from Hacker News

Ask HN: Gmail account security

by caseyf7 on 1/23/22, 10:15 PM with 774 comments

I have a gmail account that I rarely use, but I know the password. I enter it correctly and get the following message:

You’re trying to sign in on a device Google doesn’t recognize, and we don’t have enough information to verify that it’s you. For your protection, you can’t sign in here right now. Try again from a device or location where you’ve signed in before.

Even if I get the code from the recovery email account, it won't work. Is this the AI hell Google throws you into if you get a new phone and computer in the same year? Has anyone else on HN run into this and found a solution?

by steelframe on 1/24/22, 3:53 AM
Once upon a time I worked at Google.
I returned to Austin to visit old friends and took the opportunity to visit the Google office there. The Googlers sitting around me were primarily corporate sales.
They weren't getting any corporate sales calls at all as far as I could tell, but there was one extremely irate user who was locked out of their GMail account and was repeatedly calling them because they were the only human beings at Google the user was able to get in touch with, via something like "Press 3 for Corporate Sales." Of course these poor Google corporate sales people had absolutely no way to help this user even if they wanted to. Google literally did not have any GMail account phone support (at least at the time).
I could hear the poor guy screaming through their headsets about how he paid Google something for some service and was entitled to phone support and he demanded someone help him, but they just kept saying, "This is corporate sales. We do not offer consumer account support. If you want support, please visit the Google Support Forums at www dot..."
After they hung up on him 3 or 4 times, eventually a manager got on the phone and told him (between his screams), "Look, you're not getting any phone support because it doesn't exist. There's nowhere for us to transfer you. There's nobody who can call you back about this. Your only option is to search the forums for an answer to your problem. I am going to terminate this call now. Sir, I'm going to terminate this call. No, we can't help you. Nobody at Google can help you. I am terminating this call now. We asked you to stop calling this number. Do not call us again. <click>"
I'd frequently tell my co-workers, "If you're not paying for it, you're the product." That experience underscored that notion for me.
by parhamn on 1/23/22, 11:02 PM
They also do this thing now where they block [1] smaller browsers (even ones using the latest version of chromium) under the guise of security. According to their docs they're fighting MITMs by generally disallowing any browser they can't identify (so the big few).
If you're not on a whitelisted browser by Google, you can't log in (effectively, use) any of their properties.
This feels very anti-competitive to me. Notably all the whitelisted browsers are either theirs (Chrome) or sell them their search traffic. I'm building a browser for research [2] and have to frequently find workarounds. I'm not quite sure who I'd contact to get on said whitelist either...
[1] https://imgur.com/a/DASVkhl (here is the issue in the Vim browser and Min browser)
[2] https://synth.app
by Andrew_nenakhov on 1/23/22, 10:44 PM
Had this. It was telling me to try again 'later'. Ok, i did 'try later' every day for three weeks, and they didn't let me in. Using the very same IP address as I used to always access it, no less.
Then, I gave up, moved all my services to another email account, and after 2 or 3 months tried logging in, and it suddenly allowed me to log in.
Needless to say, I will never again use gmail for critically important things.
by anter on 1/23/22, 10:51 PM
Yep, have had that issue for over a year now, I am completely unable to access my old gmail account despite having the password, recovery email and everything else.
Just says "you can’t sign in" and that's it: https://i.imgur.com/4YrElkJ.png
by jscheel on 1/24/22, 3:07 AM
Not, Google, but I'm having sort of the same problem with Facebook. My church has a Facebook account that we used to set up our public page years ago. We assigned editors to the page, then promptly never used that account again. Fast forward to this year, and I need to add a new editor, which only the page admin can do. I reset the password on the church's facebook account (it was lost years ago), but when I log in, it says it doesn't recognize my location and it needs me to get codes from a list of trusted contacts (a list that I'm fairly certain we never set up). When any of those trusted contacts go to the page it lists, Facebook tells them they aren't trusted contacts. I have tried to get Facebook to respond to me in every single possible way. I have gone through all of their help pages, talked to their bot until it said it would forward my message to a human that could help, sent emails to every address I could find, reported the page and account on every form I could, hit up Meta on other social media, and even reached out to Oculus support and offered to buy a headset if I needed one for them to be able to help me get access back to the account. The only response I've gotten is from Oculus telling me they can't do anything. That's it. No other responses at all. I swear it would be easier to answer one of the 37 recruiters that have reached out to me, interviewed for a position, gotten hired, and then fixed it myself.
by supermatou on 1/23/22, 11:09 PM
Yep, and it was even more aggravating.
> have three gmail accounts
> primary, name.surname@gmail.com
> secondary, name.surname.purchases@gmail.com
> tertiary, name.surname.work@gmail.com
> secondary and tertiary have primary as a recovery address
> log in/out once a week in 2nd and 3rd
> last August, try to log into name.surname.work
> "Password is incorrect"
> WTH?! of course it's correct.
> try several times, Google blocks me ("temporarily")
> next day, try again, no dice.
> OK, the hell with this: let's reset the password
> "what's the last password you remember?" duh, the last and only password is the one I already gave you, you stupid machine.
> "we need additional verification; input the recovery address" Finally! type my main address
> mail from Google arrives pronto, code in it
> type code in verification field
> new mail from Google: "Thank you for verifying your mail address" [my primary one?!] Based on the information provided, we cannot ascertain that [tertiary account] belongs to you"
This has been happening since. A few weeks ago, secondary account went down too, yielding the same error OP got.
Note: a) I have been using the same IP and the same machine to log into those accounts for many years; there is no other device or location where I've signed in before! b) primary account has multiple (4) Yubikeys associated with it, so it should be clear I'm a real person and not a bot.
I'm currently in panic mode: if my main account goes down, it will take a huge part of my life with it, from banks to government stuff.
by armchairhacker on 1/23/22, 11:05 PM
This is because most people use Gmail for basically all their online accounts: if you don't directly login to the site via Gmail, you can use your account to change your password. Imagine the damage which can be done if a malicious user breaks into someone's Gmail, if not your own, then the average person who uses the same password everywhere and trusts Gmail with everything.
Not defending the practice at all. It shows we as a society and Google in particular need better security if they are flat-out locking people out of their Gmail accounts and others are still being compromised (I know they are). I honestly support Google forcing people to use recovery addresses and 2-factor authentication but I don't support them making the recovery authentication not work and providing literally no options for a legitimate user.
I think the best you can do right now is complain on HN and Twitter and you'll probably get your account back. In the future, maybe if you have a YubiKey or stronger form of 2FA Google won't lock you out, because obviously if someone can authenticate with a YubiKey they are practically guaranteed to be the real person.
by jacekm on 1/23/22, 11:14 PM
Things I can recommend in your situation, which helped me in the past, in no particular order:
* log into other gmail account (with a long history) using Chrome without any addons, log out and then immediately try logging into the primary account (ideally google should ask you if you want to add another account)
* log in from the same location. I once spent two years abroad, and could not log in to one of my accounts. I regained access only after returning to my home country
* if you are working in an organization that owns an IP range, try logging in from work, i.e. do not use publicly available ISP.
You'll get best results if you can combine two or more of these points. Unfortunately even following this advice you are not guaranteed to be successful...
For the future reference, the only prevention that I know which works 100% times is using YubiKey for 2FA. 2FA with TOTP codes often helps unlocking the account, but I had cases where even the codes did not help.
by AshamedCaptain on 1/23/22, 11:07 PM
One day I logged in to my Amazon account from a different country. Mind you, I have 2FA/OTP enabled in my account, and I entered it correctly. They also made me click on a link they sent via email to "verify my login".
A couple hours later my account was blocked due to "suspicious login(s)" (i.e. mine), and the order I placed cancelled. They had me wait 24h until I could contact someone at support that could unblock it. He told he was going to disable 2FA (?) and send me a code that I could use to change my password.
