An Example of a Sad Google Account Recovery Failure and Its Effects

3 years ago (lauren.vortex.com)

> They’ve all basically hit the brick wall of Google suggesting that at their scale, nothing can be done about such “edge” cases.

The thing is that at scale your “edge” cases are still millions of people. Companies love the benefits that come from scale, like having a billion people use their service, but they never seem to be capable of handling the other parts that come with it :(

  • What I don't understand is why there isn't some kind of paid escalation option. I fully understand why they don't provide free human support for a billion unpaid users, but couldn't there be a $50 "OK, we will actually take a look at your issue" option? Surely that wouldn't be a money loser. Hell, you could outsource it.

    It seems instead that they just don't even want to touch it.

    • If that actually becomes a paid service, it must legally bind Google to provide some formal results out of it, or people that paid can now sue Google for something like negligence. Then Google can't conveniently hide all the details about why accounts got banned when people demand them in court. It's a whole can of worms for Google for a morsel of revenue.

    • This exists… if you know a googler. I got locked out of my 14ish year old account due to the AI deciding I was no longer the rightful owner even with TOTP codes, SMS, and printed backup codes. I asked a friend who works at Google, and there’s an internal form they can fill out to recover an account. I received a non-template response less than 30 minutes later with a link to reset my password.

    • Because it would look like "Google is holding my account hostage unless I pay them".

      I can't believe I'm writing this, but this is where a middleman could help. Companies can pay a fixed subscription to become "Google Gold Partners" and get privileged access to tech support resources. Users with issues don't pay Google directly, they pay those companies to solve their issues with Google products. In this way Google is still incentivized to solve problems as quickly as possible.

    • Interestingly, many people already pay for Gmail (or rather Google One) for extra capacity. Yet, I'm pretty sure they get the same support experience. I think it's just not worth it for them to change, given that everyone seems OK with the current approach (that lady and a few others obviously aren't, but I don't think they really even make a dent in Google's reputation).


    • 100% this. It seems so obvious. If edge case escalation is uneconomical, price it so it's not.

      I once lost a Google account because of their "the password is not enough, we'll randomly decide what is" policy. It's very unpleasant to get to that "make another account" page, and realise it's all gone.

      I'd have happily paid money to go through identity verification and so on to get it back. It's sad they're just leaving this money on the table, hurting both themselves and their customers.

    • Because that can be seen as a money making opportunity by one of their executives in future and the number of accounts that would need support could rise.

  • The trick is regulation. A huge difference between the wildly profitable tech companies and most other large companies is that everyone else has to have customer service departments... large departments providing hundreds or thousands of jobs and salaries helping users with the product.

    Very simply, Google and the like should be required by law to have customer service adequate to support user needs in every language they operate. Problem solved.

    • In the case of a free GMail account, the user who doesn't get the support they need can get a full refund.

      In all seriousness, how does it even make sense to regulate expensive customer support for a free product?

      If you do, you may not have any free products anymore. But perhaps we'd be better off having decent customer support with no free products.

      As for paid products, it does make some sense to have some minimum customer support, but I'll be surprised if there's a proper way to word the legislation to achieve what we want it to achieve.


  • They aren’t “people”, they are “consumers”, “punters”, “suckers” or “revenue units”. I’ve heard them called less polite things, too.

    And that’s why this happens.

  • When Google was first starting, savvy techies were aware of aggressive sociopath companies (e.g., Microsoft), and also that Google would probably be very powerful.

    Maybe Google had some of that savvy and that's why they instituted "Don't Be Evil".

    With all the supposedly smart people and resources that Google has, you'd think they could somehow figure out how not to be the cause of marginalizing people while dismissing them as "edge cases".

    • Google seemed to change around the time they bought DoubleClick. That was around the time they stopped making anything new which was good, because they stopped making products which the people who worked there personally wanted to use and started making products which they needed to sell ads.

      I’m sure that you don’t see people looking out for users for the simple reason that the money guys won and the way you get rewarded is by viewing your customers as cattle.

I have a very old account that I still use for some email forwards to my main account. Even though I can verify all the other requirements, since I haven’t logged into that account with a machine it recognizes that I still have, apparently I will never be able to log into the account. Literally nothing can be done because Google would rather take the easy way to handle this.

  • I have an account that I made in 2005 that can't get past the circle of login nonsense even though I can provide verification codes when it emails the "backup account". What's the point of the secondary account if you can't use it to log in?

    There are now email addresses of some friends from my youth (before I wised up and stopped letting my Google account hold important data) forever locked away where I can't get to them. I'd probably have to work at Google to have any chance at all of recovering.

    Scroogled indeed.

  • I’ve (slowly) begun to make an archive of all my Google data so it will be less-awful should something ever happen. Your story scares the crap out of me because I (already) have an account that I’ll never be able to access again either - c’est la vie but it still stinks to know that a large part of my life is locked behind a metaphorical prison.

  • I have a similar story with a major ISP. I had their service 20 years ago but eventually switched to a different provider. They let me keep my email address, however, and I set it to auto forward to my new address. I have long since lost the ability to log into that original account, but it is still happily forwarding emails to this very day. They are always scams or junk. :P

  • Actually, there are opinions that Google exploits locked out accounts, to extract and sell all of its data (to include gov't organizations). It appears while the person still has access to the account, there are limits to how Google can exploit the data it contains.

    When the account is locked out, after a set period of time, Google can do whatever it wants with such data without limitations. The number of locked-out accounts which Google has and could totally and fully exploit is likely staggering and beyond what many can imagine.

  • This answers a question I have idly wondered: if I have set up email forwarding, but get locked out of the account, will Google continue to forward the address? So, probably best to configure it while I can.

Given the difficulty people talk about recovering an account to which they've lost the password or recovery methods, it seems like Google ought to periodically ask you to verify that your recovery e-mail and phone number and 2FA device are still correct. It seems like that would basically solve the problem in most cases.

So I kind of find it strange that I use Google services extensively, and yet I can't recall ever receiving a reminder of that kind. But maybe other people are?

Since Google seems to anecdotally make it impossible to recover an account if you don't have access to your old phone number or another logged-in device, it seems like it should be a bit more proactive in ensuring things like a phone number are kept up-to-date?

Obviously that won't help when people don't touch an account for years, but it would help in cases like this story, where people actively use an account on a device for years but without ever having to regularly put in a password.

  • > it seems like Google ought to periodically ask you to verify that your recovery e-mail and phone number and 2FA device are still correct. It seems like that would basically solve the problem in most cases.

    I get prompted to verify my recovery email ~once a year. You guys don't?

    • I don't but Google might be able to figure out I'm active enough (e.g. it can tell I pick up on Google Voice calls at my recovery number, and am always logged in with lots of devices) that it doesn't bother.

      So stories like this make me assume that Google isn't sending them out enough. But maybe it does? Then is there a question of people's responsibility if they ignore them?

  • I have a google account. I know the password. I have access to the recovery email.

    I however don't have access to the associated phone number. Google won't let me log in...

    • "I have a google account. I know the password. I have access to the recovery email"

      This also applies to Microsoft. Except Microsoft also asks for PII (name, DOB, country, gender). But they still want the old phone number.

  • That happens to me periodically, I am prompted to check the 2FA settings and confirm the phone number.

  • The cynic in me suspects that they probably tried this and discovered that they will lose a percentage of logged-in accounts and how much that costs their revenues/bottom-lines.

    Seriously though, even Apple does this: on phones with fast biometric logins they periodically ask you for your PIN/password every 1-2 weeks as a memory refresher.

    For Google: I think they should do a memory refresher too. Once you've confirmed that you remember it, they can stop bugging you for some time. And if a logged-in user can't remember it, then don't log the user out; give them time to save important things.

  • I have several accounts and Google will only show reminders for those I barely log in to. It even used to send reminder emails but that seemed to stop after I marked them as spam.

My wife lost her life’s email despite knowing the password. Google didn’t recognize the device, asked to verify using a phone she doesn’t have access to anymore. Despite knowing her login and controlling the recovery email, she couldn’t login. Everything was tied to her email. She lost access to many other accounts connected to the Gmail as well. Lost contacts, lost YouTube account, and on and on. It was honestly traumatic for her, and maddening because she has the password.

Do not use Google for email. Just pay $5/mo for an email service that won’t ruin your life for no good reason.

  • > My wife lost her life’s email despite knowing the password. Google didn’t recognize the device, asked to verify using a phone she doesn’t have access to anymore. Despite knowing her login and controlling the recovery email, she couldn’t login.

    A friend of mine has encountered this with the TOTP authentication code method. During a move from the US to Europe, they lost their phone. Google let them log in to their regular account no problem, but a second account they use infrequently for a social group got locked out when they tried logging in a month after the move. The TOTP secret key string is stored in their password manager and Google doesn't say that the password or TOTP key is incorrect, simply that "for your security, you must complete an additional step" by confirming in an app they no longer have.

    Maybe I have been doing IT for too long, but knowing the username, password, and any[0] second factor should always be enough. Surprising users with something else, that they might not have, is unacceptable.

    0 - I'm willing to forgive if a second factor was recently enabled; maybe the scammer got in and added a new phone number or backup email account or generated emergency access codes. But, configured more than 14 days ago? Must work.

    • I had this issue.

      Next time I visited the city I usually logged in from years ago (I had moved), it worked no problem.
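The policy argued for in the comment above (username + password + any one enrolled second factor is enough, with a second factor enrolled less than 14 days ago treated with suspicion) as a small login decision function. This is an added example; it is not code from the thread, from the commenter or from Google. TOTP is computed per RFC 6238 with the standard library only, and every user, secret, salt and timestamp is constructed for the demo.

```python
"""Added example, not from the thread: accept a correct password plus any ONE
enrolled second factor; a factor enrolled less than 14 days ago may have been
added by an intruder, so it earns a step-up check instead of an outright deny."""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass

FACTOR_SEASONING_DAYS = 14      # the commenter's threshold: older than this "must work"
DAY = 86_400


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_matches(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift, constant-time compare."""
    return any(
        hmac.compare_digest(totp_code(secret_b32, unix_time + drift * 30), submitted)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Factor:
    kind: str           # "totp" or "backup_code"
    material: str       # base32 TOTP seed, or sha256 hex of the backup code
    enrolled_at: int    # unix time the factor was added


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    factors: list


def decide_login(acct: Account, password: str, kind: str, value: str, now: int) -> str:
    """Returns ALLOW, STEP_UP or DENY.  Password + any one seasoned factor is enough."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "DENY"
    for f in acct.factors:
        if f.kind != kind:
            continue
        if f.kind == "totp":
            ok = totp_matches(f.material, value, now)
        else:
            ok = hmac.compare_digest(hashlib.sha256(value.encode()).hexdigest(), f.material)
        if not ok:
            continue
        if now - f.enrolled_at >= FACTOR_SEASONING_DAYS * DAY:
            return "ALLOW"
        return "STEP_UP"    # correct, but enrolled recently: ask for an older factor as well
    return "DENY"


# --- constructed demo data (hypothetical account, not a real one) ---
NOW = 1_700_000_000
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of the RFC 6238 test seed
DEMO_BACKUP = "wxyz-1234-constructed"
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD = "correct horse battery"
DEMO_ACCOUNT = Account(
    salt=DEMO_SALT,
    password_hash=hash_password(DEMO_PASSWORD, DEMO_SALT),
    factors=[
        Factor("totp", DEMO_SECRET, NOW - 400 * DAY),                                          # long-standing
        Factor("backup_code", hashlib.sha256(DEMO_BACKUP.encode()).hexdigest(), NOW - 3 * DAY),  # added 3 days ago
    ],
)


def demo() -> dict:
    """Four login attempts against the constructed account."""
    return {
        "old_totp": decide_login(DEMO_ACCOUNT, DEMO_PASSWORD, "totp", totp_code(DEMO_SECRET, NOW), NOW),
        "new_backup": decide_login(DEMO_ACCOUNT, DEMO_PASSWORD, "backup_code", DEMO_BACKUP, NOW),
        "bad_password": decide_login(DEMO_ACCOUNT, "wrong", "totp", totp_code(DEMO_SECRET, NOW), NOW),
        "no_such_factor": decide_login(DEMO_ACCOUNT, DEMO_PASSWORD, "sms", "123456", NOW),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of `STEP_UP` rather than `DENY` is the commenter's own caveat: a freshly enrolled factor is exactly what an account takeover leaves behind, so it is worth an extra check, but a factor that has been on the account for months is the legitimate owner's and must work on its own.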

  • > Just pay $5/mo for an email service that won’t ruin your life for no good reason.

    Just because you're paying doesn't mean you won't get into these situations.

    • Yes… but in Fastmail’s case when I encountered an issue I had a “We appreciate your feedback on your use case. We'll take it into consideration for future product planning.” (which is all I was really asking for) from Neil Jenkins, of JMAP fame, within three messages of mine, starting at the standard support form.

    • Hey it’s your email, trust Google with it if you want. Just know if you ever run into a situation there is no support and they will not help you regain access.


I had a YouTube account, JimmyRcom, with about 21 million total views. I already had 2 strikes from bogus copyright strikes I never appealed, over 15 years or so. I updated my videos with Coinbase referral links. It got picked up as spam and I had my YouTube deleted. This also meant the years of favorites, collections, my kids' favorites got deleted. All appeals failed. I offered money to leave YouTube blocked but get my favorites back. Still wish I could get it back; it hurt quite a bit losing everything. After my kids finally got into school, and the corporate grind cooled down a bit, I really wanted to get back to making videos.

I fully expect to someday lose access to my gmail account because I regularly delete cookies and I won't give them a phone number. If they won't accept a password as proof of ownership on an account, then the account will someday be dead.

  • So, I have this issue as well, but I found a way around it.

    Add the Google account to an old Android phone you don't use (maybe even an emulated Android would work) and it skips all the verification stuff simply because it's on a phone. That way you can keep it logged in and change things even if you can't log in via a browser.

  • Part of the issue is the account is not dead, in the way many people think. Once you are locked out, after a period of time, Google can do what it wants with it. Which may include looking over or extracting any data from it, then selling it to whoever they like. And where those other entities may be storing your information (or continuously updating a profile about you), for their purposes and however long they like.

    So the account is "dead" to you, but not necessarily to Google or at least not until they extract what they want from it (and have sold it to whoever).

Google is attempting to migrate my account to Passkeys, which doesn't work at all for me. Despite spending significant time trying to get it to work I cannot get a passkey that works on my iOS device, and without it it seems impossible.

And yet Google keeps trying to log me in using it.

  • I had a similar experience with an Android. Even though I never approved the use of my phone, Google account security showed it was registered already.

    The prompts went away when I explicitly removed it as a sign in option.

    I also had to explicitly disable "skip password when possible".

I pay for Google One for this reason and ultimately account recovery due to theft if it came to it. I've never had to reach out to Google but supposedly if you are a paying customer, customer service does exist. I know that the Fi infrastructure has CS you can reach, as I talked to them back when Fi first launched and I did some promotion flipping to get a Pixel. I'm probably gonna pay for Microsoft's offering; it seems you can't just buy Hotmail anymore and instead have to pay for the whole Office + storage subscription. Same reasoning though: I want CS I can reach at my email provider and I want to know they still exist in 20 years, if email still exists.

A few weeks ago, I was in a similar situation: I needed to read an email on an old account. I typed my email and my password, and then got an error. It was blocked for some reason, and it asked me to check my recovery email, except that email was never validated (there was a mistake in the domain extension). It should never have blocked an account with a valid password when the recovery email was never validated. I successfully talked to human support; they told me they could do nothing about it. It magically unlocked a few months later. If you lost your account, keep trying; one day you may access it.

  • > It should never have blocked an account with a valid password when the recovery email was never validated.

    Should it not? Accounts get "blocked" because of reasonable suspicion that they're compromised. It's not just something they do to annoy you. The overwhelming majority of these situations are surely just password attempt exhaustion. You or someone else tried a little too hard to log in with a bad password.

    So... your solution is to disallow that security layer for people who have typos in their emails and never went through the recovery process? That sounds like it's going to hurt and not help.

    I mean, yes. It sucks to lose access to an email account. It sucks immensely more to be hacked. And to some extent those requirements are in conflict. There are tradeoffs to be made.

    • > of reasonable suspicion that they're compromised

      Or more likely an automated unreasonable suspicion.

      > Should it not?

      Yes, it should never ask you for a confirmation that is impossible; this is simply nonsensical design. Also, months is not a useful tradeoff.

  • Weird, I’ve had the exact opposite problem. Added a recovery email years ago before Google required the recovery email to be verified. Then I needed to recover the account, but I was not allowed to do so as the recovery email wasn’t verified. Despite the fact I was never asked to verify it in the first place. What’s the point of a recovery email if it can’t be used to recover the account?

> When her ancient iPad finally died, she tried to add the gmail account to her new replacement iPad. However, she couldn’t remember the password in order to login.

There are of course no details on how exactly the iPad died, and it's possible it's been thrown away already, or that it has been remotely disabled, etc. But I'm very sure that the iPad can be repaired, or at least that the data on the iPad can be recovered. If the problem is that it doesn't "turn on", maybe spend a couple hundred dollars and send it to e.g. Northridge Fix.

  • If you get an old iPad, you can't (re)install modern apps.

    Apple has forced app developers to upgrade their apps, which has revoked support for older iOS versions.

    I ran into this over Christmas when trying to help someone who had been using an old "The New iPad" (I think the iPad 2) but had lost the charger cable.

    We charged it up, it powered on and reconnected back to their wifi. They had to re-sign in to Apple, but were unable to install any of the Google apps.

This is the 6th month since I lost access to my Gmail account because I forgot my password (I was forced to change it prior to that, and I changed my devices). I lost access to many services, from the McDonald's reward program to a bank account (which I can recover, I think). I just think it is such a bad idea to use email for accounts. I have migrated to iCloud email because it has a reasonable recovery process I can trust. I think the default option for accounts should be phone numbers; anything else is not great.

  • Have you considered the use of a tool such as a password manager or book?

    • In the past I have been using iCloud to manage my passwords, but since Gmail was my primary and I'd had the password for many years, I was able to remember it and didn't think it was necessary to keep this particular account in iCloud. Then 2FA was introduced and then forced on my account; I was also forced to change my password because Google was tightening its security (I don't remember exactly). I think that's when it went wrong. The funny thing with Google is that the recovery option should be my phone; somehow it is not enough for Google.

      Now I would absolutely use a password manager.

The worst in all of that is that when it is for a nefarious purpose, like government access or spying, they have no issue having an employee give access...

  • I wonder if GDPR, etc can require Google to hand you your data back even if you can’t access the account.

    • We seriously need some stronger consumer-protection laws in those areas. We live in a digitalized world. To some degree those accounts are a part of people's lives! Companies should not be able to simply take those away without any good reason and any way of legal recourse.

    • You most certainly can and they have to provide you the data. GDPR is about you as an individual and the login itself is irrelevant. Chances are you'd most likely hit the same wall when talking to the customer support.


I've had Google block accounts when I entered the correct password the first time.

And a related PSA: never use "login with Google" or the like. You're exposing yourself to a severe cascade risk for the sake of saving a little time.

And your email should be on your own domain.

  • > And a related PSA: never use "login with Google" or the like. You're exposing yourself to a severe cascade risk for the sake of saving a little time.

    > And your email should be on your own domain.

    Underrated comments, right here. I use login with Google for nonessential things, and own my email domains.

    The only things I'd add are that you should own both your email domain and the domain for your recovery email, AND that you should be backing up files and photos to another service/location.

80/20 solution: People want to use the gmail interface, so the ideal solution is to use a custom domain and point it there. You can still lose all that email but you don't lose the ADDRESS, so all the accounts that you use to login can be redirected to another email platform.

Archived all my old mail in a paid service. Still use the Google one for the easy one-tap login at many places. But if possible I added the other account too. Some places you can link logins together with a regular email password.

> I recognize that there are many different kinds of google users. Some folks [...] need maximum security.

(un?)fortunately this is not exactly true. While it's true that some folks do need "extra security", the steps in discussion here are fortunately still applicable for the general population. We as a society have decided (correctly) that leaking your private photos, conversations and data is an unacceptable risk, and punish the companies strongly for it. So companies cannot just make it less secure.

Auth is a complex topic with many gotchas, and there is just no way around it. It's like saying you'd like to drive a car without a license: sure, taking the license is "hard", but if you want to drive it's what you've got to do. Only here there are a hundred cars actively trying to crash into you and steal your goods.

  • > We as a society have decided (correctly) that leaking your private photos, conversations and data is an unacceptable risk, and punish the companies strongly for it.

    On what planet do companies get punished strongly for leaking PII? It happens to me multiple times per year and if I'm lucky I get a pittance from a class action suit years later. The executives who raked in huge bonuses cutting security don't get punished and the company stock price rarely suffers beyond a blip when the leak is first disclosed.

  • This class of users is also some of the most easily scammed.

    These folks, who need "less security", are the exact same who will tell a stranger their password over the phone simply because they said they worked for Google. Scammers can use data from an email account to write convincing fake communications that lead to folks losing their life savings.

    Teaching folks that their data isn't important enough to turn on security is teaching them to fall into scammers' traps.

  • Aren't those two different issues?

    Security against leaks needs to happen at the backend. Security to access an account doesn't protect against leaks of the database. It protects against personal data or identity theft, which is not something companies get punished for.

    • They are unfortunately all related in multiple complex ways; for example, password strength is important against leaks if the data is encrypted. Sometimes a leak happens through admin accounts, so if you have a single sign-in system then security to access those is important.

I've said it once, and I've said it again for well over a decade. The only google account recovery is creating a new account in 5 minutes. If doing that does not restore the full extent of the purpose for which you were using google's services, you're doing it wrong.

Google accounts serve one purpose: if you are trying to use a google resource that requires an account. Example: save some marked places on google maps.

I can't think of other examples. As the article states, Google's explanation for their user-hostile policies is that at their scale, there is no other option. The other option is: provide services at a scale you can support, and if going larger is not affordable, then you are not able to go larger.

Imagine going into a store. You purchase a microwave. You get it home, open the box, and in the box is a dead cat. You take it back to the store, and there's no one to talk to and no customer service desk. You walk back out of the store with your dead cat in the box, and when you show the receipt to the guy in the store, he accuses you of stealing a microwave because the receipt is from yesterday. No, he won't look inside the box, there's another customer walking out whose receipt he needs to check. Then they ban you from all their stores for trying to steal a microwave, because they have you on camera walking.

You write a letter to corporate, and they tell you that at their scale, they cannot have a customer service desk, or hire another receipt checker.

The thing is, there's actually no real reason to use google for anything. You don't need to ban it from your life, you just don't use it for anything that needs an account with data you need to keep. I use google products for maps and to chromecast to my tv. I use it for search. When I get a new machine or browser, that account just gets recreated because I don't bother storing their password or login name. Like for this site.

  • I have had a Google account for quite a while. I got a fairly early Gmail account when it was apply for an invite only. I had a G+ account that was taken around the back and a single shot heard. That was well after my home page of links thingie was unceremoniously put down (I can't even remember what that was called).

    I would not dream of actually putting anything useful into a Google account. The most basic of due-dil process should ring an alarm bell enough to awaken the dead.

    Entrusting your corporate data to Google is playing a form of Russian Roulette. Do ensure you have local backups. I understand why unprofitable products get dropped by Google - my company does the same thing. However, I'm not running a hyper-scaler cloud. A common misconception about the cloud is that you simply divest all responsibility and shove your stuff into it and all will be well.

    Due diligence and caveat emptor.

  • What do you suggest for cloud storage?

    I've had better luck over the years with Google Drive to store my documents than a physical backup drive. But the thought of losing access to my account scares me.

    • You will always need backups, regardless of where your primary storage is. These backups could be local or remote.

      You have to decide how important your data is. You might divide it into a few categories and decide what you can or cannot afford to lose for each category. For example your password database and family holiday pics are often more important than nearly everything else! Then you decide how much money to throw at all this. It's all a big risk assessment thing.

      If you will insist on cloud then please use two of them, or one and a local backup system. For really important stuff you can buy a 128GB USB stick from a brand that you have heard of for about £13 (just checked on Amazon). That's bugger all cash! Buy 10 of them.

      Please take responsibility for your data. Use cloudy stuff for convenience but do not lose sight of who really is responsible for it - you.


    • I unfortunately can't answer that. My work gives me double-digit TB OneDrive, and if I need personal stuff on there, I put it in a password-protected 7z file. I don't actually use it all that much though. I just rsync between two laptops in the background and a copy of everything gets pushed to my phone when I plug in to charge at night. I only have about 500GB of data that I care about not losing - like a dump of all my emails in a pst going back 7 years, and some photos and personal video. Rsync does it all w/ 3 copies on local devices, and I don't think about it.
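The advice a few comments up ("use two of them, or one and a local backup") and the three-copy rsync setup just described both rest on an unstated check: that each copy actually still matches the primary. The script below is an added example, not code from any commenter, that audits a primary directory against several replica directories by content hash and flags every file with fewer than two healthy copies. The primary, the replicas and the faults in them (a flipped byte on one drive, a never-synced file and a stale version on another) are all constructed in a temporary directory so it runs offline; in practice the replica paths would be an external drive, a second cloud mount, or the phone copy mentioned above.

```python
"""Added example, not from the thread: verify that every file in a primary
set exists byte-for-byte in at least MIN_HEALTHY_COPIES backup locations."""
import hashlib
import shutil
import tempfile
from pathlib import Path

MIN_HEALTHY_COPIES = 2   # matching backup copies required, not counting the primary


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def audit(primary: Path, replicas: dict, min_copies: int = MIN_HEALTHY_COPIES) -> tuple:
    """Compare each primary file against every replica.

    Returns (report, flagged): report maps a file to its healthy count plus the
    replica labels where it is missing or differs; flagged lists the files
    with fewer than `min_copies` healthy copies."""
    want = snapshot(primary)
    have = {label: snapshot(root) for label, root in replicas.items()}
    report = {}
    for rel, digest in want.items():
        entry = {"healthy": 0, "missing": [], "corrupt": []}
        for label, files in have.items():
            if rel not in files:
                entry["missing"].append(label)
            elif files[rel] != digest:
                entry["corrupt"].append(label)      # present but content differs
            else:
                entry["healthy"] += 1
        report[rel] = entry
    flagged = sorted(rel for rel, e in report.items() if e["healthy"] < min_copies)
    return report, flagged


def build_demo(base: Path) -> tuple:
    """Constructed primary plus three replicas with deliberate faults (hypothetical data)."""
    primary = base / "primary"
    primary.mkdir()
    files = {
        "notes.txt": b"recovery codes live in the safe\n",
        "photo.bin": bytes(range(256)) * 4,
        "passwords.kdbx": b"constructed-kdbx-bytes" * 8,
    }
    for name, data in files.items():
        (primary / name).write_bytes(data)
    replicas = {}
    for label in ("A", "B", "C"):
        replicas[label] = base / f"replica_{label}"
        shutil.copytree(primary, replicas[label])
    # B: one flipped byte in the photo, the silent corruption a dying drive produces
    photo_b = replicas["B"] / "photo.bin"
    data = bytearray(photo_b.read_bytes())
    data[10] ^= 0x01
    photo_b.write_bytes(data)
    # C: the password database never synced, and the photo is an older version
    (replicas["C"] / "passwords.kdbx").unlink()
    (replicas["C"] / "photo.bin").write_bytes(b"older export")
    return primary, replicas


def run_demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        primary, replicas = build_demo(Path(tmp))
        return audit(primary, replicas)


if __name__ == "__main__":
    report, flagged = run_demo()
    for rel, entry in report.items():
        print(f"{rel}: healthy={entry['healthy']} missing={entry['missing']} corrupt={entry['corrupt']}")
    print("below threshold:", flagged or "none")
```

Comparing hashes rather than timestamps or sizes is the design choice that matters: rsync happily reports success for a copy that was later damaged in place, and a "2 of 3" rule only holds if the two surviving copies are known to be identical to what you meant to keep.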