Google hacked account

203 points by hmoghnie 10 years ago | 157 comments

Despite Google boasting of hiring the best engineers. Their system give us mortals hope that our applications are not so bad after all. Let me explain the pain I am going through to recover my hacked gmail account. First, there is no way to talk to someone, their responses are canned, and to top it off, they send you to a link to submit a password request.

So far not a problem, but the email you get back after sending the password reset request contains a link to a page that allows you to cancel the request (not sure the genius who had this idea). Now that the email is hacked, the hacker can read the emails and click to cancel the recovery process. And the vicious cycle continues.

What to do?

andybak 10 years ago |

Try posting to Hacker News in the hope someone with some authority deigns to intervene. It helps if you a high-profile blogger or known industry luminary.

The prospects for the rest of us are fairly bleak.

fixermark 10 years ago | |

> The prospects for the rest of us are fairly bleak

Mostly because if changing ownership of a Gmail account were as simple as "Post to Hacker News and complain," it'd be an obvious and exploitable security gap.

JacobEdelman 10 years ago | | |

That idea, if extended, could be rather entertaining.

"White House Gov Account Hacked, Please Help"

danielweber 10 years ago | | |

Obviously it shouldn't be as simple as "someone complained, so turn over control."

However, us normal plebes should be able to get some competent human on the phone and talk to him about what's going on.

I'd hop through lots of hoops to recover my google account, but without getting a human's attention I can't do anything.

andybak 10 years ago | | |

I don't quite follow.

I don't expect it to be easy to change ownership of an account - but there has to be a secure process that one can follow in the event. I'd be happy to pay for it. It's the fear that if the worst happened you would quite simply be unable to contact anyone that concerns me

hmoghnie 10 years ago | |

will try, thx

sombremesa 10 years ago |

If they are automatically clicking these links you may be able to spoof an E-mail that looks similar to the password reset request but have the cancel link actually log them out.

Going to this URL logs you out on Gmail: https://accounts.google.com/Logout?service=mail&continue=htt...

This might not work, but it's probably worth a try.

umurkontaci 10 years ago | |

It did work for me a when I clicked from here on HN!

Aissen 10 years ago | | |

Yes, and this can be done in a CSRF attack on a web page like superlogout.com (don't go there if you don't want to be logged out of 20+ websites).

w8rbt 10 years ago |

If your account is part of Google Apps for Education, or some other managed Google Apps account, you should contact your Google Apps admin. If it's just a normal Google account, I'm not sure there's much more that you can do.

Email is the most sought after account. All the password reset requests to your Bank, Twitter, Facebook, etc. are delivered to your email account. So when someone steals your email account, they've stolen all the others too. Go change those accounts to use your new email (if you can).

hmoghnie 10 years ago | |

you are absolutely right.

jmilloy 10 years ago |

I agree that Google's help services are lacking. I never got my account back years ago. But this sounds fishy to me.

It's equally likely that you are trying to hack someone else's account as trying to recover your own. There's nothing wrong with the password reset process.

However, isn't there a process for when you suspect your account has been compromised? Have you even tried that? Are you even sure that your account has been compromised, or you just can't remember your password?

I like that us hackers are happy to help, and happy to commiserate with the failings of big corporations, but I think it's worthwhile to be a bit sceptical.

Edit: I'll add that the claim that the reset requests are going to the original account and being cancelled is fishy. We have verification in this thread that this in fact does not happen, and presumably the OP can't access the account to make a truthful counter claim.

finnjohnsen2 10 years ago |

You had two step verification, or not?

I'm hoping you'll say no, because my feeling of security comes from the fact I've enabled TSV.

yandie 10 years ago |

> So far not a problem, but the email you get back after sending the password reset request contains a link to a page that allows you to cancel the request (not sure the genius who had this idea)

Did you set the recovery email the same as the main email? Cause I only get password reset to the recovery email.

If you used the same address for recovery email, then it defeats the whole purpose

hmoghnie 10 years ago | |

no i set another email. but still both emails will get the link.

DannyBee 10 years ago | | |

This is not correct. Or at least, it should not be AFAIK.

I actually just tried it on an account I own, and it does not send the email to both addresses, only to the recovery email address.

If that is really happening to you, that sounds like a bug to me.

giarc 10 years ago | | |

Is the person that hacked the account just sitting there waiting for emails to come in and hopefully can click the "Cancel Request" before you can reset the password?

heavymark 10 years ago |

Would be interested in knowing how they bypassed 2 factor authentication, assuming you had that enabled.