The code was sent via SMS.
They think that someone who has just my SIM card (or a clone, FFS) is more trustworthy than someone who has my password, 2FA token, and email address.
These companies take user security as a joke, or as pure theater.
by moralestapia on 1/24/22, 1:35 AM
Google is absolute trash now compared to what it was.
Most accurate search engine is now almost useless even for VERBATIM queries; queries that took milliseconds earlier (they even built a product around that, Google Instant), now take 2-3 seconds on average.
Best email service, now feels clunky and slow plus the spam algorithm not only stopped working, but is now working backwards.
Everything just worked and it was simple to grasp and to work with, now we have issues everywhere with their draconian 2FA among other "wise" decisions in the name of "security".
All this while on Android, basic stuff like calling 911 so you don't die is not possible because of all the other "features" they keep adding to the platform, see: https://news.ycombinator.com/item?id=29492884
by exolymph on 1/23/22, 10:41 PM
Wasn't aware of this, but can't say I'm surprised.
Personally, I'm still happy with Fastmail, which uses customer subscriptions fees to fund a professional support department, as well as contributing to email-related FOSS. (Among other things, obviously.)
by alanh on 1/24/22, 12:57 AM
Reminder: Google paid for an ad campaign with this gist: A father creates a Gmail account for his daughter when she is born, and sends her important photos and mementos as she grows up. Sweet. Reality: At least one person tried this in real life, and the child's account was automatically deleted without recourse.
https://tech.slashdot.org/story/11/12/18/2046221/why-google-...
by js2 on 1/23/22, 11:30 PM
Edit: I just got back in! I had to give a real phone # for the SMS step. It pretended to accept a Google Voice # but would never send a code and I just got stuck in the loop I describe below. I've now closed the account. Oh, the irony...
Yup, I've got an old gmail account that Google won't let me into. First I get:
"This device isn’t recognized. For your security, Google wants to make sure it’s really you."
With options for "Confirm your recovery email" and "Get a verification code at <elided recovery email>."
Regardless of which I choose, it then asks me for a phone # for an SMS code. So I give it one, just to get:
"Unavailable because of too many failed attempts. Try again in a few hours."
Except, "a few hours" is a lie. I last tried this weeks ago. I get a "Try another way" option which prompts me "Enter the last password you remember using with this Google Account." at which point I'm at a dead end because this account only ever had one password.
The best part is that shortly after going through this exercise I get an email to the recovery address:
"Sign-in attempt was blocked. Someone just used your password to try to sign in to your account. Google blocked them, but you should check what happened."
With a "Check Activity" button that takes me right back to the Google sign page...
Buttle? Tuttle?
The irony in all of this is that I'd forgotten about the account until Google sent an "new terms of service" email to the recovery email address and decided I wanted to close the account. But I can't login to do so.
Anyway, I switched my primary email away to Fastmail years ago and I'm still happy with that decision.
by voisin on 1/23/22, 11:25 PM
Nearly every interaction I have had with Google in the last two years makes me think the company has devolved into warring factions that cannot communicate let alone coordinate for the betterment of their users. Do they not eat their own cooking, or how do they manage to make everything so dysfunctional?

by sercand on 1/24/22, 6:30 AM

Google added one of my employee's LinkedIn account address as our LinkedIn URL to our company Google business profile. We have contacted google support about this to change URL to our own but we got response like following:

    I understand that you are referring to an incorrect LinkedIn profile which is visible under your business profile in Google. Please be informed that information from social profiles are collected by automated algorithms.

    There's no way to manually remove these social profiles from our end. This is something which is driven by Google’s algorithm, based on the visibility, ranking, web presence, etc. of the particular business page. We at Google do not have any manual control over this.

Google and its algorithms are going bad and they have no control over it. It is getting ridiculous.

by dfdz on 1/23/22, 11:12 PM
Just FYI there is a solution to this: enroll your gmail account in the advanced protection program
https://landing.google.com/advancedprotection/
When you login you are required to use a security key (like Yubi key) but it removes all the annoying emails and texts with codes, IP filtering, login AI, etc
by dTal on 1/24/22, 1:22 AM
Hit this over XMas. Dad got a new fire stick. Wanted to use the YouTube app. Wanted to sign in to YouTube for channel subscriptions. Had a GMail account he'd not used in years. Tried to recover it with the whole send-a-code-to-secondary-email rigmarole. Google went to the trouble of sending a code, but upon successful entry decided that it just wasn't good enough. Maddening. Gmail account gone forever. Can't sign up for a new one because "phone number used too many times". Fuck me I guess, guess we'll have to use one of the unofficial YouTube apps that do client-side subscriptions and incidentally block ads.
by pkulak on 1/24/22, 12:41 AM
It’s this kind of thing that has had me moving most everything off Google over the last 6 months. It’s just not safe for me to have 20 years of photos, emails and documents in the hands of a company that may cut me loose at any moment. After decades of slowly moving my life to “the cloud”, I bought a Synology nas, and now all my stuff lives in my own house (though backed up externally, of course).
by ncann on 1/23/22, 10:38 PM
Same here, I got an email to my main mail account saying Google has blocked a login attempt to another old Gmail account of mine that I haven't used for a long time (the old account has the new account listed as the recovery email). So I tried to log in to that old account, and got the same message to "try again later". I tried a few more times over the next few weeks but always the same message. So even with the correct password and access to the recovery email I still can't log in to the old account, and there's no way to get around it. I just gave up.
by Frost1x on 1/24/22, 3:45 AM
From my experience, as a non-Apple user, they are the absolute worst. I bought a family member an iPad for Christmas. They had an Apple account associated with their iPhone. They forgot their password. No big deal, I'll just reset their password.
Ha! We have to wait 24 hours after wrestling through the page, I leave my holiday visit in 36 hours, that's fine we have time I say to myself. A little odd but whatever, the account itself has no payment or important data associated with it really. 24 hours pass and the recovery page then suggests 14 days for recovery. What?!?! Why!?! (I mean, I get why, sort of, but I've done highly secure work that has less/shorter security processes than a consumer phone account). Apple says there's nothing they can do.
That's fine, well just create a new email and account for them I say to myself for their iPad annoying and yet another account for them to remember, lose the password, and deal with but whatever. Ok new email, new Apple account, sign in and perfect. Now I just need to disassociate the phone with the account its locked out of and switch it to the new Apple account to make syncing things a bit easier between devices. Wait, I can't do this until I recover the account to sign in to then log out of in the device. Wow. Again, I understand the security model here, but wow, a consumer device? Insanity.
by NoPie on 1/23/22, 10:40 PM
I stopped using gmail. I pay for my own domain (approx $10 per year and subscribe a hosting service that costs about $4/month). The total cost is not much different from a paid google email which is about $50/year.
If I happened to forget/lose all passwords (lost laptop, burned house etc.), I would probably need to deal with the hosting company who would try to identify me with my credit card or some other way (phone number, mailing a letter to my physical address on file). Nothing is absolutely secure but I think it is secure enough for me while I also have fair good chances to recover my lost access. I am not a big target to scammers anyway.
by harshalizee on 1/23/22, 11:29 PM
Google/Gmail is a nightmare to use for me as someone who travels overseas to visit family. Logging into Gmail from a different device is a harrowing experience. SMS 2FA doesn't work with many providers even with international roaming turned on. So you're dead in the water and face a potential account ban that can never be recovered.
Years ago, I had my account suspended when I was implementing an Adsense integration into a site for no discernible reason. I have too many ancient financial institution's login tied up to my primary email. That was the last time I signed up for anything related to Google. At my workplace, I'm a strong advocate against the Google ecosystem. A few of us fought hard to keep our cloud systems away from Google and move to Azure. I've seen similar sentiments from quite a few devs in the last few years.
by mekoka on 1/24/22, 1:33 AM
Those of us who move around quite often can attest to how frustrating the security of online services has gotten.
