Putting any Google service connected to your account as a recovery method for your Google account seems like a problem to me. I don't know why the author didn't get any alternative recovery options if they had those configured like they said, but this is a good reason to only enter external services as any kind of contact or recovery mechanism.
Worryingly, after the whole ordeal the author still seems to choose to rely on their Google account now as much as before this all happened. It's kind of a miracle they got through to Google in the first place and it definitely won't happen again; it worries me that this post doesn't end with "and that's why I split my life across separate dedicated services". It feels like the author learned This One Cool Trick instead of the underlying lesson, which is that Google (or Apple, or Microsoft, or any big provider) cannot be trusted to not randomly cut you off without warning.
Unfortunately even doing everything right is no guarantee. I have Google accounts that Google will not let me into even though I have the correct password because it requires a connection from the same network as past logins, which are in places I no longer live. I've read accounts from others in the identical situation.
My answer to this is that I've completely moved off of Google except for an account I use for YouTube/Maps access that I could painlessly lose.
> I have Google accounts that Google will not let me into even though I have the correct password because it requires a connection from the same network as past logins
I don't get how that can possibly be a requirement. I mean, it's trivial to dream up a scenario where it is 100% legit to be in this situation.
I loathe these kinds of security measures that make up literally impossible tasks for some people.
There should always be a break-glass. That break-glass should not be tied to a piece of hardware. That's why I don't use 2FA unless there are break-glass OTP, or I can use a generic authenticator. Authy, for example, allows me to install 2FA on my phones and desktop - no need to worry about losing my phone meaning I can't get into my accounts.
My bank on the other hand, uses Symantec VIP, which has no backup or break-glass. So my bank (the only one offering 2FA) is 1FA.
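A concrete shape for the break-glass path the comment above asks for, written as an added example for this page rather than taken from any provider's or authenticator vendor's code: a standard RFC 6238 TOTP check (what a generic authenticator app computes from a shared base32 secret) alongside single-use backup codes that are stored only as salted hashes and burned on first use, so losing the phone does not mean losing the account. The demo secret, the code format and the one-step skew window are assumptions for the illustration.

```python
# Added example, not from the thread: a second-factor check with a break-glass
# path. TOTP per RFC 6238 (HMAC-SHA1, 30 s steps, 6 digits) plus single-use
# backup codes kept only as salted hashes, so a lost phone does not lock you out.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TOTP_STEP = 30
TOTP_DIGITS = 6


def totp(secret_b32: str, for_time: Optional[int] = None, step: int = TOTP_STEP) -> str:
    """TOTP for a base32 secret at the given (or current) time, as a generic authenticator app shows it."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


class BackupCodes:
    """Break-glass codes: generated once, shown once, stored hashed, accepted once."""

    def __init__(self, count: int = 10):
        self.salt = secrets.token_bytes(16)
        self._hashes = set()
        # Plaintext exists only at generation time so it can be shown or printed once.
        self.plaintext_once = ["-".join(secrets.token_hex(2) for _ in range(3)) for _ in range(count)]
        for code in self.plaintext_once:
            self._hashes.add(self._digest(code))

    def _digest(self, code: str) -> bytes:
        normalized = code.replace("-", "").replace(" ", "").lower()  # tolerate how users retype them
        return hashlib.sha256(self.salt + normalized.encode()).digest()

    def redeem(self, code: str) -> bool:
        """True exactly once per code; the matching hash is removed so a replay fails."""
        d = self._digest(code)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, d):
                self._hashes.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


def verify_second_factor(secret_b32: str, codes: BackupCodes, submitted: str,
                         now: Optional[int] = None) -> str:
    """Return 'totp', 'backup' or 'reject'. Allows one step of clock skew either way."""
    t = int(time.time()) if now is None else now
    if submitted.isdigit() and len(submitted) == TOTP_DIGITS:
        for skew in (-1, 0, 1):
            if hmac.compare_digest(totp(secret_b32, t + skew * TOTP_STEP), submitted):
                return "totp"
        return "reject"
    return "backup" if codes.redeem(submitted) else "reject"


# Assumed demo secret: the RFC 6238 test-vector seed "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    codes = BackupCodes(5)
    print("store these offline:", codes.plaintext_once)
    print(verify_second_factor(DEMO_SECRET, codes, totp(DEMO_SECRET)))        # totp
    print(verify_second_factor(DEMO_SECRET, codes, codes.plaintext_once[0]))  # backup
    print(verify_second_factor(DEMO_SECRET, codes, codes.plaintext_once[0]))  # reject (already used)
```

The backup codes are the part that makes this a break-glass rather than a second piece of hardware: nothing about them depends on a device, they survive a phone loss if kept on paper, and because only salted hashes are stored a dump of the account database does not hand them to an attacker.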
I kind of hope she reached that conclusion but just didn't include that in the post. In particular having your primary phone and email tied to Google is just a bad idea, period. They do not care. They do not have the capacity to care, by design.
I propose Google Human™, a new service that gets you in contact with a Google support person, where you pay a rate of $5.00/mo to get premium Human™ support services, so you can get back into your account without having to yell over social media in an outrage and 'escalate' your issue to Google employees over Hackernews or Twitter.
This isn't really a story about missing access to human tech support at Google so much as it is a story about Account Recovery, The Hardest Problem In Authentication. Anything Google did to make it take just a day or two to recover a totally locked account would be abused ceaselessly to take over people's accounts.
There are no good answers here. A lot of things that work as one-offs or rarities will stop working if everyone does them. If there's a FCC form you can file that short-circuits Google's current process, and it becomes popular, that form is going to stop working. Restoring your access to a locked account is simply less important than ensuring strangers can't "restore" access to your account.
Obviously, one good change Google could make here would be to refuse to accept Google Voice numbers as an authentication factor.
There have been complaints after complaints about people being locked out of accounts, and there are no easy ways to recover - often no way at all.
To say that the paid support you're paying for can't help you access the service you're paying for, that's a bit rich.
> Restoring your access to a locked account is simply less important than ensuring strangers can't "restore" access to your account.
That's a false dichotomy. If you can pay, say, $200, and get 30 minutes with a tech who has access to your email and can go through a manual, interactive process to verify you are who you say you are - for example, if you can prove you hold the credit card that's been used to pay for Google One for the past couple of years - well, these "strangers" are going to have to work REALLY hard to "restore" their access to your account. Probably well more than $200 and more than it costs to install a keylogger and sniff your password anyway.
If I needed to, I could physically walk to my bank and they would unlock my bank account on the spot. That also seems like an excellent protection against people getting their account hacked from overseas. No Indian call center is going to show up in person inside the US to recover your account, so those people that do show up have a high likelihood of being the correct person. Google could also require people to show their ID card and sign a copy of it so that if an account is maliciously reset this way, the original account owner can subpoena them to get the ID card copy that the scammer used.
It's not rocket science. All banks can do it. It's just a tiny bit more expensive than saying "fuck you" to 0.1% of your customers.
AWS has a decent (corporate) solution to this. They simply outsource account recovery and user attestation to the state and the finance industry. You stake money on a financial medallion (a contractual instrument that's a guarantee of sorts). Presumably you will get sued and armed men will come after you if you commit fraud. It doesn't scale well outside of the big cities but it could be a viable option for Google.
Most civilized countries have strong authentication methods which are behind easy and cheap APIs for Google and others to use if they really care about restoring access.
Too bad low-level support workers cannot do anything. All they will be able to do is read the AI-auto-generated text to you and answer your questions by reading from the prepared responses. You pay for having a human read to you what the computer system produced. For supporters to be cheap and exchangeable (for the business) they are bound to executing the prepared algorithm and script without option to deviate. Often they cannot even access relevant information about you, never mind updating anything in the database.
To get someone able to actually make decisions, especially when they are against a measure the system automatically put in place following its programmed or AI-derived rules, you need to go at least two levels higher. Even "managers" often - usually? - only have discretion within pre-determined possibilities and scenarios.
100% true.
What to say to get escalated to these levels?
In situations like this I asked to escalate it but was denied. Said there was 'nothing they could do' and parroted the relevant sections ad nauseam.
What I find funny is that low level support at Google can't do anything at all to help you, unless it's a low level Google Ads rep. Then they ask for carte blanche access to make any and all changes to your Ads account to 'help you'.
It all comes down to which direction, and how much, the money is flowing with them.
This has so much extortion potential I'm surprised all the major tech companies aren't doing it and milking it for all it's worth. It's amazing they have left this cash on the table for this long.
Google One comes with phone, chat, or email support in 23 languages. Hit the support button and they call you within minutes, which is a support system on par with Bloomberg terminals. $1.99/month.
Didn't know this - I was gonna subscribe potentially to GSuite for personal stuff but I guess I already have official support. Probably will just stick with that then!
edit: As people are pointing out below, however, is there no way to use Google One support if you are locked out of your account?
When I was a Google employee, I helped a friend go through their account lockout issue. It was because they used MFA to a phone number, but later changed their phone number, which made them unable to login. He tried so many times that some velocity threshold was hit, further limiting the possibilities.
My friend needed to respond to some interview scheduling, so, it was a stressful situation.
Part of the problem was that it was hard for my friend to find a way to create a support ticket. He did in the end and got in a line of communication via an alternate email.
There were many miscommunications from both my friend and the support agent. While Account Recovery or even basic identification are hard to navigate for technically-minded folks, it's even more challenging for non-technical folks, including the support agent.
In the end, I got in touch with the support person, helped translate what they wanted to know to my friend, and likewise, translated what my friend was saying in a way that the support person could understand.
I don't think I was able to see the support ticket itself, because of PII restrictions. In the end, my friend was able to restore service. I doubt he'd have been able to without my support in time to respond to the interview scheduling.
This was more or less my exact same scenario as well. MFA with an old phone number makes account recovery from Google about close to impossible. I had a friend who worked at Google that was able to create a support ticket for me. Before talking to my friend, every single customer service support rep more or less confirmed that I was completely SOL.
It is the reason why I have transitioned from Google.
I'm thinking of doing this and I haven't yet figured out how to migrate all the accounts I have associated with my GMail account. Do you have any suggestion/tips for a fellow potential immigrant? :)
I moved to Tutanota and what I did is forward all my Gmail emails to my Tutanota email. It made it much easier to switch because I could immediately start using Tutanota and then migrate my accounts overtime to eventually delete Google completely.
Nope. As the article says... contact the FTC to port the phone number since they (or their supplier) are in violation of law... get response within a day and number ported within 30 days.
1. (Optional) Register a domain (So if you need to migrate in the future, you don't need to change your email address!)
2. Sign up for paid service somewhere else. Paid email services are extremely cheap, and worth it to have a phone number where you can call a real human person.
* If you wish to continue using the Gmail interface, skip step 3 *
3. Forward Gmail to the new account.
4. As you see messages you want coming to your Gmail account, switch them to your new account.
5. (Optional) If you really like the Gmail interface, use IMAP/SMTP to check your email in Gmail, even though it's really coming from/to your external account!
It's really easy to get away from GMail, and definitely worth it.
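Step 4 is the slow part, and a later comment in this thread wishes someone would write a migrator for it. As an added example (not from the thread, Google or any mail provider), here is the inventory half of such a tool: it reads a Google Takeout mbox export, keeps only mail actually addressed to the Gmail address (mail forwarded in from elsewhere is not tied to the account), groups senders by domain, and flags domains that have ever sent verification or password mail, since those are the logins to re-point first. The mbox sample is constructed inline; the address and the subject patterns are assumptions.

```python
# Added example, not from the thread: inventory the services tied to a Gmail address
# from a Takeout mbox export, so each login can be moved before the account is cut off.
import email
import re
from collections import defaultdict
from email import policy
from email.utils import parseaddr

# Subjects that usually mean the address is a login identifier, not just a newsletter target (assumed list).
AUTH_PATTERNS = re.compile(r"verif|password|sign[- ]?in|2fa|one[- ]time|security code|login", re.I)


def split_mbox(text: str):
    """Yield raw messages from mbox text; each message starts with a 'From ' envelope line."""
    for raw in re.split(r"^From .*$", text, flags=re.M):
        raw = raw.strip("\n")
        if raw:
            yield raw


def inventory(mbox_text: str, my_address: str):
    """Map sender domain -> {'count', 'senders', 'auth_mail'} for mail addressed to my_address."""
    result = defaultdict(lambda: {"count": 0, "senders": set(), "auth_mail": False})
    for raw in split_mbox(mbox_text):
        msg = email.message_from_string(raw, policy=policy.default)
        recipients = str(msg.get("To", "")) + "," + str(msg.get("Cc", ""))
        if my_address.lower() not in recipients.lower():
            continue  # forwarded in from another mailbox: not a dependency on this account
        _, sender = parseaddr(str(msg.get("From", "")))
        if "@" not in sender:
            continue
        domain = sender.rsplit("@", 1)[1].lower()
        entry = result[domain]
        entry["count"] += 1
        entry["senders"].add(sender.lower())
        if AUTH_PATTERNS.search(str(msg.get("Subject", ""))):
            entry["auth_mail"] = True  # this service uses the address to authenticate you
    return dict(result)


def migration_order(inv):
    """Services that send auth mail first, then by volume, then alphabetically."""
    return sorted(inv, key=lambda d: (not inv[d]["auth_mail"], -inv[d]["count"], d))


# Constructed sample export (four messages; the last is addressed to another mailbox).
SAMPLE_MBOX = """From MAILER-DAEMON Mon Jan  3 10:00:00 2022
From: "Example Bank" <alerts@bank.example>
To: me@gmail.com
Subject: Your one-time security code

Code: 123456

From MAILER-DAEMON Mon Jan  3 11:00:00 2022
From: Shop <news@shop.example>
To: me@gmail.com
Subject: Weekly deals

Sale!

From MAILER-DAEMON Mon Jan  3 12:00:00 2022
From: Shop <news@shop.example>
To: me@gmail.com
Subject: More deals

Sale!

From MAILER-DAEMON Mon Jan  3 13:00:00 2022
From: Old Employer <hr@old-job.example>
To: other@fastmail.example
Subject: Password reset

Forwarded in from another mailbox, so not tied to the Gmail address.
"""

if __name__ == "__main__":
    inv = inventory(SAMPLE_MBOX, "me@gmail.com")
    for domain in migration_order(inv):
        flag = "AUTH" if inv[domain]["auth_mail"] else "    "
        print(f"{flag} {domain:20} {inv[domain]['count']:3} {sorted(inv[domain]['senders'])}")
```

Run it against the `All mail Including Spam and Trash.mbox` file that Takeout produces and work down the list: anything marked AUTH should have its login e-mail changed at the service before you stop reading the Gmail inbox, because a password reset for it will otherwise land in a mailbox you may no longer be able to open.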
Just do it! You'll have to choose anyway if you are one of the many folk here who use(d) a grandfathered free Google workspace plan with your own domain: it ends on June 1st, or thereabouts, and you'll be shunted into a paid plan (although there seems to be a waiting list for a free plan).
I did it last week. I signed up for Fastmail, followed their excellent documentation, and now only have a mandatory (new) Google account for a few apps in the Play Store that are not available anywhere else (but nothing paid). If I lose access to my Google account, I lose nothing.
My Fastmail migration basically went like this:
* Clean up mailbox, truncate mailing list folders.
* Copy mail to Fastmail using their importer.
* Change domain settings at your domain host (changing MX-records and a bunch of others); mail now goes to Fastmail.
* Set up mail and calendars in Thunderbird on Ubuntu and K-9 Mail on GrapheneOS.
The setting up part is easy. It's migrating user logins, subscriptions, and everything else tied to your GMail account that takes time and energy. Someone really ought to create a migrator app to get people off GMail and do the hard stuff.
I would love to do this - and it would be easy, as I'm already forwarding from my own domain and have been for 25 years - but I receive so much spam (>600 per day vs. ~20 non-spam per day) that only Gmail's spam filtering is good enough. I've tried others (like Fastmail) and typically ~50/day get through their spam filters, vs. at Gmail where on a typical day 1-2 get through.
As soon as anyone besides Gmail can successfully do spam filtering, I'm stuck with them.
(Why do I get so much spam? Because I've been using the same email address, never hiding it at all even on Usenet, for 25 years.)
Have you tried training a user-specific spam filter like bogofilter? You might need to save a few months of spam for training. I have a quite good false positive and negative rates.
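The kind of user-specific filter the comment above suggests, as an added example that is not bogofilter's code or anyone else's from this thread: a naive Bayes classifier over token presence with Laplace smoothing, trained on a handful of constructed spam and ham lines. Real use would train it on a few months of your own sorted mail, as the comment says; the samples, the tokenizer and the 0.9 threshold are assumptions.

```python
# Added example (not bogofilter): token-presence naive Bayes spam filter with Laplace smoothing.
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]{2,}")


def tokens(text: str):
    """Distinct lowercase tokens; presence rather than frequency, as bogofilter-style filters use."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self, threshold: float = 0.9):
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.n_spam = 0
        self.n_ham = 0
        self.threshold = threshold

    def train(self, text: str, is_spam: bool) -> None:
        toks = tokens(text)
        if is_spam:
            self.spam_tokens.update(toks)
            self.n_spam += 1
        else:
            self.ham_tokens.update(toks)
            self.n_ham += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | tokens) from summed log-odds; +1/+2 smoothing keeps never-seen tokens neutral."""
        if self.n_spam == 0 or self.n_ham == 0:
            raise ValueError("train on both spam and ham first")
        log_odds = math.log(self.n_spam / self.n_ham)  # class prior
        for tok in tokens(text):
            p_spam = (self.spam_tokens[tok] + 1) / (self.n_spam + 2)
            p_ham = (self.ham_tokens[tok] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str) -> bool:
        return self.spam_probability(text) >= self.threshold


# Constructed training lines; in practice, feed it your own spam and ham folders.
SPAM_SAMPLES = [
    "cheap viagra pills order now $$$",
    "you won the lottery claim your prize now",
    "cheap pills best price order online",
    "claim your free prize viagra",
]
HAM_SAMPLES = [
    "meeting tomorrow about the budget review",
    "can you review my patch before the release",
    "lunch tomorrow? the usual place",
    "release notes for the budget tool attached",
]


def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for line in SPAM_SAMPLES:
        f.train(line, True)
    for line in HAM_SAMPLES:
        f.train(line, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for line in ("order cheap pills now", "patch review tomorrow"):
        print(f"{f.spam_probability(line):.3f}  {line}")
```

The smoothing matters more than it looks: a token seen in neither class contributes nothing, so a message full of unfamiliar words is judged on the prior rather than pushed to either extreme, and the filter keeps improving as you retrain it with your own false positives and misses.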
I use gmail because it has this obscure addon thing that shows the number of unread emails in the favicon. Default gmail and all other email providers I have tried show the unread emails count in the title which is invisible on pinned tabs.
I have three email accounts outside of gmail that are forwarding to gmail so I can have a favicon counter. Those email accounts maintain their own copies of the emails. If gmail were to lock me out I would lose my favicon counter. I would need to get a new phone number to create a new account and set up the forwards to the new address.
Why do I insist on this convoluted setup? My previous email client was a firefox addon that showed me that counter and it made me read my emails. Every email account that doesn't follow this set up that I have has lots of unread emails.
I have a thunderbird instance with 140 unread emails open right now. I have 0 on gmail.
After reading stories like this, I've moved to "single purpose" accounts with Google. I have a youtube account, firebase account and a google analytics account, and all of them are separate from one another. My hope here is if google shuts down a single account, I only lose access to what that account did.
I read somewhere on HN in the last couple months that Google is prone to banning/deleting accounts that it thinks are associated with accounts it bans, so I would not do this.
I even recall an article where the google developer account of a company was blocked because it got associated with the personal account of one of their old employees.
I think Google allows 3-4 accounts since it's common for families to all use Gmail, so they're lenient in that regard. Obviously, creating 10 accounts with 10 Twilio numbers would arouse suspicion and those accounts would be swiftly banned.
Hope you're running all the up-to-the-minute anti-fingerprinting you can find. For a long while any time I went to YouTube even in a private window they'd ask me to log in under my old Google account that I hadn't used on that computer for years. It was creepy as hell and I'm still not sure if they've stopped because they can no longer associate that account with that computer or if they're just confident enough now not to ask.
Considering how much our digital lives are interwoven with our real lives, who will be held responsible if someone takes their life in sheer helplessness on the basis of Google's absolutely thoughtless and inhuman actions and unresponsiveness in the wake of them?
It might seem hyperbole but it isn’t. Who is to say it hasn’t already happened?
What is wrong with Google?
It's going to be like this: https://twitter.com/cnbc/status/1447916881009127430
According to this article being a Google One member didn't help them.
It still took a couple of days.
Also wouldn’t backup codes help in this scenario?
Given that I pay them money, I figure they’re at least somewhat invested in keeping me happy as a customer. Google clearly don’t give a shit.
1. If your registrar account is compromised, someone can redirect your mail at will.
2. If your payment lapses you might lose the entire domain.
3. If you die, it’s unlikely your family will understand how to maintain the system.
4. Some systems will classify your email as spam even with the right MX configuration (DMARC,DKIM etc)
I think the right choice is having a paid relationship with a mail provider that’s been in the business a long time, and use their domain.
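Points 1 and 4 above are where a self-hosted domain most often goes wrong in practice. As an added example (not from the thread or from any provider), here is a small checker for the two DNS TXT records that decide whether other systems trust mail from your domain: it takes SPF and DMARC record strings (fetch them with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`; the records here are constructed so the code runs offline) and reports the settings that get mail spoofed or junked: `+all`, `~all`, too many lookups, `p=none`, a missing `rua=` and a partial `pct=`.

```python
# Added example, not from the thread: flag weak SPF and DMARC policies in TXT record
# strings. Records are passed in as strings so this runs offline; the samples are constructed.
import re
from typing import List

# Terms that cost a DNS lookup under RFC 7208 (the "all" mechanism deliberately does not match a\b).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def assess_spf(record: str) -> List[str]:
    """Findings for one SPF record; an empty list means nothing obviously weak."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (must start with v=spf1)"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    elif all_term.lower() in ("all", "+all", "?all"):
        findings.append(f"'{all_term}' lets any host send as this domain")
    elif all_term.startswith("~"):
        findings.append("'~all' softfail: receivers may still deliver spoofed mail")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the RFC 7208 limit of 10, evaluators return permerror")
    return findings


def assess_dmarc(record: str) -> List[str]:
    """Findings for one DMARC record (the TXT at _dmarc.<domain>)."""
    findings = []
    if not record.lower().startswith("v=dmarc1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif p not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


# Constructed sample records.
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_SPF = "v=spf1 mx a include:_spf.example.net +all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for name, rec, fn in [("SPF", GOOD_SPF, assess_spf), ("SPF", WEAK_SPF, assess_spf),
                          ("DMARC", GOOD_DMARC, assess_dmarc), ("DMARC", WEAK_DMARC, assess_dmarc)]:
        print(name, rec, "->", fn(rec) or ["ok"])
```

DKIM is deliberately left out: whether the selector key in DNS matches what your provider signs with can only be checked by verifying a real signed message, which a string checker cannot do. Together the two checks above cover the registrar-compromise concern in point 1 from the other side as well: a `p=reject` DMARC policy with `rua=` means you get a report when someone starts sending as your domain, including after a registrar takeover.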
https://news.ycombinator.com/item?id=30855065