Unfortunately, it's a tough situation since for all Google or we know you could be the hacker trying to get into the account and hard for them to verify who you are, since if the hacker was able to steal person's phone to bypass 2 factor authentication, they may also have access to a copy of your drivers license or ID to send to google in an attempt to verify they are you.

While far from ideal, assuming you don't have a close friend to contact google for you via their google apps admin account, you could create a new trial google admin account and then contact google through that mentioning your situation of your other account. While they will still have to find a way to verify who you are at least you'll reach a real person.

FredericJ 10 years ago |

The issue is that you're not Google's client. Maybe buy something from them (a large amount of ads), then try to get support?

anticon 10 years ago | |

This worked for me. My account was suspended in error years ago (Suspect logins or something), and the only way I got it back was by calling up an adwords representative and telling them I couldn't login to adwords and spend money until they unsuspend my email account.

troels 10 years ago | | |

That actually worked?

iagooar 10 years ago | | |

If something I learned about this world is that money talks. Always.

fixermark 10 years ago | |

Or a Google Apps for your Domain account. $5 a month, and you have full admin control over the account (and a payment channel backing it, so if someone does compromise the account, you can stop paying the bill to get Google's attention).

itsbits 10 years ago |

Someone hacked and deleted my gmail account back in 2008. And I wasn't able to create another with same name. It was like my life that time coz I had all my personal backups as mails in that one. Since then I keep a copy in my harddrive as well even when I have cloud account.

y0ghur7_xxx 10 years ago |

Unfortunately (because their services are quite good) google has no support staff. This is well known, and you should take it into account when using the services they offer.

It is not difficult to do without them.

Asking for help on HN or Reddit works sometimes, but if your business (or personal life for that matter) relies on their services you should really work towards being able to do without them.

philbo 10 years ago |

This actually happened to me a few years back and, eventually, they were very helpful.

The key for me was providing sufficient proof that the account really was mine and really had been hacked. I gave them as much information as I could remember/check:

* some contact names

* some tag names

* some recent thread subjects/recipients

* name of the person who first invited me to GMail back in the day

* details of any labs settings, theme etc

* mailing list subscriptions

I wish I could remember the email address I used to get in touch with them but, as I said, this was years ago now. I definitely found it somewhere publicly available, albeit buried somewhat.

HTH

topynate 10 years ago |

Hm, I'd try timing the request so that it's the middle of the night wherever the thief lives. Try once assuming that he lives in America, once assuming Eastern Europe.

deadmik3 10 years ago | |

This may not be the quickest result, but the basic idea of just trying & trying & trying... until you eventually beat the hacker sounds almost like a game.

toxicFork 10 years ago | | |

What if the hacker tells google that OP's other non-hacked email "has been hacked" and to please unlink it from the hacked account? :D

Implicated 10 years ago | |

Unless they've scripted the process to open password reset emails and follow the cancel link.

creyer 10 years ago |

I guess is all about: how can you prove you're not the hacker?

raverbashing 10 years ago | |

Location of past IPs used to access GMail

Knowledge about items on the inbox/address book

Location of devices used to access the account

Knowledge of past passwords

Not sending password reset emails to secondary emails that have just been added

danielweber 10 years ago | |

If a human looks it would be trivial for me to do the legwork to prove I own the google account.

I've had more than one job that uses gmail in the office, including my current one. My boss's account is presumably authenticated and if I bugged him he would vouch for my identity.

I have correspondence with a bunch of people in my google account going back years. I could bug any number of them to vouch for me.

I've had, in the past, a few work accounts that used google, that mad my picture associated with it. I can do a google hangout to show that that is still my face.

I have a driver's license with my real name on it, which matches my google account.

I control the phone number associated with my google account.

. . . A hacker could compromise one or two of those, but it would be hard for him to get a majority of them, even if he had my phone and email in his control.

EGreg 10 years ago |

The right way for these companies to restore your account would be several of the contacts you've added long ago to verify that it is indeed you, in some way a machine can use, such as you signing in with your OLD credentials (which are kept around), filling out a form with their contact details (which were in the addressbook on the service and to which you have sent at least a few emails long ago) and them forwarding you the generated keys to your email by some method they choose to reach you -- only by collecting 4 or 5 of these keys could anyone unlock the account. Presumably you choose the people to whom you've reached out another way and explained how to tell you the code to activate your email.

This is like an alternative to two-factor communication. It can only be defeated by someone actually hacking your account and then convincing 3-4 of your close friends to send him the keys to your account when you start the dispute.

I'm a big fan of using information obtained easily and casually in the course of doing something productive (like often emailing someone) for good purposes.