It can get even worse if you provide a phone number for "added security" and find yourself in a different country with a different phone. I've witnessed a few fellow travelers getting locked out of accounts because they couldn't access the SMS sent to their home phone number and the app was ignoring the code sent via email. Yahoo, Amazon, Gmail. I've even seen someone unable to use their Airbnb account for this very reason, which is odd considering that the service caters to travelers (that was 6 years ago, so maybe things have changed).
If you travel and change phone numbers often, avoid giving it for security if you can.
by mrslave on 1/23/22, 11:06 PM
I stopped using it too. The email service isn't that great (minimizing email in general), Google can be a pain to use for reasons already mentioned, and at the time there was a small swing against surveillance capitalism.
Anti-patterns in registration are annoying too. A recent example from Twitter: "sign up with phone or email" (defaults to phone); click email (colleague insists on only using phone for work); register with email only. 2 minutes later: "give us your phone number to unlock your account." Crazy.
by enobrev on 1/24/22, 12:53 AM
This reminds me of a story from a couple years ago (pre-covid). I dropped my brand new phone before my case arrived in the mail and cracked the screen. We were on our way to the movie theater and so I decided to drop off my phone to get it fixed before the movie and then we would pick it up on the way home. Perfect plan!
Except I bought the tickets through an app and now I didn't have that app. Nor did I know the password, because I use a pw manager. The person at the booth said I could use the confirmation email, so I tried on my wife's phone. It wouldn't let me log in to gmail from her phone no matter what I tried.
Different browsers, desktop mode, etc. There was no getting in. We were about to miss the start of the movie so I just went ahead and bought two more tickets and got a refund later.
by golem14 on 1/23/22, 10:48 PM
That doesn't help OP now, but I found it helpful to enable 2FA with Google Authenticator, and keep emergency backup codes in a safe place. It's slightly more hassle, but there are less 'soft AI' barriers between you and your successful login.
I'd also suggest not to rely on a phone number as 2nd factor, it's not that super safe.
by greatgib on 1/24/22, 5:29 AM
What piss me off the most with Gmail and google things like meet, is that if you are on Android, there is no way to login in a single app: Gmail, meet or even a third party email app without associating your Google account to the whole phone.
This is really annoying. Sometimes I have to join corporate meeting from my personal email account on my personal phone, because if I would like to login with my pro one, all my personal phone will be associated and controllable by the company.
by _tom_ on 1/23/22, 11:18 PM
I lost a google account that I had a recovery number set on.
Google used it, verified it, then said it wasn't enough, and there went an email account I had used for years.
No way to recover.
by C4K3 on 1/23/22, 11:39 PM
One site I've found particularly annoying in this regard is ebay. I'll log in, enter a 2FA code (both SMS and email), do whatever I need to, and then 30 minutes later I'll get an email saying my password has been reset because of suspicious activity. ("your eBay account has been secured because your login information may have been used without your permission") This has happened several times now. At least they haven't canceled any of my orders or anything.
by IvanK_net on 1/24/22, 12:12 AM
I think we, "people", pushed companies to do this.
There are billions of people creating various accounts. Hundreds of thousands of them had a weak password, or told their password to someone, etc, and their data leaked. There were so many news about "data leaks" and "security issues" in the past 20 years, and each time, a company was blamed, never a user.
We even made laws, where letting people log in with only a password can be illegal.
by davemtl on 1/23/22, 10:52 PM
Once again this shows that we're at the mercy of the giant AI machine. For fear of having my data locked into Google, I migrated to my own domain and e-mail hosting elsewhere. I'm still at the mercy of the hosting and domain registrar at that point, but at least they have phone numbers I can call to get support and talk to a human.
Offline backups is a must at this point.
by aesyondu on 1/24/22, 6:46 AM
It would be interesting if this becomes a monthly hackernews post like the monthly hiring, where people with problems with their Google or Facebook or "insert Tech Giant here" account with intentionally no human customer support, would post their account problems and whatnot.
It would never happen of course, but it would be interesting.
by kmetan on 1/23/22, 11:00 PM
I have solved this couple of months ago:
1) dont try to login couple of weeks (this was recommended on multiple boards)
2) try again with the recovery email
My problem was a) I didn't log in during the previous 12 months b) I moved to another country.
Only when I connected via vpn to the country of my previous residence, I got in. Took me more then 4 months to figure this out...
by missingcolours on 1/24/22, 1:23 AM
Glad to see others are also frustrated with Google's extremely excessive "security" gimmicks.
The one that I run into sometimes: in order to do "Find My Phone" for my wife's phone, I try to sign in as her. In order to 2FA authenticate, I need to press yes on her (lost) phone, or answer a phone call or text on her (lost) phone. What exactly is the point of a find phone feature that requires you to have the phone?
Apple doesn't have this issue BTW; they have some 2FA stuff but Find My iPhone is excluded so you can use it if your phone is missing.
by 2bitencryption on 1/23/22, 10:49 PM
Oh god, have you had the M.C. Escher-esque experience of trying to sign in to an email account, and it hits you with a two-factor-auth prompt that sent the code to another email address?
Imagine the insanity if the email account that received the code in turn asks for a code sent a code to the first one.
by newsbinator on 1/23/22, 10:36 PM
This happened to me. It was impossible to access my gMail account, knowing my username/password/recovery email/all recovery codes... until I returned to my home country / home address. Then gMail let me in.
by blibble on 1/23/22, 10:50 PM
I had this exact same problem... I was logging in on the same IP address I've used for 10 years
I only managed to solve it by digging out an old phone that was still signed into the Google account... if I had factory reset that then I suspect I would have lost it forever
this experience is one of the many reasons I've dumped Google wherever possible
by foxfluff on 1/24/22, 9:51 AM
Anecdotally, getting arbitrarily blocked and locked out of your stuff is the single biggest practical security today problem today for me (maybe it isn't for non-technical users who reuse weak passwords, install catpicture.jpeg.exes and random software from the internet, log in using public computers or other people's PCs..).
I don't believe I've ever had passwords compromised. The only time I know I had malware was when I was a kid and installed a runescape autominer.. I've had some close calls with software vulnerabilities (I patched opensmtpd mere hours before bots started attacking it), but that's rare. haveibeenpwned only shows involvement in the last.fm compromise, which is a no biggie since I wasn't 1) using the service any more 2) using the same password with other services 3) using that email address with anything worth caring about.
By contrast, I've been burned by service providers blocking me many many times. They call this security but how is the equivalent of "we decided to take all your mail and not deliver it to you, and changed the locks to your apartment so nobody can get in" security? It's security in the same sense as "we decided to burn all your money so nobody can steal it, hope you're happy."
As a consequence, I've tried to cut out as many services and third parties out of my life as I can. It's an uphill fight though, and most services are hell bent on adding points of failure. E.g. where my bank before supported OTPs (in addition to login & password), now they require a phone too. It's probably not a matter of if but when I get bitten by this; I've had a Samsung Xcover physically break.
I think any notion of security should include secure access for the relevant party. If you can't access your stuff, security has failed (unless it can be demonstrated that there was an active attack going on and the only way to prevent it was to block everyone.. which these overzealous blocking systems in place can't demonstrate).
by dynamohk on 1/23/22, 11:25 PM
Password reset functions for most providers often make 2FA hardware/software tokens useless. They fall back to email/sms to reset forgotten password/tokens. I guess it’s usability for majority over security that would lock out users.
by gitowiec on 1/23/22, 10:53 PM
Some similar thing happen to me. Gmail login page says that I need to acknowledge that me is me and it forces me to change password... I occasionally get this message on screen when I change countries with VPN. I need to use VPN different countries because this is required by my work (development of streaming services). I get so much annoyed. Recently I spent Christmas in Norway (not the country of my origin) and that happened again. I had to access Gmail to check in the flight so I was forced to change the password. This is ridiculous!
by throwaway55852 on 1/24/22, 10:18 AM
This is a long shot, but if you have a spare Android phone lying around consider doing a factory reset on it and signing in with that account during the initial setup.
