
Comment by jimbocyou

8 hours ago

OP triggered every possible red flag for suspicious account takeover in Google's systems: deleting his recovery phone number, moving to another country, and changing cellular provider. And then he gets surprised that the account is in a 30-day cool-down period??? I don't understand people sometimes.

Have backup codes, Passkey, access to the said number, same laptop logged in, phone logged in, recovery email address access and nothing works...

They didn't willfully delete their recovery phone number. They tried to delete a shitty, known-broken 2FA mechanism after they had set up passkeys. Poor UX conflated the two things, so their recovery phone number ended up being deleted. This is 100% on Google.

Why the fuck would Google care in which country I live? It's a personal decision, and no corporation should have any say in this. They certainly don't have to flag an account for that, especially not if the account has 2FA enabled. This is on Google, too.

Your comment is victim blaming.

  • The problem is the rapid succession of changes to recovery phone number, country, cellular provider. There is no way to differentiate, at scale, between an account takeover currently in progress that needs to be stopped immediately to minimize damage, and a legit user deciding to change all his personal info at once.

    A 30-day cool-down period is a reasonable response, at scale.

    • > The problem is the rapid succession of changes to recovery phone number, country, cellular provider.

      Aren't cellular providers inherently tied to the country they're in?

      How do you move to another country without changing cellular providers at the same time?