PS: I have disclosed it publicly on this date so no patenting! :-)

mark_l_watson 10 years ago |

Google provides some great services, but support is lacking.

I suggest, for the future: 1) use two factor authorization 2) use a separate email service because email is so important that you need the best support, etc. that you can get (I use Fastmail) 3) periodically download your Google data so if you ever need to set up a new Google account, you have some of your old context

I do still use GMail, but as a backup email.

I am going to start teaching free Internet security and privacy classes at my local library so I have been thinking a lot about these issues. Google, Facebook, Twitter, etc. provide really nice services, but it is important to consider privacy issues and have a plan for using these "free" services.

q3k 10 years ago |

It's a free service. You get what you pay for.

GnarfGnarf 10 years ago | |

I think it's more accurate to say that you don't get what you don't pay for. Did the folks who bought Worldcom stock get what they paid for? Enron? Bre-X?

brightball 10 years ago |

If they're going to have cancel password change requests they also have to have cancel change of alternative email requests. That's the first thing a hacker changes.

Additionally, you have to track every change with a timestamp so that you can invalid everything that came AFTER the change you just reset. That will prevent a hacker from being able to screw with the account because the original email address will also be able to cancel future changes, no matter how many times the perpetrator did it.

aseemraj 10 years ago |

Google sends the recovery information related emails on the recovery email address. So they won't be going to the account that is not accessible to you (I prefer to say that instead of hacked). And the link to cancel the request is indeed a good idea, because if someone else submits a password reset request, then you must be able to cancel it because you did not initiate it. Otherwise, you will end up losing your account to the real initiator of the request.

ruanmartinelli 10 years ago |

Adding to discussion: once I tried changing a corworker's gmail password just for fun (he was right beside me and doubted that I could) by just providing few ordinary information I knew about him (e-mail lists we were both subscribed to, e-mail from our boss, other coworkers, etc). Well, I was able to change his password to a completely new one. Very concerning, not sure if it still remains that easy.

hellbanner 10 years ago |

A while back, I was chatting with someone on gTalk who I had pissed off in a forum. The next time I tried to sign in, my password has changed. I had to do the reset.. when I signed back in, no signs of foreign IP access was there.

My best guess: malware on the forum OR they exploited a vuln on Gmail.com similar to how hotmail.com & yahoo.com used to be very very vulnerable..

frosttt 10 years ago |

You can try here. https://productforums.google.com/forum/#!forum/gmail

hiou 10 years ago |

I would see if you can upgrade your gmail to a paid account and then contact their support. Free accounts get very little attention but paid accounts will get you to a real person eventually.

rogeryu 10 years ago | |

Great - but that only works if you have access to the account. Otherwise I could take over any account by simply paying? I guess Google is smarter than that.

rghose 10 years ago |

I guess you just need to be faster than the person who hacked your account. Just before the cancel link is clicked you gotta make your move.

Yeah, and the cancel request was a total stroke of genius!

pbhjpbhj 10 years ago | |

I imagine that Google would allow the "cancel request" to override recent password alterations to avoid accounts being taken over simply because the cracker moved faster than the owner once it was realised the Google account was cracked/accessed.

It may not be enough to run a password update before they act on the email. It also may not be physically possible if they have a script watching for such emails from Google and cancelling the request immediately, you'd then need to set up a faster method and/or receive the email before they did.

BtM909 10 years ago |

I'm assuming you've tried this: https://support.google.com/mail/answer/50270?hl=en&ref_topic....

On the other hand, it is a free service. If you'd have the business subscription, they do have a helpdesk you can contact by phone: https://www.google.com/work/apps/business/support/

hmoghnie 10 years ago | |

Tried that, It will send me a link to the original hacked email with a link to cancel the request !!!!

sparticvs 10 years ago | |

It's not a free service, and it never has been. I pay them with my personal information and not with national currencies.

black-perl 10 years ago |

And, the loop continues. Can't they reset your gmail account. Yes they can ! Ask them explaining the problem.