My situation was somewhat different. I had a rarely-used account with no recovery email/phone. When I entered the password correctly using a web browser, I was asked to provide a (new) phone number so I could be sent a verification code before continuing. I didn't want to provide a phone number, so I tried to log in with that account during the initial setup of a freshly-reset Android phone and it worked (allowing me to add a recovery email).
I'm curious if this strategy helps in your case. (You mentioned getting a new phone, but I assume you are signing in on that phone after it has been set up, which may be different to signing in during the initial setup.)
By the way, in your reply to a comment on 2-factor authentication (https://news.ycombinator.com/item?id=30051366) you said you had a recovery account. There is a difference between enabling Google's "2-Step Verification" and having a plain recovery email/phone (though from other comments it sounds like you can get locked out even with 2FA, and not all 2FA methods are equal).
P.S. If you want to allow people to contact you privately, consider adding some contact details to your HN profile.
by kvhdude on 1/24/22, 1:05 AM
I had a different problem. On my wife's account she started receiving someone else's emails. Initially we suspected that her email was wrongly(typo) used in registration at various sites. But increasingly we noticed that the conversations in the mails were ongoing, implying continued usage of her address. We suspected her email was hacked and changed password, that didnt help. Eventually she had to abandon that email. The problem with free mail service is that the support you get is what you pay for.
by WithinReason on 1/23/22, 11:24 PM
This is your daily reminder to Gmail users to set up automatic email forwarding to a secondary (free) address.
I recommend ProtonMail, you can set emails to autodelete after X time so you never fill your quota.
by CRConrad on 1/24/22, 6:55 PM
The only rules of thumb I can come up with are these:
1) Log in on everything now and then (hm, maybe gotta so that myself soon); and perhaps even more important,
2) When getting a new device / phone number / email address, log in to everything from the new one before getting rid of the old one. That way, you can jump back to the old and confirm the validity of the new. Then set up the new phone number for 2FA / email as your backup address / recognised login device... Only then can you dispose of the old.
by einpoklum on 1/23/22, 11:04 PM
Immediate solution to try: Use a mail client to access your mailbox with IMAP or POP3; GMail may be more tolerant that way.
Long-term solution: Stop using Google. Why? Not just because of this type of shenanigans, but because Google spies on you:
* It keeps a copy of all of your correspondence, even if you delete it.
* (Rephrased) The US National Security Agency (NSA) has gotten access to much of your correspondence, by tapping links between Google's data center; it may still have such access today and Google's extent of collaboration with this is not known for certain (to me anyway).
* It uses your correspondence and other information about you allow commercial companies to manipulate you with advertisement.
(The NSA part was verified by Edward Snowden's revelations, several years back; see: https://www.washingtonpost.com/world/national-security/nsa-i... for example)
Now, no third-party mail service is perfectly safe; but you should want one which is at least somewhat-safe, and that doesn't treat you unfairly.
I won't make specific recommendations, but I've personally had decent experience with ProtonMail (Switzerland) and gmx.com (Germany).
by exodust on 1/24/22, 6:08 AM
Recently signed up to mailbox.org after losing one of my longtime Gmail accounts due to this Google nonsense.
I had correct password AND correct secret answer to my own secret question I set years ago, but was denied entry because of new device, or time sine last login or whatever.
The explanation it gave made no sense, sending me in circles with no recourse. So I decided enough is enough. Their system is broken. When a user has both password and secret answer, there is no reason to deny them at that point. Good riddance Gmail.
by gue7890dfg on 1/24/22, 6:57 AM
I have a theory:
It is impossible to have anonymous reliable email accounts nowadays.
Today a lot of data are collected. For those data to have any value they need to be quality data, so that they can be used. Many would think for AI, but what is more lucrative maybe is to sell them or services based on them to government intelligence in USA. Similarly, maybe government is also putting pressure that accounts of big providers are not mass used or hacked by adversaries. Google may have some hidden deals.
Starting with Facebook, Google, Microsoft as the biggest ones, you are forced by all means to have non-anonymous accounts. Google accounts measures point to one direction: tell them your identity. Make sure you are in that location, no VPN, tell them you phone number when you register an account, etc, so they know it is you for sure.
This makes it impossible to use Google, etc, anonymously. It is impossible to open any Google account, as I do not want to drop my VPN, or give them a phone number. I also have 2-3 accounts of Google open many years before, when these restriction were not so bad in place. I was relying on them for various things. I assume since a while, that I will loose access to those any moment and I am not using those much anymore.
by hsbauauvhabzb on 1/24/22, 2:25 AM
I regularly get security notifications for an account I’ve since lost the password to, the notifications go to my primary email, and this means a malicious actor has my password. I can’t login via account recovery, using my backup email, for the same reasons as described so I’m at a stalemate with some random malicious hacker and have no way of solving the issue, and no idea what’s actually in the account. Fuck you google.
by throwhauser on 1/23/22, 10:59 PM
I guess the takeaway here is that it might be better to de-google-ize yourself on your own initiative than to deal with having it done to you unexpectedly.
by pettycashstash2 on 1/23/22, 10:23 PM
I once forgot my gmail password. There was no way for me to recover it. Eventually I found it after 6 months, but it was a very difficult 6 months. bank emails, work emails, etc were in the google 7th circle of hell, and there was nothing I could do. I don't have any good advice for you really except is there a way you could vpn to a location closer to where you typically access gmail?
by osrec on 1/24/22, 4:36 AM
Why the heck is running a your own email server so complex?! I run my own email servers, as does my company, and they can be an absolute pain at times. Once you've got everything settled, they're okay, but still, they're unnecessarily fiddly things to get working.
It should be easier, much much easier. Then we can all stop relying on external providers for substandard email services.
by iszomer on 1/24/22, 5:49 AM
I've had this happen before with my OG GMail account -- the one when we needed an invite to sign up. Back in the day there were no "account security" beyond the username and password, not even 2FA, backup codes, security questions, etc.
At least Google doesn't recycle usernames unlike other services and account retention is trivially automatic if you use an Android phone.
by anshumankmr on 1/24/22, 7:48 AM
I was setting up my blog and using AppScript to automatically write add my new posts to Firebase. It is still a WIP, I granted the script the permissions I needed and somehow after that Google labelled my account on my main computer as suspicious (which I have been using for years). So whenever I switched from my personal computer to my office one, it used inform me someone suspicious tried to use my account and asked me to reset my password. This happened multiple times (and it isn't possible since I have set up 2FA and have a very complicated password). When I switched back to my personal computer, it once again used to ask me to reset my password. This became infuriating and after a while I just gave up and switched to Firefox completely (where I have not had the issue again).
*The script I wrote is a variation on the one I wrote while working at my company (where we use AppScript to sync some sync data to Firebase... the same issue never occurred for me while using my company's account)
by wruza on 1/24/22, 12:27 PM
Protip: log in to youtube with this account. (Or is it “log into”, “login to”, not sure)
Less reliable way: log out of all google, login to all of your “best” accounts, then login to this one. When you are logged in and google knows they were logged in at the same time before, restrictions get relaxed (there is sort of a “skip security” button, or a similar setup).
by grammarnazzzi on 1/23/22, 11:09 PM
You get what you pay for. Microsoft hotmail is pretty much the same.
