Would be interested in knowing how they bypassed 2 factor authentication, assuming you had that enabled.
Unfortunately, it's a tough situation since for all Google or we know you could be the hacker trying to get into the account and hard for them to verify who you are, since if the hacker was able to steal person's phone to bypass 2 factor authentication, they may also have access to a copy of your drivers license or ID to send to google in an attempt to verify they are you.
While far from ideal, assuming you don't have a close friend to contact google for you via their google apps admin account, you could create a new trial google admin account and then contact google through that mentioning your situation of your other account. While they will still have to find a way to verify who you are at least you'll reach a real person.
My mistake was that I didn't enable 2 factor authentication.
I contacted them and offered to supply a copy of my password and driver license, they said the only way is to go through the dysfunctional online method to recover the password.
I did create another account, they still send the link to cancel the request to the original account!!!
Except that now Google has my phone number linked to my identity too. I know this is not everyone's use case, but for those of us that care deeply about privacy, that's not a good alternative.
If that's not a good counterpoint, my phone/SMS service sucks when I'm traveling abroad, which is exactly when Google thinks I'm not me.
I wish Google supported TOTP like Github does, without asking for a phone number.
Yes, they do, but there's no way to set it up without giving your phone number first. Whenever I enter into the 2FV options, I have to give a phone number, no alternative. I have no idea why. Sorry I wasn't clear enough.
My guess is that you can eventually enable that, but not at first. When I click on the "get started" button, I get "Step 1: Set up your phone", with no alternative button in sight.
If you didn't enable 2FA, how on earth is Google or anyone for that matter able to verify it's you that owns the email address? Anyone at any time could claim they were hacked, and it's not like they require a drivers license ID when you register.
Honestly I'm not sure what Google can do here that (a) doesn't require them to now individually support users ($$$) or (b) doesn't open them up to thousands of erroneous claims.
I would prefer a system where I can pay $100 to Google to get a competent human to look at the case versus now where I can hope I have a friend of a friend to make enough noise to get someone's attention.
SMS-based 2FA is really "security through obscurity". It's "good enough" (generously said) if you happen to not piss anyone off or be someone's target. Otherwise, not so much. I don't think enabling SMS-based 2FA will pose any problem for China to hack back into OPM for instance, and yet I think that's one of their "fixes" right now.
Google's Authenticator is also useless as now Gmail allows you to bypass the Authenticator when you can't authenticate with it for whatever reason, and go straight to using SMS 2FA instead, which brings us back to point one.
Unfortunately, it's a tough situation since for all Google or we know you could be the hacker trying to get into the account and hard for them to verify who you are, since if the hacker was able to steal person's phone to bypass 2 factor authentication, they may also have access to a copy of your drivers license or ID to send to google in an attempt to verify they are you.
While far from ideal, assuming you don't have a close friend to contact google for you via their google apps admin account, you could create a new trial google admin account and then contact google through that mentioning your situation of your other account. While they will still have to find a way to verify who you are at least you'll reach a real person.