resulemniyet 10 years ago |

https://www.emniyetevdenevenakliyat.com https://www.kayserievdeneve-nakliyat.com https://www.kayserievdenevenakliyeciler.net https://www.kayseri-evdenevenakliyat.net Eşyalarınızın büyük olması asansörlü taşınma için engel teşkil etmez.Binanız pimapen pencere olduğu müddetçe eşya büyüklüğü önemsiz kalır.Çünkü pimapen pencereleri tamamen söküyoruz. Bir şehirden öteki bir şehre nakliyat işleriniz olduğunda size nakliyat için bir zaman veririz ve bu süre içinde nakliyat işleriniz tamamlanmış olur. şehirler arası taşımacılıkta kayseri evden eve Nakliyat kalitesini yaşamak için çok sayıda seçeneğiniz var. Taşınacak eşyanın cinsi büyüklüğü ne olursa olsun Türkiye’nin bütün illerine hizmet vermekteyiz… Eşya taşıttırmak isteyen müşterilerimize sunduğumuz hizmetler arasında asansörlü eşya taşımacılığı yanı sıra anahtar teslim evden eve taşımada sunuyoruz. Firmamız kayseri melikgazi de ofisimiz kayseri ve tum turkiye evden eve nakliyat bizim işimiz Asansörlü kayseri evden eve nakliyat hizmeti şimdilerde moda olup en iyi ve kaliteli taşınma için mükemmel çözüm.Kayseri evden eve nakliyat firma elemanları olarak hizmet veren arkadaşlarımız asansör ile yapılan işlerin daha kaliteli ve güvenilir olduğunu bizimle paylaştıktan sonra artık işlerimi bu kalitede olacaktır. https://www.nevsehirevdenevenakliye.com https://www.aksarayevdenevenakliyat.biz https://www.evdenevenakliyatc.net https://www.kayserievdenevenakliyat.biz https://www.hizmetevdeneve.com https://www.kayserievdenevenakliye.net http://nigdeevdeneve-nakliyat.com/ https://www.sivasevdenevenakliyat.biz https://www.yozgatevdeneve-nakliyat.com http://www.evdenevenakliyatciler.net/

bingobob 10 years ago |

if you get your account back i would look at setting up 2-Step Verification https://support.google.com/accounts/answer/180744?hl=en

frosttt 10 years ago |

Have you tried the forums? If so, could you point me to the post, please?

cbaleanu 10 years ago |

You can also receive a pin code via sms on your phone...

hmoghnie 10 years ago | |

The hacker has modified that number too

cmdrfred 10 years ago |

Hacker != Guy who phished your password

pooooooop90900 10 years ago | |

Hi I'm a secret agent of sleepy town

timruffles 10 years ago |

For next time: pay for google apps.

frosttt 10 years ago |

Did you post on the gmail forums?

ceejayoz 10 years ago | |

I'm a little baffled at the idea that the forums would be able to resolve this sort of thing.

9931323781 10 years ago |

MY AIM IS ALL INDIA RANK 1st in IIT JEE AND IChallange 95%MARKS IN BIHAR BOARD EXAMINTION IN 2016

chintan 10 years ago |

edge case - scheduled for sprint # 5642

pooooooop90900 10 years ago |

Cool

kazinator 10 years ago |

> What to do?

The first step would be to edit the title of your submission to begin with "Ask HN: hacked Google account, what to do?", since you're asking a question.

"Google hacked account" means, to an English speaker, that Google perpetrated hacking against some account somewhere (subject-verb-object, right?) E.g. Google people gained access to your bank account. I.e. your current submission title is clickbait.

jokr004 10 years ago | |

Your nitpicking isn't helping anyone.

smtddr 10 years ago | | |

Nitpicking? I had no idea what this submission was even about. I thought maybe Google, the company, was hacked by outsiders. That was my best guess. Or even "Google hacked" could imply "Hacked by Google", I don't even know.

The current title is ambiguous at best; just plain misleading/sensational at worse - especially now reading that this is really about just one person losing access to their Gmail.

_____

EDIT: In case the title does get changed, the original title that I'm looking at right now is "Google hacked account". This is what I woke up to this morning --- http://i.imgur.com/vWJ41ck.png

myth_buster 10 years ago | | |

It would be helpful to many who will misinterpret and be visiting now that the thread is on front page.

philtar 10 years ago | |

That's the least relevant thing you can tell someone with 130+ points and 60+ comments.

myth_buster 10 years ago | | |

I visited because I misinterpreted the title and I think grandfather comment shows that it's not an exception.

bitmapbrother 10 years ago | | |

With all due respect, your very misleading title gave the impression that Google security was hacked when in reality you were hacked either by social engineering, using a very weak password or not using 2 factor authentication.

9931323781 10 years ago |

I WANT TO CHAIRMAN OF GOOGLE

Adiminstrator 10 years ago |

Hello,

I believe i can help.

Tepix 10 years ago | |

Now that's just cruel.

praalka 10 years ago |

they went full microsoft

JupiterMoon 10 years ago | |

Strangly hotmail does a better job here...

GFischer 10 years ago | |

Exactly the opposite, Microsoft might have worse services but their support is excellent.