Reailize that what you call "security" isn't there to protect you. It protects Google's interests. Google wants to minimize the risk of hackers compromising any google service; and if doing so might destroy your livelihood, well, that's a risk Google is willing to take.
by windex on 1/24/22, 2:55 AM
I am going to try and avoid google from here on out. Far too much instability around the google services I use the most. It's unfortunate that I've used the gmail id for just about everything including taxes. I feel google is entering a phase where it will look at all of its services for cutting down on "freebies."
by Minor49er on 1/23/22, 11:34 PM
I have an account that I frequently sign into in an incognito session. Every time I do, Google emails the same account saying that it doesn't recognize the device. I've tried requesting that it remembers the device, but despite the browser and IP address staying the same, it doesn't seem to matter. Though it also appears that I can ignore these warnings entirely.
The biggest issue that I have is that I have an email account through my web hosting provider that isn't connected to Google. If I email anyone with a Gmail address, it gets rejected for being potential spam, despite not having any links or anything. Even if I respond to someone writing from a Gmail address, Google will reject it, saying that it was unsolicited since I was the one initiating the conversation, which is simply ridiculous. I usually end up logging into a separate Gmail account just to communicate with those users.
by SMVS on 1/24/22, 7:50 AM
I lost access to my primary Google account in this way, 10 years of mail and drive inaccessible, all sign Ins void, and I find Google hasn't supported account recovery for almost five years.
I'd set inactive account recovery, so if I died my brother would get access six months later. That didn't happen either. Google is a joke.
by alyandon on 1/24/22, 12:43 AM
I had an ancient Google account that I hadn't logged into in forever that put me into a similar recovery loop. I had the correct password for the account and it said I was logging in from a new device and asked for my recovery email. It sent a code to my recovery email account and I entered the code into the page.
So Google knew the following:
```
  1) I have the correct password to the Google account
  2) The recovery email address is valid and the code I entered matched
```
Despite that, after entering the code I received an error message stating essentially "Thank you for providing the correct code however we are still unable to verify your account". I then reached out to a contact within Google and they escalated the issue and the account access was restored for about a week or so before it went back into the same recovery loop. I gave up after that.
by tptacek on 1/23/22, 10:48 PM
I'm having a hard time getting my head wrapped around the idea of relying on Gmail (or any other online identity provider) without enabling 2-factor authentication. The best way to avoid this kind of "AI hell" is just to take control of your own account security and set up some additional factors.
by ajdoingnothing on 1/23/22, 10:54 PM
If there is one Google service I'd happily pay 10 bucks a month for (given that they would then provide proper support), it'd be gmail.... It'd be a nightmare for any gmail user when suddenly their account is blocked for no particular reason. This post is reminding me to look for alternatives.
by tpoacher on 1/23/22, 11:07 PM
I had a similar issue with outlook when I went to visit my parents in Cyprus (normally I live in the UK)
My main account gave me a similar message to yours; the only option was to approve this location via a link sent to my "nominated backup email".
Which, also refused to let me in for exactly the same reason. *facepalm*
by pllbnk on 1/24/22, 8:46 AM
I have a very similar issue where I enter my (correct) password, Google recognizes it but says they need some additional verification where they require one of my previous passwords to be entered. I don't know my previous password, so I am locked out of my account.
What's funny is I have another account to which the Gmail of the said locked account is connected, so I can send and receive emails by the locked account, but I cannot use it for any other purpose. It has been the trigger due to which I had switched my primary email to my own personal domain and a better service provider for a few bucks a month. It's painful and I'm still in progress of transferring all communications to the new domain, however it's totally worth it because I have a sense of actual control.
by 4cao on 1/24/22, 12:45 PM
Mirrors my experience.
I moved away from Gmail for most of my mail a while ago for privacy reasons, and in anticipation that something like this would happen eventually.
Not much later, I was locked out of a Gmail account I had for an extensively long time (created back when Gmail was still in beta and by invitation only).
I know the password, I know the recovery e-mail address, and have access to the recovery account, yet I'm not allowed to access the Gmail account or recover the password regardless. Go figure.
The account was used mainly for all kinds of registrations where I expected I might end up getting spammed but I definitely wasn't doing anything suspicious with it. I didn't bother too much trying to restore it but any attempts would have likely failed regardless.
by riidom on 1/24/22, 12:07 AM
I had a similar case, in one of my (lesser) gmail accounts. I took that as final warning and since then started to move away from google mail.
Currently, I use a posteo mail, which costs me 1€ (I believe) per month, for the important stuff. Mails which come as part of my webhosting package for most of the other stuff. And a free adress (web.de) as experiment, but it didn't turn out too bad so I keep it for unimportant stuff They just send ads as mail once a week. Calling this "mildly annoying" is exaggerated already.
Yea, so the takeaway (imo) is, leave the sinking ship before it sinks you. The process may take weeks or months if you proceed it relaxed (that's how I did it), so start before one of your important addresses gets hit.
by iamtedd on 1/24/22, 6:18 AM
Just yesterday, I got two 'Google' verification codes to my mobile number out of the blue. No number, so I've only got 'Google' as the sender to go on.
```
  * My password is very long and complicated and stored in a password manager
  * I don't use any device I don't own and can see the moment the SMS messages came
  * I have no other indication that I've been compromised
```
I'm thinking it's more likely that someone else added my phone number as a second factor to their account.
Google: Just one damn easy thing would give me more information about the situation and allow me to act appropriately: Have the email address associated with the verification code in the message.
by Guest19023892 on 1/24/22, 1:23 AM
I had this happen as well about 8 years ago. My Gmail account one day just said it couldn't log me in, even though my password was correct, and I was logging in from the same home address and browser as always. It said I needed to complete the security question to access my account. I didn't know the answer because I just set random letters and numbers for the security answer when configuring the account recovery, because I was confident in my password and backup system. Since I couldn't answer that question, and because Google has no support, I could never access that account again while knowing the password.
Fortunately this was a secondary email address, and my primary email was on my own domain.
by whoknew1122 on 1/24/22, 12:50 AM
As a security professional, this is something we deal with daily. Security is too lax? Why didn't you protect my data. Security is too strong? I can't easily access my data!
Can someone show me the Goldilocks zone for internet security? It's a moving target.
by ryguytilidie on 1/24/22, 4:16 AM
Not exactly what the OP is talking about, but I do consulting and have ~5 gmail accounts.
My FAVORITE feature ever is: "huh. You just woke up on a Tuesday and need to get to work? Well, we've logged you out of all your accounts and need you to log in again."
The worst.
by nocommandline on 1/24/22, 4:13 AM
I just had this experience yesterday! I entered the correct password, the right recovery email, even asked for a code to be sent to the recovery email address and entered it but Google still didn’t allow me log in.
I had the same experience last year with the gmail account I created for my app. I travelled and Google didn’t allow me login from my laptop (cos I was in a different country). Entered the code from my recovery account and still no show.
In both instances it asked for a phone number to send me a code. If it refused to accept the code from my recovery email, why would the one from a text message be different. Besides, I didn’t want to provide my phone number to gmail
by EamonnMR on 1/23/22, 10:55 PM
They're trying to deter you from using Gmail anonymously/as a burner email.
by IronWolve on 1/24/22, 4:32 AM
Google security allows you to use a titan key, but then still ignores it if you use an android phone, not the best security, since phones can get sim jacked. (common way to get your ecoins hacked, take over your phone.)
Defeats the purpose of a titan key and 2fa enabled.
There is no option to turn off android auth confirmation popups, so you have to de-activate all signed in google phones, and remove google account on your cell for more security and stop trolls from spamming you, if your phone number is public. People been asking google for years to fix this major fubar.
Google auth is designed by idiots, to be as easy as possible, but bad actors can abuse.
by Madmallard on 1/24/22, 1:09 AM
I dont recall the password of my old gmail account and I listed my current gmail account as the recovery email, and they still cannot recover the account for me. It makes absolutely zero sense. It just seems like entirely lazy.
by muthuraj57 on 1/24/22, 2:04 PM
Had similar issue before. My and my friends are traveling to a different city and one of my friend's mobile went missing during our trip. The contact we were about to stay in the city is in that mobile (saved in his Google Contact thankfully). When he tried to login his account in my mobile to access it, Google wouldn't let him. He had to use the secondary email he registered with email(which is from Yahoo) to send a verification code and use that to login to the Google account. He also forgot the password for the secondary mail id and finding that was another story.
by rkalla on 1/24/22, 1:44 AM
I understand how you end up here - after a decade or more of micro-optimizations down a pit of the newest/most advanced scam and take over techniques... but at some point you need to sit back, zoom out and look at collectively what you've created and see if you are catching a bit too much in the net.
