imagine it goes like this:

1) attacker guesses your password or obtains it via phishing.

2) attacker changes password, starts sending spam

3) google locks account

When you have arrived at 2), you have already lost the account for good, and 3) is only for damage control.

You should know that Google has no way to verify whether your account has been hacked, or whether you yourself are a spammer; therefore the best thing for them to do is just to lock the account.


That's not the best thing to do, that's the most unimaginative thing to do.

I would do it this way:

1) Make sure that only the legitimate owner has access to the account by using previously entered contact data to ask him/her to change the password.

2) Check if the suspicious behavior stops, which it will in most cases.

3) If it doesn't stop, put the account in read-only mode. If the kind of behavior may be an honest mistake, explain to the user what happened. Just take that risk, it's going to be worth it.

4) If it's a statistically active user with lots of regular looking data, let a human sort things out.

5) If the issue remains unclear, tell the user to download any data he wants to keep and notify him/her that the account will be closed.
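The five-step escalation proposed in the comment above, written out as a small state machine driven by a constructed event stream. This is an added example, not code from the thread or from any Google system; the spam heuristic (distinct recipients per hour), the thresholds, the "established account" test, the event shapes and the held-mail behaviour while a reset is pending are all assumptions made here to make the policy concrete.

```python
# Added example: escalation policy for a suspected-compromise account as a state machine.
# Not Google's code; every threshold and event shape below is an assumption for illustration.
from collections import deque
from dataclasses import dataclass, field
from enum import Enum

SPAM_WINDOW_MIN = 60      # assumption: judge outbound mail over the last hour
SPAM_RECIPIENTS = 200     # assumption: >200 distinct recipients per hour looks like spam
QUIET_MIN = 24 * 60       # assumption: a clean day after the reset returns the account to normal
ESTABLISHED_DAYS = 90     # assumption: what "statistically active user" means here
ESTABLISHED_SENT = 500


class State(Enum):
    NORMAL = "normal"
    RESET_REQUIRED = "reset_required"    # step 1: owner must prove control and change password
    MONITORING = "monitoring"            # step 2: watch whether the behaviour stops
    READ_ONLY = "read_only"              # step 3: abuse continued, freeze outbound mail
    HUMAN_REVIEW = "human_review"        # step 4: established account, a person decides
    CLOSURE_PENDING = "closure_pending"  # step 5: still unclear, user told to export data


@dataclass
class Account:
    age_days: int
    lifetime_sent: int
    contacts: set[str]                   # recovery channels entered BEFORE the incident
    state: State = State.NORMAL
    window: deque = field(default_factory=deque)  # (minute, recipient) pairs in the window
    held: int = 0                        # messages held while the reset is pending
    monitor_since: int = 0
    log: list[str] = field(default_factory=list)

    def established(self) -> bool:
        return self.age_days >= ESTABLISHED_DAYS and self.lifetime_sent >= ESTABLISHED_SENT

    def _distinct_recipients(self, now: int, rcpts: list[str]) -> int:
        for r in rcpts:
            self.window.append((now, r))
        while self.window and self.window[0][0] < now - SPAM_WINDOW_MIN:
            self.window.popleft()
        return len({r for _, r in self.window})

    def handle(self, event: dict) -> State:
        now, kind = event["t"], event["type"]
        if kind == "send":
            if self.state in (State.READ_ONLY, State.HUMAN_REVIEW, State.CLOSURE_PENDING):
                self.log.append(f"{now}: send refused in {self.state.value}")
                return self.state
            if self.state is State.RESET_REQUIRED:
                self.held += 1               # hold outbound mail until the owner proves control
                return self.state
            spammy = self._distinct_recipients(now, event["rcpts"]) > SPAM_RECIPIENTS
            if self.state is State.NORMAL and spammy:
                self.state = State.RESET_REQUIRED
                self.window.clear()          # judge post-reset behaviour on its own
                self.log.append(f"{now}: reset requested via {sorted(self.contacts)}")
            elif self.state is State.MONITORING:
                if spammy:
                    self.state = State.READ_ONLY
                    self.log.append(f"{now}: abuse continued after reset, read-only")
                elif now - self.monitor_since >= QUIET_MIN:
                    self.state = State.NORMAL
        elif kind == "reset_confirmed":
            # Only a channel the owner entered earlier counts; one the attacker just added does not.
            if self.state is State.RESET_REQUIRED and event["via"] in self.contacts:
                self.state, self.monitor_since, self.held = State.MONITORING, now, 0
            else:
                self.log.append(f"{now}: reset via unknown channel {event['via']} ignored")
        elif kind == "triage" and self.state is State.READ_ONLY:
            self.state = State.HUMAN_REVIEW if self.established() else State.CLOSURE_PENDING
        elif kind == "reviewer" and self.state is State.HUMAN_REVIEW:
            self.state = State.NORMAL if event["verdict"] == "legitimate" else State.CLOSURE_PENDING
        return self.state


def burst(t: int, n: int, tag: str) -> dict:
    """Constructed outbound-mail event: n distinct recipients at minute t."""
    return {"t": t, "type": "send", "rcpts": [f"{tag}{i}@example.net" for i in range(n)]}


def hijack_then_stopped() -> Account:
    """Constructed scenario: phished long-lived account, owner resets, abuse stops."""
    acct = Account(age_days=400, lifetime_sent=3000, contacts={"sms:+15550100"})
    for ev in [burst(0, 150, "a"), burst(10, 150, "b"),   # 300 distinct in 10 min -> reset
               burst(20, 50, "c"),                          # held, not delivered
               {"t": 30, "type": "reset_confirmed", "via": "email:attacker@example.org"},
               {"t": 40, "type": "reset_confirmed", "via": "sms:+15550100"},
               burst(100, 5, "d"), burst(40 + QUIET_MIN, 5, "e")]:
        acct.handle(ev)
    return acct


def spammer_keeps_going() -> Account:
    """Constructed scenario: new throwaway account that spams again right after the reset."""
    acct = Account(age_days=3, lifetime_sent=10, contacts={"sms:+15550199"})
    for ev in [burst(0, 300, "a"),
               {"t": 5, "type": "reset_confirmed", "via": "sms:+15550199"},
               burst(15, 300, "b"), {"t": 60, "type": "triage"}]:
        acct.handle(ev)
    return acct
```

The point the state machine makes explicit is that the reset in step 1 is only as good as the contact channel it goes through: a confirmation arriving via a channel the attacker added after taking over is ignored, and a quiet day after a confirmed reset returns a genuinely hijacked account to normal without a human ever being involved, while the throwaway that keeps spamming ends up in closure with no manual work either.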

Yes, that would be better for the user, but this is a free service, and Google has not much to gain from making the process more complicated (imaginative) and thus more error-prone. As a user you have the responsibility of keeping your password absolutely safe; if you do that (and better yet use 2-factor auth), nothing should go wrong.

Your option 1) boils down to adding more "passwords" by which the user can authenticate itself, so it's not a fundamentally better protection as they can be guessed by an attacker as well. Requiring a text message confirmation for password changes might be a better idea.

All steps on my list are either fully automated or optional, so it doesn't cost them more.

Google has a lot to gain from people entrusting them with their data, that's why they provide a free email service in the first place.

It would be a mistake to think that trust is linear. You can't just treat a few people very badly without risking a major backlash against your business model.