Google hacked account
203 points by hmoghnie on June 30, 2015 | hide | past | favorite | 157 comments
Despite Google boasting of hiring the best engineers, their system gives us mortals hope that our applications are not so bad after all. Let me explain the pain I am going through to recover my hacked gmail account. First, there is no way to talk to someone, their responses are canned, and to top it off, they send you to a link to submit a password request.

So far not a problem, but the email you get back after sending the password reset request contains a link to a page that allows you to cancel the request (not sure who the genius was who had this idea). Now that the email is hacked, the hacker can read the emails and click to cancel the recovery process. And the vicious cycle continues.

What to do?




Try posting to Hacker News in the hope someone with some authority deigns to intervene. It helps if you are a high-profile blogger or known industry luminary.

The prospects for the rest of us are fairly bleak.


> The prospects for the rest of us are fairly bleak

Mostly because if changing ownership of a Gmail account were as simple as "Post to Hacker News and complain," it'd be an obvious and exploitable security gap.


That idea, if extended, could be rather entertaining.

"White House Gov Account Hacked, Please Help"


Obviously it shouldn't be as simple as "someone complained, so turn over control."

However, us normal plebes should be able to get some competent human on the phone and talk to him about what's going on.

I'd hop through lots of hoops to recover my google account, but without getting a human's attention I can't do anything.


I don't quite follow.

I don't expect it to be easy to change ownership of an account - but there has to be a secure process that one can follow in the event. I'd be happy to pay for it. It's the fear that if the worst happened you would quite simply be unable to contact anyone that concerns me


will try, thx


If they are automatically clicking these links you may be able to spoof an E-mail that looks similar to the password reset request but have the cancel link actually log them out.

Going to this URL logs you out on Gmail: https://accounts.google.com/Logout?service=mail&continue=htt...

This might not work, but it's probably worth a try.


It did work for me when I clicked from here on HN!


Yes, and this can be done in a CSRF attack on a web page like superlogout.com (don't go there if you don't want to be logged out of 20+ websites).


This is nice :) Certainly helpful when using a public machine. Heck .. make that the homepage on browser-launch on public machines and guest accounts.


Wow, I'm surprised so many of these still work...


If your account is part of Google Apps for Education, or some other managed Google Apps account, you should contact your Google Apps admin. If it's just a normal Google account, I'm not sure there's much more that you can do.

Email is the most sought after account. All the password reset requests to your Bank, Twitter, Facebook, etc. are delivered to your email account. So when someone steals your email account, they've stolen all the others too. Go change those accounts to use your new email (if you can).


you are absolutely right.


I agree that Google's help services are lacking. I never got my account back years ago. But this sounds fishy to me.

It's equally likely that you are trying to hack someone else's account as trying to recover your own. There's nothing wrong with the password reset process.

However, isn't there a process for when you suspect your account has been compromised? Have you even tried that? Are you even sure that your account has been compromised, or you just can't remember your password?

I like that us hackers are happy to help, and happy to commiserate with the failings of big corporations, but I think it's worthwhile to be a bit sceptical.

Edit: I'll add that the claim that the reset requests are going to the original account and being cancelled is fishy. We have verification in this thread that this in fact does not happen, and presumably the OP can't access the account to make a truthful counter claim.


You had two step verification, or not?

I'm hoping you'll say no, because my feeling of security comes from the fact I've enabled TSV.


What kind of two factor authentication? TOTP codes don't protect you against e.g. phishing. A MITM can request codes and forward them (since they are time-based).

Get a U2F key. They work with Google accounts and provide much better protection against phishing (the phishing site does not have the key handle and cannot initiate the challenge-response as a result):

https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...


> What kind of two factor authentication? TOTP codes don't protect you against e.g. phishing.

Sure it does. TOTP codes are only good for X seconds and most phishing scammers merely collect the information to use much later (I have seen the source behind the actual phishing sites).

I have yet to hear of a story of someone's account being compromised while using TOTP (knock on wood).

But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP. So I would wager that TOTP is pretty safe to use.


> Sure it does. TOTP codes are only good for X seconds

Not seconds, usually a minute:

https://tools.ietf.org/html/rfc6238#page-6

(This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.)

> and most phishing scammers merely collect the information to use much later

Right. It's probably still profitable to do things in this manner because most people do not use any second factor. That does not change the fact that TOTP is extremely vulnerable to phishing. Most people here could probably write code that does this live in an hour or so.

> But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP.

Yes, because TOTP adds good security against other attacks, such as password leaks, since every site has its own shared secret.


> Not seconds, usually a minute:

Almost every service I use is 30 seconds - including Google's [1]. Even in the RFC you linked it says 30 seconds.

> This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.

That is the downside of TOTP. If your clock isn't in sync with the server's then you may never have a valid OTP. However, I have seen many implementations allow for time shifting - ie the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid. I didn't do that for my source code hosting service - but it makes sense in case the user hit enter right after the 30 second window. I suppose HOTP is supposed to solve the timing problem.

> That does not change the fact that TOTP is extremely vulnerable to phishing.

This doesn't make sense - TOTP isn't any more vulnerable than the password itself. You still need my password. And even if you phished that - by the time you would attempt to access my account the TOTP would be invalid. The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.

[1] - https://github.com/google/google-authenticator/wiki


> However, I have seen many implementations allow for time shifting - ie the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid.

Hence one minute. This is also why I referred to the RFC.

> The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.

Why? It's no problem to make a phishing site that requests the password and the TOTP code and uses these credentials immediately.


I love my Yubikey! I use it with all my Google accounts.


Any benefit to Yubikey over Authenticator? EDIT: good points here: https://bitcointalk.org/index.php?topic=159444.0


This is old. The old Yubikeys with HOTP provided some advantages over authenticator, but new Yubikeys provide U2F which is much more resilient against phishing attacks.

https://www.yubico.com/applications/fido/

Moreover, U2F does not present itself as a USB keyboard (which had security implications on X11, since every application can listen in on keyboard events.)


So what happens when you lose that?


You can associate multiple U2F keys with one Google account. Buy two, put one in a safe. They only cost ~15 Euro a pop.


"You had two step verification, or not?"

Upvoted you but...

A company offers a free service. "Your aunt" does not know or understand the need for "two step verification", nor almost certainly do a large percentage of people using gmail.

This idea that companies absolve themselves of all responsibility to provide reasonable customer support for a free product with such wide adoption is ridiculous. Google derives benefit from the relationship regardless of the fact that the service is free.


The fact that "your aunt" can access the Internet at all without some moral equivalent of a driver's license is testament to the fact that our societies have balanced the freedom of information made available by accessing the Internet with the individual's responsibility to understand the basics of the tools of accessing said Internet.

... and stories such as this are the consequence we shall have for taking the Libertarian solution. Not that I disagree with the solution taken! I just have a hard time swallowing the argument that it's always the provider's responsibility to account for total user ignorance at all times. A solution has been provided for this attack vector, and if the end-user chooses not to use it then perhaps at some point the onus is on the end-user.

(Or perhaps Google should just make 2FA mandatory for everyone, "your aunt" included).


> "Your aunt" does not know or understand the need for "two step verification"

I wonder more and more if we need to make it mandatory in some form, but maybe more formal. Like you can use your phone, but also here is a plastic, officially-sealed set of codes we'll mail to you at a verified address just in case.


>>> officially-sealed set of codes we'll mail to you at a verified address just in case.

And then people would start crying ... "google now wants to know your home address .... "


Yeah, but technically strong people like yourself are always able to handle themselves better in all aspects of computing.

This is why you end up fixing your aunt's printer. And why you have a more secure e-mail account than her. And why you can handle backing up your photos.... etc

It's not Google's fault entirely.


"but technical strong people like yourself"

I like the sound of that. I actually have run my own mail servers since the mid 90's [1] but I am more of a business guy who knows computers than a strong technical guy, the way that I see it. I don't use gmail for anything important (I do use it for unimportant things); I don't like the idea of my mail sitting on their servers.

[1] Actually if you include non internet mail dates back to the mid 80's on a Unix system V.


How do you deal with spam when self hosting?


I don't filter any spam at all.

I have found it helpful and have done deals with people that would normally be considered spammers. Wish I could provide details but let's just say that some people who spam actually are legitimate buyers of certain products or services and respond quite well to reply emails.

How much spam do I get and have to go through? Easily 3000 messages per day. You will have to trust me when I say I have not regretted not doing any filtering in terms of what I do [1]

[1] And no I do not sell a product or service to spammers...


I self-host my own mail server, and deal with spam amazingly well. I deal with it so well that I'm able to have "old school" public mailing lists that don't require registration in order to post.

There are various options for dealing with spam, if you're doing it by yourself.

My number one defense is a simple DNS check. SMTP servers that do not have valid and matching forward and reverse DNS are almost always spammers, with very little false positive identification. Spammers almost never have a server whose reverse DNS address is a domain name that resolves back to the same IP. Most of the time when spammers do have such a thing is when they compromise someone else's (e.g. Yahoo or whatever).

After that, it's a few DNS-based checks of black-listing databases.

Then some pieces of custom logic in the Exim configuration.

Of course, SPF: if the apparent sender's domain publishes an SPF record, I check it to see whether the server connecting is authorized to handle mail for that sender.

Finally, I also have scripts that monitor the mail server's log and implement IP banning (like fail2ban but home brewed). For instance, if the server reports suspicious SMTP commands, this will be ferreted out of the log in real-time and turned into an iptables-based ban that stays in effect for some time.

Oh, plus I have geographic banning in effect. Periodically, I download the latest IP netblock list from ARIN and other autonomous systems and block certain parts of the world (e.g. China) from connecting to my port 25.
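The first two layers in the comment above, the forward/reverse DNS match and the DNS-based blocklist lookups, are simple enough to show in full. This added example (mine, not the commenter's Exim configuration or scripts) implements forward-confirmed reverse DNS and a DNSBL query with pluggable resolvers: live ones built on the socket module, and constructed offline records using documentation address ranges and a placeholder zone `dnsbl.example`, none of which are real hosts or a real blocklist.

```python
import socket
from typing import Callable, Dict, List, Tuple

PtrLookup = Callable[[str], List[str]]    # ip -> PTR names
AddrLookup = Callable[[str], List[str]]   # name -> A record addresses


def fcrdns_check(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: the connecting IP must have a PTR record, and at
    least one of the names it returns must resolve forward to that same IP."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return False, "no reverse DNS for %s" % ip
    for name in names:
        if ip in addr_lookup(name):
            return True, "%s resolves back to %s" % (name, ip)
    return False, "PTR %s does not resolve back to %s" % (", ".join(names), ip)


def dnsbl_listed(ip: str, zone: str, addr_lookup: AddrLookup) -> bool:
    """DNS blocklist query: reverse the octets, append the zone; a 127.0.0.x answer means listed."""
    reversed_octets = ".".join(reversed(ip.split(".")))
    answers = addr_lookup("%s.%s" % (reversed_octets, zone))
    return any(a.startswith("127.0.0.") for a in answers)


# Live resolvers, for running the same logic against a real connecting IP.
def live_ptr_lookup(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_addr_lookup(name: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


# Constructed offline DNS data (documentation ranges and example domains, not real hosts).
FAKE_PTR: Dict[str, List[str]] = {
    "198.51.100.10": ["mail.example.net."],   # honest MTA: PTR and A agree
    "203.0.113.9": ["relay.example.com."],    # PTR and A agree, but the IP is blocklisted
    "203.0.113.77": ["mx.example.org."],      # PTR names a host that resolves elsewhere
    "192.0.2.200": [],                        # no reverse DNS at all
}
FAKE_A: Dict[str, List[str]] = {
    "mail.example.net": ["198.51.100.10"],
    "relay.example.com": ["203.0.113.9"],
    "mx.example.org": ["203.0.113.5"],
    "9.113.0.203.dnsbl.example": ["127.0.0.2"],   # listed in the placeholder blocklist
}


def fake_ptr_lookup(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_addr_lookup(name: str) -> List[str]:
    return FAKE_A.get(name.rstrip(".").lower(), [])


def smtp_connect_verdict(ip: str, ptr_lookup: PtrLookup = fake_ptr_lookup,
                         addr_lookup: AddrLookup = fake_addr_lookup,
                         zone: str = "dnsbl.example") -> str:
    """Decision for a new SMTP connection: FCrDNS first, then the blocklist."""
    ok, why = fcrdns_check(ip, ptr_lookup, addr_lookup)
    if not ok:
        return "reject: " + why
    if dnsbl_listed(ip, zone, addr_lookup):
        return "reject: %s is listed in %s" % (ip, zone)
    return "accept: " + why


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, "->", smtp_connect_verdict(ip))
```

To run it against live DNS, pass `live_ptr_lookup`, `live_addr_lookup` and a real blocklist zone to `smtp_connect_verdict`.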


SpamAssassin, or like me, dspam.


second this! Hope it's a no


> So far not a problem, but the email you get back after sending the password reset request contains a link to a page that allows you to cancel the request (not sure the genius who had this idea)

Did you set the recovery email the same as the main email? Cause I only get password reset to the recovery email.

If you used the same address for recovery email, then it defeats the whole purpose


No, I set another email, but still both emails will get the link.


This is not correct. Or at least, it should not be AFAIK.

I actually just tried it on an account I own, and it does not send the email to both addresses, only to the recovery email address.

If that is really happening to you, that sounds like a bug to me.


Is the person that hacked the account just sitting there waiting for emails to come in and hopefully can click the "Cancel Request" before you can reset the password?


If you make a habit of hacking Gmail accounts, it's probably not hard to make a bot that does it for you.


Would be interested in knowing how they bypassed 2 factor authentication, assuming you had that enabled.

Unfortunately, it's a tough situation since for all Google or we know you could be the hacker trying to get into the account, and it's hard for them to verify who you are, since if the hacker was able to steal the person's phone to bypass 2 factor authentication, they may also have access to a copy of your driver's license or ID to send to Google in an attempt to verify they are you.

While far from ideal, assuming you don't have a close friend to contact google for you via their google apps admin account, you could create a new trial google admin account and then contact google through that mentioning your situation of your other account. While they will still have to find a way to verify who you are at least you'll reach a real person.


My mistake was that I didn't enable 2 factor authentication. I contacted them and offered to supply a copy of my password and driver license, they said the only way is to go through the dysfunctional online method to recover the password.

I did create another account, they still send the link to cancel the request to the original account!!!


> My mistake was that I didn't enable 2 factor authentication.

Kind of aggressive calling out Google's engineers when you couldn't bother protecting yourself with their free and easy to use security mechanisms.


Except that now Google has my phone number linked to my identity too. I know this is not everyone's use case, but for those of us that care deeply about privacy, that's not a good alternative.

If that's not a good counterpoint, my phone/SMS service sucks when I'm traveling abroad, which is exactly when Google thinks I'm not me.

I wish Google supported TOTP like Github does, without asking for a phone number.


> I wish Google supported TOTP like Github does...

Good news, they do! They even have an app for it.

https://en.m.wikipedia.org/wiki/Google_Authenticator


Yes, they do, but there's no way to set it up without giving your phone number first. Whenever I enter into the 2FV options, I have to give a phone number, no alternative. I have no idea why. Sorry I wasn't clear enough.


And a PAM module!


Are you sure that's still the case?

This[1] would seem to indicate you can use a U2F device[2] as an alternative to providing a cell phone for verification.

[1] https://www.google.com/landing/2step/#tab=how-it-works

[2] http://googleonlinesecurity.blogspot.com/2014/10/strengtheni...


My guess is that you can eventually enable that, but not at first. When I click on the "get started" button, I get "Step 1: Set up your phone", with no alternative button in sight.


Does gmail support using a second email as the second factor? Hotmail does...


The entire account system does.


If you didn't enable 2FA, how on earth is Google or anyone for that matter able to verify it's you that owns the email address? Anyone at any time could claim they were hacked, and it's not like they require a drivers license ID when you register.

Honestly I'm not sure what Google can do here that (a) doesn't require them to now individually support users ($$$) or (b) doesn't open them up to thousands of erroneous claims.


I would prefer a system where I can pay $100 to Google to get a competent human to look at the case versus now where I can hope I have a friend of a friend to make enough noise to get someone's attention.


I think we all would, but the OP knew this when he registered! This is not a new revelation about Google support.


The password reset process bypasses 2 factor authentication (as of April of last year).


There are quite a few ways to get his SMS code if the hacker was targeting him:

http://www.zdnet.com/article/invasive-phone-tracking-new-ss7...

SMS-based 2FA is really "security through obscurity". It's "good enough" (generously said) if you happen to not piss anyone off or be someone's target. Otherwise, not so much. I don't think enabling SMS-based 2FA will pose any problem for China to hack back into OPM for instance, and yet I think that's one of their "fixes" right now.

Google's Authenticator is also useless as now Gmail allows you to bypass the Authenticator when you can't authenticate with it for whatever reason, and go straight to using SMS 2FA instead, which brings us back to point one.


The issue is that you're not Google's client. Maybe buy something from them (a large amount of ads), then try to get support?


This worked for me. My account was suspended in error years ago (Suspect logins or something), and the only way I got it back was by calling up an adwords representative and telling them I couldn't login to adwords and spend money until they unsuspend my email account.


That actually worked?


Yes. I had to fax them something (I forget what) to prove it was my email address. It took about a week to get it sorted.

I'd echo others though - Google is awful at support. They're awful at communication. They decide to shut down products at the drop of a hat without telling people. Avoid Google if you can.


If something I learned about this world is that money talks. Always.


Or a Google Apps for your Domain account. $5 a month, and you have full admin control over the account (and a payment channel backing it, so if someone does compromise the account, you can stop paying the bill to get Google's attention).


Remember: We're not Google's clients, we're Google's products


Only in the sense that I'm the "product" of broadcast television, terrestrial radio, and my local free alt-weekly.

Calling someone a "product" is a great way to make a flippant jab at a company but as far as a product is something a company produces, it's just not the case.

Google, like these other companies, produces useful (to many at least) services. The way they make money on this is by selling ad space or access to my eyeballs and earholes. So to claim that users are simply "product" is misleading at best. Their "product" for me is webmail, search, navigation, and file hosting. Their "product" for other companies is space where they can reach potential customers.

So in this sense, like countless other media and information companies, access is one of their products and information services make up their other products.


> Only in the sense that I'm the "product" of broadcast television

Well, yes you are. Some years ago, a CEO of French television said that his business was to sell "available brain time" to advertisers.


False dichotomy, and just a plainly dumb and lazy statement.

To sell to advertisers Google has to get people to use its search engine and other products. To do that it has to treat users like customers in that it would rather have them be happy than not happy, at least unless it costs them too much. This is precisely the relationship that other businesses have with their traditional, simple customers.


Perhaps it is lazy, but what is dumb about the OP's statement?? Personally, I would argue that starting a comment with something as inflammatory as you just did is truly dumb.


Not necessarily. If you use Google Apps, you pay a monthly fee and are a client, with telephone support, no ads, etc.


What if you're a Google Apps or Drive customer?


Please stop repeating this intellectually lazy and false meme. Or go to reddit; platitudes that don't require critical thinking tend to do better there.


What is false or lazy about this? The service is free; Google makes money selling ads to users. Is this in dispute?

Pointing out that Google has little incentive to support its users in a post about getting little support from Google seems very on-topic (but perhaps unoriginal) to me.


A loss of a user represents a loss of income for Google in both cases. The reason they have little incentive is because they don't get much per user, but that has nothing to do with where the money comes from.


Your best bet at stopping a false meme is to replace it with a better one. What do you recommend?


I would go with

> You're not Google's product, you're their supplier; one of their many millions of suppliers.

Their product is your personal information, which you supply to them in exchange for their services. The fact that you are one of many millions of suppliers (each dealing in microtransactions) means you don't have a lot of weight when you need to get help from them.


Catchy ;-)

The best counter to the lazy Google meme is to think of all the companies where you are indisputably the customer and you also get awful incompetent support.


Internet service providers? Every ISP I've ever used I had to navigate their awful customer service infrastructure on multiple occasions and none of them were what I would call competent.


What is lazy or false about it??


Someone hacked and deleted my gmail account back in 2008, and I wasn't able to create another with the same name. It was like my life at that time because I had all my personal backups as mails in that one. Since then I keep a copy on my hard drive as well, even when I have a cloud account.


Unfortunately (because their services are quite good) google has no support staff. This is well known, and you should take it into account when using the services they offer.

It is not difficult to do without them.

Asking for help on HN or Reddit works sometimes, but if your business (or personal life for that matter) relies on their services you should really work towards being able to do without them.


It is simply untrue that Google has zero support staff. A better statement would be that they have an automated support process for free gmail accounts. They have support staff for many of their products, including the paid version of gmail.


It'd be nice if you could pay for per-incident support on their free Gmail.


Genuinely asking: is there a paid email provider roughly on par with Google's offerings in terms of usability and uptime? I'd consider switching.


If you need all the features of Gmail or Inbox, probably not. If you can get by with what IMAP has to offer, FastMail has been very solid for me. I pay about $50 a year for a single account, which can support lots (unlimited?) domains and addresses (both sending and receiving). The web UI is nice, and the iOS app is pretty good, too. They also blog a lot about what they are doing on the technical side, and seem really invested in the future of IMAP and open source. They have a serious focus on speed. Spam filtering I would say is like a B-, there are some really obvious things that seem to get through no matter how much I train it. Support staff has been helpful when I've needed it, though.

edit: just remembered they have a referral system, should you be interested: http://www.fastmail.com/?STKI=13352501


They are excellent! I had a feature request twice, it was implemented on their beta server within days. Their (standard-conforming) IMAP and Webmail is really fast (they cache recent stuff on SSDs). They have apps now for Android and iOS (basically wrappers around the web app with notification support, but they work well enough). They recently added CalDAV and CardDAV support.

On top of all of that, they actively contribute to open source projects such as Cyrus.


Thanks for the suggestion, I like what they're offering. I hadn't considered spam, probably because gmail is so good at it that I haven't thought about spam in years. Anyway, seems worth a shot.


I have heard it said that putting MailRoute in front of your Fastmail account, clears up the spam problem to the same degree that Google does.


I switched to fastmail almost two years ago and don't regret it a bit. I especially like having multiple domains at no additional cost.


Second this too! I've been with Fastmail since 2011 and their service is excellent.


Second. Fastmail.


Microsoft actually do a good job and you can always call someone who can actually do something. Never thought I'd say that.

However, I'm using an IMAP box on Gandi.net and a domain purchased elsewhere and that is it. I refuse to use any services tied to a single company any more.

This change has given me a lot of headspace for other things.


That seems phishable. I wonder what method Microsoft uses to verify that I'm not calling in to steal someone's account.


They send you an email and you have to click through it.


Do they send an email to an address of the attacker's choosing?


No. There are several security questions they ask you.


Google Apps does have support staff. You can ring them. There is rarely any holding/queue time.



I have no idea about usability because I don't use the online interface, but Microsoft's Office 365 offerings are great for $5/mo. You also get unlimited OneDrive space.

It also comes with 10 minute turnaround time on phone support. You get a little popup asking if everything is okay and if you want to receive a call for support when you login to the admin interface.

I've been quite happy with it for the last three months.


I know HN frowns on "me too" responses but I am in the same boat. I'm heavily dependent on GMail right now and each time I see a story about someone having troubles on Google's non-charging (I hesitate to say "free") services I make a mental note to find a paid alternative, but never follow up.


To me-too your "me too", I switched to FastMail three years ago and haven't looked back.


I have my work e-mail on Zoho, but I haven't been able to free myself from Gmail... the inertia is too great (plus the integration to all the other Google services).

I do have two-factor authentication after a scare.


Google offers Gmail paid ($5/mo IIRC). With that you get support (among other benefits).


This actually happened to me a few years back and, eventually, they were very helpful.

The key for me was providing sufficient proof that the account really was mine and really had been hacked. I gave them as much information as I could remember/check:

* some contact names

* some tag names

* some recent thread subjects/recipients

* name of the person who first invited me to GMail back in the day

* details of any labs settings, theme etc

* mailing list subscriptions

I wish I could remember the email address I used to get in touch with them but, as I said, this was years ago now. I definitely found it somewhere publicly available, albeit buried somewhat.

HTH


Hm, I'd try timing the request so that it's the middle of the night wherever the thief lives. Try once assuming that he lives in America, once assuming Eastern Europe.


This may not be the quickest result, but the basic idea of just trying & trying & trying... until you eventually beat the hacker sounds almost like a game.


What if the hacker tells google that OP's other non-hacked email "has been hacked" and to please unlink it from the hacked account? :D


Game over :/


Unless they've scripted the process to open password reset emails and follow the cancel link.


I guess is all about: how can you prove you're not the hacker?


Location of past IPs used to access GMail

Knowledge about items on the inbox/address book

Location of devices used to access the account

Knowledge of past passwords

Not sending password reset emails to secondary emails that have just been added


If a human looks it would be trivial for me to do the legwork to prove I own the google account.

I've had more than one job that uses gmail in the office, including my current one. My boss's account is presumably authenticated and if I bugged him he would vouch for my identity.

I have correspondence with a bunch of people in my google account going back years. I could bug any number of them to vouch for me.

I've had, in the past, a few work accounts that used google, that had my picture associated with it. I can do a google hangout to show that that is still my face.

I have a driver's license with my real name on it, which matches my google account.

I control the phone number associated with my google account.

. . . A hacker could compromise one or two of those, but it would be hard for him to get a majority of them, even if he had my phone and email in his control.


The right way for these companies to restore your account would be for several of the contacts you've added long ago to verify that it is indeed you, in some way a machine can use, such as you signing in with your OLD credentials (which are kept around), filling out a form with their contact details (which were in the address book on the service and to which you have sent at least a few emails long ago) and them forwarding you the generated keys to your email by some method they choose to reach you -- only by collecting 4 or 5 of these keys could anyone unlock the account. Presumably you choose the people to whom you've reached out another way and explained how to tell you the code to activate your email.

This is like an alternative to two-factor communication. It can only be defeated by someone actually hacking your account and then convincing 3-4 of your close friends to send him the keys to your account when you start the dispute.

I'm a big fan of using information obtained easily and casually in the course of doing something productive (like often emailing someone) for good purposes.

PS: I have disclosed it publicly on this date so no patenting! :-)


Google provides some great services, but support is lacking.

I suggest, for the future: 1) use two factor authorization 2) use a separate email service because email is so important that you need the best support, etc. that you can get (I use Fastmail) 3) periodically download your Google data so if you ever need to set up a new Google account, you have some of your old context

I do still use GMail, but as a backup email.

I am going to start teaching free Internet security and privacy classes at my local library so I have been thinking a lot about these issues. Google, Facebook, Twitter, etc. provide really nice services, but it is important to consider privacy issues and have a plan for using these "free" services.


It's a free service. You get what you pay for.


I think it's more accurate to say that you don't get what you don't pay for. Did the folks who bought Worldcom stock get what they paid for? Enron? Bre-X?


If they're going to have a way to cancel password change requests, they also have to have a way to cancel change-of-alternative-email requests. That's the first thing a hacker changes.

Additionally, you have to track every change with a timestamp so that you can invalidate everything that came AFTER the change you just reset. That will prevent a hacker from being able to screw with the account, because the original email address will also be able to cancel future changes, no matter how many times the perpetrator did it.
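
The ordered change log described above, as an added example (not the commenter's code): every change is recorded with a sequence number, the cancel token is mailed to the recovery address that held before the change, and cancelling one change reverts it and everything recorded after it. Field names and addresses are constructed.

```python
# Constructed example: an account-change log where cancelling a change also
# reverts every later change, so the original recovery address always wins.
from dataclasses import dataclass
import itertools

@dataclass
class Change:
    seq: int          # monotonically increasing; stands in for a timestamp
    field_name: str
    old: str
    new: str
    cancelled: bool = False

class AccountLog:
    def __init__(self, **initial):
        self.state = dict(initial)
        self.changes = []
        self._seq = itertools.count(1)

    def apply(self, field_name, new):
        """Record a change and return (cancel token, address to notify).
        The notification goes to the recovery address *before* this change,
        so the previous holder can always undo it."""
        notify_to = self.state["recovery_email"]
        ch = Change(next(self._seq), field_name, self.state[field_name], new)
        self.state[field_name] = new
        self.changes.append(ch)
        return ch.seq, notify_to

    def cancel(self, seq):
        """Revert change `seq` and every change after it, newest first, so
        each field ends up at the value it had just before `seq`."""
        for ch in reversed(self.changes):
            if ch.seq >= seq and not ch.cancelled:
                self.state[ch.field_name] = ch.old
                ch.cancelled = True
        return dict(self.state)
```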


Google sends the recovery information related emails on the recovery email address. So they won't be going to the account that is not accessible to you (I prefer to say that instead of hacked). And the link to cancel the request is indeed a good idea, because if someone else submits a password reset request, then you must be able to cancel it because you did not initiate it. Otherwise, you will end up losing your account to the real initiator of the request.


Adding to discussion: once I tried changing a coworker's gmail password just for fun (he was right beside me and doubted that I could) by just providing a few ordinary pieces of information I knew about him (e-mail lists we were both subscribed to, e-mail from our boss, other coworkers, etc). Well, I was able to change his password to a completely new one. Very concerning, not sure if it still remains that easy.


A while back, I was chatting with someone on gTalk who I had pissed off in a forum. The next time I tried to sign in, my password had changed. I had to do the reset.. when I signed back in, no signs of foreign IP access were there.

My best guess: malware on the forum OR they exploited a vuln on Gmail.com similar to how hotmail.com & yahoo.com used to be very very vulnerable..



I would see if you can upgrade your gmail to a paid account and then contact their support. Free accounts get very little attention but paid accounts will get you to a real person eventually.


Great - but that only works if you have access to the account. Otherwise I could take over any account by simply paying? I guess Google is smarter than that.


I guess you just need to be faster than the person who hacked your account. Just before the cancel link is clicked you gotta make your move.

Yeah, and the cancel request was a total stroke of genius!


I imagine that Google would allow the "cancel request" to override recent password alterations to avoid accounts being taken over simply because the cracker moved faster than the owner once it was realised the Google account was cracked/accessed.

It may not be enough to run a password update before they act on the email. It also may not be physically possible if they have a script watching for such emails from Google and cancelling the request immediately; you'd then need to set up a faster method and/or receive the email before they did.


I'm assuming you've tried this: https://support.google.com/mail/answer/50270?hl=en&ref_topic....

On the other hand, it is a free service. If you'd have the business subscription, they do have a helpdesk you can contact by phone: https://www.google.com/work/apps/business/support/


Tried that. It will send me a link to the original hacked email with a link to cancel the request!!!!


It's not a free service, and it never has been. I pay them with my personal information and not with national currencies.


And, the loop continues. Can't they reset your gmail account? Yes they can! Ask them, explaining the problem.




If you get your account back I would look at setting up 2-Step Verification: https://support.google.com/accounts/answer/180744?hl=en


Have you tried the forums? If so, could you point me to the post, please?


You can also receive a pin code via sms on your phone...


The hacker has modified that number too


Hacker != Guy who phished your password


Hi I'm a secret agent of sleepy town


For next time: pay for google apps.


Did you post on the gmail forums?


I'm a little baffled at the idea that the forums would be able to resolve this sort of thing.




edge case - scheduled for sprint # 5642


Cool


> What to do?

The first step would be to edit the title of your submission to begin with "Ask HN: hacked Google account, what to do?", since you're asking a question.

"Google hacked account" means, to an English speaker, that Google perpetrated hacking against some account somewhere (subject-verb-object, right?) E.g. Google people gained access to your bank account. I.e. your current submission title is clickbait.


Your nitpicking isn't helping anyone.


Nitpicking? I had no idea what this submission was even about. I thought maybe Google, the company, was hacked by outsiders. That was my best guess. Or even "Google hacked" could imply "Hacked by Google", I don't even know.

The current title is ambiguous at best; just plain misleading/sensational at worst - especially now reading that this is really about just one person losing access to their Gmail.

_____

EDIT: In case the title does get changed, the original title that I'm looking at right now is "Google hacked account". This is what I woke up to this morning --- http://i.imgur.com/vWJ41ck.png


It's just so not important.. from the content of the guy's submission it strikes me that English may not be his first language.. he's here asking for help with a problem and the top response he gets is some ass berating him over the wording of his title.

But oh right, you woke up this morning and the sky was falling, all because you had to take an extra 30 seconds to actually read the fucking post


It didn't really sound like kazinator was berating in their reply. It actually sounded rather helpful. Please be more mindful when replying to people here. Less tendency to jump to vitriol would be helpful.


Did it occur to you that he might get more help, from people in the know, if the link actually indicated that he needed help?


It would be helpful to many who will misinterpret and be visiting now that the thread is on front page.


That's the least relevant thing you can tell someone with 130+ points and 60+ comments.


I visited because I misinterpreted the title and I think the grandfather comment shows that it's not an exception.


With all due respect, your very misleading title gave the impression that Google security was hacked when in reality you were hacked either by social engineering, using a very weak password or not using 2 factor authentication.


I WANT TO CHAIRMAN OF GOOGLE


Hello,

I believe i can help.


Now that's just cruel.


they went full microsoft


Strangely hotmail does a better job here...


Exactly the opposite, Microsoft might have worse services but their support is excellent.