I feel like Risk underwriting at Finance/FinTech companies goes through something similar... the list of rules only ever gets longer/gets added to.. I don't know that anyoen rewinds the clock every 5 years and starts from a clean slate to build out a new model.
by ahnick on 1/23/22, 10:46 PM
So in theory if someone was to ever accidentally or intentionally reset the location info for where all gmail accounts have logged in from, then effectively everyone would be unable to access their gmail account?
by zeroimpl on 1/24/22, 1:18 AM
Same sort of problem. I have an account like that which was giving these messages and after trying a lot of things over few weeks I gave up.
Some long time later (year+) I retried and got in. I attempted to change the security settings, but it wouldn’t let me.
Some long time later again, I’m now locked out again.
This whole thing is ridiculous. I know the password, and have access to the account to which it forwards all emails. It should be obvious that their is no IP address which regularly uses this account, and that they are clearly locking out the account owner for no good reason.
by y3sh on 1/25/22, 2:14 PM
When my kids were born I created gmail accounts for them to save the name for when they become old enough to use it. This worked well when I did it from home, but for my last born I created his account *on the hospital wifi*, saved pass in 1pass. A couple years later I tried to login to his account from home and got thrown into this recovery hell. I visited that same hospital wing a year later to try "a prior location", but it didn't work.
As a result I unintentionally caused the very problem I was trying to prevent.
by 3np on 1/23/22, 10:56 PM
Happened to my grandma, who have had the same address for over 10 years. Was quite the ordeal to have her change over to a new adress once we decided it was meaningless to hope to regain access.
by itchyjunk on 1/24/22, 2:12 AM
This happened to me. I had half given up on my account since I didn't have a phone attached. Knowing my password and recovery email doesn't help. I emailed to some support email for google partnered people. I am not sure who I emailed but they responded that I was emailing the wrong person but they checked the status and it looked all good. I tried longing and it worked without any issue.
Edit: I was super happy to see a human response at that point and was very hopeful when I tried to sign in again.
by zuccs on 1/24/22, 4:14 AM
I actually found the solution to this last time I had it. I get it all the time on legacy G Suite accounts that are still hanging around that I never log in to.
I think it's this link: https://accounts.google.com/signin/recovery (don't go through the usual forgot email/password process on the login page or you get that stupid AI loop).
I think it helps to use Google Chrome too.
by octoberfranklin on 1/24/22, 4:07 AM
For over a decade I refused to give Google a phone number.
Eventually they locked me out and demanded that I verify my account via SMS using a landline telephone number I hadn't had access to in over 8 years.
Obviously since this was a landline, I could not possibly have given them this phone number for verification purposes and forgotten that I had done so. Evidently they scraped the phone number out of my email; I'd had PacBell e-bills emailed to that gmail address.
Google is unreliable.
by jerieljan on 1/24/22, 3:26 AM
I've had this problem too.
In terms of security, it's great, but it's terrible when you're going back to old, dormant accounts and have lost trusted devices.
Thankfully, it's not a problem if you've set recovery emails and 2FA options, but it is easy to forget if the accounts are set up for someone else who isn't checking often (like family members who only use their accounts rarely)
It really takes months for the lockout to clear up, and it sucks when it happens.
by dimsum4 on 1/24/22, 3:32 AM
I have a 80+ old father. The security controls Google has put in place, I much appreciate them because he keeps a fairly simple password (but not one that is susceptible to dictionary attacks) and he cannot remember multiple passwords. I have tried using a password manager for him but he finds them too complicated. While I understand the pain this causes, any changes should accommodate the security and convenience of the older demographic.
by jayzyone on 1/25/22, 2:00 AM
Google is not the only one. Amazon froze my account for suspicious activity. I had a fire and had to suddenly move leaving a delivery at locker also changing my address and password all on one day. I forgot to change the phone number, cause that phone died in the fire. I waited out my suspension, now I can't get into the account with my new phone. Top it all off I'm deaf and can't talk to customer service.
by empressplay on 1/24/22, 12:28 AM
If you've moved to a different country / region, use a VPN to access the account from the old location, then after that point the device will be okay
by gxs on 1/24/22, 5:40 AM
I realize I am a million years late to the party, but this is a good time to remind everyone to turn this “feature” off.
It’s buried deep in settings but it can be disabled.
The first time this happened to me I had to talk to an old employer to let me use my old laptop and sure enough it worked. I was very lucky.
I hate google at this point - or rather how big these trillion dollar tech companies are getting.
Would love a viable email alternative, but fast mail isn’t it.
by upbeat_general on 1/23/22, 11:21 PM
I had the same issue. I just gave up and came a while later with the same IP and eventually got through. It’s ridiculous that they both allow you to not setup 2FA and don’t let you in without whatever they deem required.
I eventually started using 1Password for all my backup google accounts to setup TOTP making it just as convenient as without 2FA. It was still a pain to have to wait and go through the process though.
by TheChaplain on 1/24/22, 6:20 AM
This is another reason why I recommend to use your own domain (from a 3rd party registrar).
If you can't, at least set a mail-forward to a different mailprovider (I have an old hotmail account) so if you get locked out, at least you can receive mails.
Use Google Takeout at least twice a year.
Another option would probably be to use Office365, I don think it's that expensive and I guess you would have the possibility of getting real support?
by isarat on 1/24/22, 6:00 AM
In the safety perspective, dormant accounts might be prone for exposed passwords (reused passwords, exposed via other services etc.) and easily an attacker can hijack your account. I had similar experience where a dormant apple account was hijacked and unable to recover. Apple also follows similar philosophies to sign in from a real device for recovery. Have you tried recovery options?
by zdw on 1/24/22, 3:30 AM
The most insane thing is is not being able to sign in with the kind of 2FA you want until after you've signed in with a phone number.
This also affects paid Google Workspace accounts, which has a setting on GW to disable phone-based auth...
So you're stuck. you can't have people sign into 2FA until they do it via phone... and they can't do it via phone by security policy...
Just nuts.
by pmlnr on 1/23/22, 11:28 PM
For critically important accounts, host it somewhere where you have the chance of talking to a human if things go boom.
Google is not one of these.
by smukherjee19 on 1/24/22, 7:52 AM
I wonder if paying up money for this Google Workspace Individual[0] will make me more immune to possible lockouts like this... Or is it just more sensible to jump to another paid email provider like Fastmail?
[0]: https://workspace.google.com/individual/
by atarian on 1/23/22, 11:26 PM
I've seen this a lot with incognito mode too. I think Google just deals a large penalty for "clean" devices.
by secondaryacct on 1/23/22, 10:46 PM
I always use the 2FA and whatever happens it seems to allow me back in. I would think this happens with a phone number too.
by tootahe45 on 1/24/22, 5:46 AM
Have a similar problem here,
I logged into my google account on a mobile emulator VM while testing some apps and have since deleted the VM. However, when i sign into my gmail acc it has 'tap yes on your android x device to confirm it's you' (which i deleted). I have recreated the exact emulator VM and the same thing happens..
by vorhemus on 1/24/22, 7:23 AM
Most big tech companies now use "conditional access" for their login with the hypothesis that this increases security. Even if it does, it leads to a drastic reduction in user-friendliness as OP has seen. It is like saying: The best way to prevent unauthorized access to our servers? Let's just turn it off!
by aimor on 1/24/22, 3:54 AM
Years ago, but just after Google purchased YouTube, I forgot my YouTube password so they emailed it to me in plaintext.
Maybe 10 years ago I experienced forgotten Gmail password hell when a family member forgot their password and was never able to recover the account.
Can't wait to see what the process is like another 10 years from now.
by lucb1e on 1/24/22, 1:10 AM
I had this in ~2014 at an event. It literally would not let me log in no matter what.
This did reinforce that running my own email server was a good idea. Like, what are you going to do if it actually is important? Call google support? I'd be surprised if they have a helpdesk with humans nowadays, let alone to fix some free account at 1am in the morning. Or even if you get to talk to a human, what are they going to do? Disable a security measure because a kind voice asks them to?
Google thought my IP address was in Russia (I was in Germany) and I guess that makes it suspicious? (Feels a bit odd that entire countries are basically banned. Not as if criminals can't use a VPS or VPN, it's security theater and seems insulting to everyone living there: they're all considered guilty until proven innocent.) I think I later checked and saw that there were no other active login sessions, so it knew that I could not possibly have done as it suggested. (Or maybe that was another instance of this problem, not sure anymore after 5+ years. I never forgot the lesson though...) The reason for logging in wasn't time-sensitive so I let it go for the four days of the event.
A related problem is that I have to clean up my inbox after logging into various services. Twitter was one of the first and I apparently got annoyed enough that I stopped using it subconsciously (I only later noticed that I had stopped checking Twitter and figured that the annoyance factor must be the reason). Like yeah you don't recognize my device, I don't want your "tweet" buttons across the web to track me so of course this appears as a new login device. What would be more suspicious is a login from a known device to this account, if the machine learning functions correctly...
by ranger_danger on 1/24/22, 5:38 AM
I've lost several paying business accounts to this problem because I never log in except when a credit card expires and then I need to update it with a new one. By that point I've moved or changed computers or ISPs or something and there's no way to 'identify' me anymore.
by rswail on 1/24/22, 2:08 AM
Lately I've noticed that Google wants me to "open the youtube app on your phone" even though I've configured 2FA. This is a work account, I have no interest in associating it to the youtube app on my phone.
My own email is with fastmail. They do what they do particularly well and are worth it.
by bananamerica on 1/24/22, 1:18 AM
Google has some kind of backup code that you can get.
It says so here https://support.google.com/accounts/answer/1187538?hl=en&co=...
Does it actually work?
by dannyw on 1/24/22, 1:05 AM
I signed into an old Gmail account of mine that had a bitcoin private key backup. After signing in successfully, I searched for "bitcoin private key" in Gmail.
Within a second and before the search completed, I was immediately kicked out of all active sessions, and my account was locked.
by eyelidlessness on 1/24/22, 3:21 AM
Another fun one (not Gmail but Google property): ReCAPTCHA will validate and re-CAPTCHA you infinitely if you’re using Private Relay. They could just, like, store a cookie… they already have (assume) permission to do it. But just green checkmark > same question forever.
by lucideer on 1/24/22, 2:32 PM
Had this same issue: thankfully managed eventually to regain access (by temporarily re-invigorating an old half-working phone) but have since moved all essentials off Google.
Absolutely outrageously dangerous system, no way I can trust that service with anything remotely essential again.
by ammonammonammon on 1/23/22, 11:17 PM
I find account security horribly bloated thanks to tools like Podesta and such lame password creators. If ppl would simply make good passwords this would not be an issue. Google, Amazon, Valve/Steam, blah blah blah… we almost don’t need passwords anymore.
by menage on 1/24/22, 6:47 AM
Last time I had to deal with Google's account recovery (10 years ago when my mom fell for a phishing scam) there was an option to pay a few dollars to get to talk to a real human in a customer service / operations department. Does that still exist?
by frozenlettuce on 1/24/22, 12:10 AM
I have this exact issue since I changed my phone number and forgot to update it in all my Google accounts. Now I can't access an account that has some adsense funds. Lesson learned: don't trust a company that doesn't have customer support.
by ericls on 1/23/22, 11:19 PM
Woo.. This happens to credit cards a lot, but in these cases, you can at least call the bank.
by hysan on 1/24/22, 6:08 AM
Yes, posted here about it too.[1] There is no solution. You are locked out forever once Google does this to you.
[1] https://news.ycombinator.com/item?id=21168834
by alanh on 1/24/22, 12:55 AM
Yes, this happened to me with a throwaway gmail address I once had. Correct name and (strong) password, BS about a different device. I never regained access. Luckily nothing of real value was lost.
My primary email account is on Fastmail these days, and I like them.
by LegitShady on 1/23/22, 11:43 PM
have old gmail account
no longer have associated phone number
Do have backup email (primary email).
Do have password.
Google doesn't care. Won't let me log in, won't send an email to the primary account for recovery, etc.
I've written it off. Essentially if I'm not paying someone for it, they don't care.
by anonymousiam on 1/24/22, 4:07 AM
Facebook is the same way. If you don't have their cookies, but know your account name and have the recovery email, you still cannot log in after resetting your password unless you are stupid enough to send them a copy of your photo ID.
by kasi_hasi on 1/24/22, 4:17 AM
The solution to these kinds of problems is obvious: Stop using any Google service. No more Gmail, Google Cloud, Google Docs, Google Drive, ... there are many alternatives.
I've pretty much completely degoogled my live and don't miss anything.
by ashtonkem on 1/24/22, 12:02 AM
It keeps locking out my printer for using LDAP. It's extremely annoying to go and re-check the "yes, allow 'insecure' access" every N months. I complain a lot in the box, but obviously nobody is reading them.
by mikotodomo on 1/24/22, 12:25 AM
They have calculated that overall, a non-negligible amount of users will be hacked unless they have their system the way it is. Sure some accounts will get locked out, but overall it's a net benefit. There are hidden variables.
by dmitrygr on 1/24/22, 12:34 AM
Your only option is a helpful googler who can fill out the internal "help recover an account" form. You this sucks. But having accounts stolen sucks too. I think Google is between a rock and a hard place here. But anyways, sucks.
-Xoogler
by perth on 1/24/22, 8:22 AM
Interesting question for you hn people. My email domain is my website domain and I just use Google’s email servers. If Google ever nuked my account is it trivial for services to resolve that my email pointed to a new provider?
by cmurf on 1/24/22, 3:14 AM
Every week my google workspace accounts kick me out on my laptop, and I have to log back in with a password. This never happens on my Android phone with those accounts. And also not on the laptop with my regular gmail account.
by tonymet on 1/23/22, 11:03 PM
I feel your pain. You’ll probably have better luck logging in if you add a hardware token or 2fa. most android phones have a built in hardware token, or you can buy a yubikey or the tokens from google (often on sale for $5)
by neogodless on 1/24/22, 12:32 AM
My 87 year old grandma's computer wouldn't boot. We set her up on a new laptop. But we couldn't remember her Gmail password. We never recovered her account, including any photos backed up to Google Photos.
by cinntaile on 1/23/22, 10:52 PM
It's especially annoying that you can't turn this nonsense off. I had this happen to me when I was abroad, obviously with no way to recover when I was abroad and I needed access to certain mails. Nice feature.
by YeBanKo on 1/24/22, 3:39 AM
Arguable email addresses now are more important, that phone numbers. Mobile carriers are legally required to allow you to port numbers. We need a legal framework that allows to have inalienable email addresses.
by eddieh on 1/24/22, 2:56 AM
Yup, I am effectively locked out of a few email addresses I rarely used as well. I haven’t found a solution. I just moved everything important off of Google and would never trust them with anything at all—ever.
by Groxx on 1/24/22, 5:16 AM
Yep. They're getting aggressive with 2FA too. More ways to lock you out of your account in opaque, unpredictable ways with no support whatsoever.
I'm very glad that I've already started moving my accounts off.
by diegolyanky on 1/24/22, 7:59 PM
That's because you tried to sing in using a cell phone which is listed into a black list. Maybe your mac address or imei is being rejected because it was used to do some illegal thing. Be careful...
by akkartik on 1/23/22, 10:46 PM
From 3 days ago: https://merveilles.town/@akkartik/107656797631193281
One less risk to worry about.
by Khaine on 1/24/22, 11:17 AM
gmail security is infuriating, particularly if you are off travelling the world. You enter your password correctly, you use MFA, and still google can be like nope no email for you. Its incredibly frustrating, and there is no recourse, no one you can call.
I get its trying to help protect people, but you know, if it creates friction for the user, you have fucked up. And google's automate everything is admirable, but where there are no feedback loops, it is worse than useless, as no-one knows something is broken and needs fixing.
by avodonosov on 1/24/22, 7:38 AM
From other user experience problems introduced by Google (what they did with Chrome address bar) I have impression some incompetent non-computer people are making thechnical decisions there.
by Havoc on 1/24/22, 12:43 AM
I’ve also noticed that google like logging me out regularly if I’m using more filtering tools (think pihole etc). The ridiculous part is I’m on a static IP…google damn well knows it’s me
by ksec on 1/24/22, 12:11 AM
Looking at all the Google, Amazon, PayPal and comments on many others, security UX is simply an unsolved problem.
I am wondering if YubiKey would have the same problem? Edit: Looks like not.
by ComodoHacker on 1/24/22, 6:57 AM
I've lost two Gmail accounts (like firstname.lastname@gmail.com) because of this. Now I'm using only nickname accounts and not tying them to anything important.
by _7kjo on 1/24/22, 3:02 AM
I’m in the same situation and have an account that I have a password to, but cannot login to for the same reasons.
Google is one of the companies I’d trust the least for anything critical.
by reactspa on 1/23/22, 10:46 PM
Previously on HN: https://news.ycombinator.com/item?id=29801850
by gkanai on 1/24/22, 3:17 AM
I have my own domain and use email with that domain.
I have a gmail account but only use it for mailing lists, ecommerce orders, etc. Relying on Gmail for everything is a bad, bad idea.
by johnnyApplePRNG on 1/24/22, 4:58 AM
Why was this title edited from the original (which was "Gmail account security is insane") as submit by caseyf7?
I understand editing titles to articles but self posts...???
by thaumasiotes on 1/23/22, 11:01 PM
I ran into the same problem and complained on HN a while ago.
In my case, I was able to access my email in an incognito tab, although that didn't seem to be a universal solution.
by 5ESS on 1/23/22, 10:55 PM
Try to login from a device that you used previously to login to other different accounts that you touched from the same device that was used to login previously.
by pixel_tracing on 1/23/22, 11:28 PM
You think that’s bad trying recovering a missing Microsoft outlook account. I have to wait on some verification and send my address previous addresses used, etc.
Good luck.
by fuzzy2 on 1/23/22, 10:46 PM
Just out of curiosity, do you have two-factor authentication set up? Or the Gmail app on a mobile device? Or do you really just have the recovery account?
by dusted on 1/24/22, 7:00 AM
Oh that is CREEPY.. means if I lose the devices I'm using to sign into google, I can't sign into google no more, even if I have the password.
by kart23 on 1/23/22, 11:14 PM
there needs to be some kind of law or regulation around this right? email has become as, if not more important as regular mail, and the government should be protecting access to it.
try sending it to your senator and local representative. I think the FTC would also be interested in this. if google won’t even give you support for the issue, that should really be addressed by the government imo.
by tadzikpk on 1/24/22, 12:57 AM
Use Che browser to mimic your usual device…
https://chebrowser.site/
by zoellner on 1/23/22, 11:22 PM
eBay blocks my account for suspicious activity every time I post something. Completely unusable for occasional use
by novok on 1/24/22, 12:22 AM
This is why you want your email to be your own domain, so even if you still use gmail, you can recover from that.
by joejohns on 1/24/22, 2:48 PM
Same exact thing happened to me, I tried reaching out for help in Google and yet, to no avail, nothing happened.
by ranuzz on 1/24/22, 3:24 AM
Happened to me too. Gmail asked for a valid phone number for verification though and after that it worked.
by qbasic_forever on 1/23/22, 11:08 PM
Turn off any adblockers or other things that might be manipulating your browser sessions, cookies, etc.
by endorphine on 1/24/22, 5:54 AM
This absurd struggle strongly reminds me of the themes in Kafka's novels: The Trial, The Castle.
by Delfino on 1/24/22, 5:55 AM
Yeah, living abroad I am constantly running into issues like this and it's quite frustrating.
by prafullss on 1/24/22, 6:56 AM
try to connect same network/wifi you have used to connect your device or native place where you have frequently used your device. you can open you Gmail id. If this not help you to fix , try to reset password in a Desktop/Laptop on chrome browser.
by prafullss on 1/24/22, 6:55 AM
try to connect same network/wifi you have used to connect your device or native place where you have frequently used your device. you can open you Gmail id. If this not help you to fix , try to reset password in a Desktop/Laptop on chrome browser
by nuker on 1/24/22, 9:16 AM
Apple Private Relay enters the chat
by whitesilhouette on 1/24/22, 12:56 AM
Only solution that works for me is to use my 8 digit backup codes. That works everytime.
by tlhighbaugh on 1/23/22, 11:06 PM
try user agent modification, it claims all this crap about wanting a device you signed in to before but in my humble experience using Linux + Firefox, all is fixed if I switch my user agent so it appears I am using Windows + Edge.
by throwawayboise on 1/24/22, 5:07 AM
Pretty sure if you have 2FA (Google Authenticator) set up this will never happen.
by ck2 on 1/24/22, 5:23 AM
btw if it helps, by "location" they mean the same ISP you used to create the account or last successfully used it
old accounts without a valid phone number attached to get a SMS code are pretty much screwed if you change ISPs
by nikolay on 1/24/22, 12:23 AM
We'll always be hostages of Google while we keep using their services.
by kadenwolff on 1/24/22, 3:54 AM
I had this happen recently as well, have not found a solution
by nathias on 1/23/22, 10:45 PM
I just accepted I can't get to that account anymore...
by Avamander on 1/23/22, 11:41 PM
eBay does the same shit, but they force a password reset on you instead.
Have to reset my password basically once a month because their heuristics are absolutely dogshit.
by kome on 1/24/22, 4:34 AM
I have/had the same experience with Dropbox.
by floatingatoll on 1/23/22, 10:39 PM
Try in Chrome with all extensions disabled?
by alexnewman on 1/24/22, 12:57 AM
Good news , CloudFlare does email routing
by izzytcp on 1/24/22, 2:41 AM
If you have a friend in the Feds, call them they give access to Feds immediately, zero requirements. Security is gone, poof. (sarcasm)
by mediumsmart on 1/24/22, 6:38 AM
alphabet just needs your account. You don’t have to access it. all is good.
by coldtea on 1/23/22, 10:58 PM
The faster we move from location/PINs sent to mobile, and other BS forms of 2FA the better...
by eyeball on 1/23/22, 11:10 PM
turn on their advanced protection features and it gets even more fun
by husamia on 1/24/22, 4:02 PM
is paying for Google One subscription give me any support?
by eitland on 1/24/22, 6:28 AM
If you live in EU or EEC I wonder if this isn't covered by GDPR?
Aren't companies required to have a way to get a manual review of anything an AI does?
And aren't they also to safeguard your data?
I'm not a GDPR expert but I know GDPR is a bit larger than many expect.
by pkilgore on 1/24/22, 1:36 AM
mailinabox.email
fastmail.com
if its that valuable to you, pay!
by mcantsin on 1/24/22, 9:27 AM
google is evil
by tester756 on 1/23/22, 11:05 PM
Security comes at the cost of comfort
You might not like it, but then you're free to disable this IIRC?