A few days ago I received an ominous email from Google. It came with the subject line: Critical security alert, and the heading: Someone knows your password. The email body explained,
Google has become aware that someone else knows your password, and we've taken steps to protect your account. Please sign back into your account now and choose a new password to secure your account.
The email itself had all the trappings of a phishing attempt but after verifying that it was indeed from Google, I proceeded with the recovery steps. Now this was a non-Gmail username from years ago that I wasn't using anymore, but I just didn't want it in the hands of bad actors. Thankfully I still had the password for the account and my plan was to recover the account and then delete it, but that turned out to be wishful thinking.
I clicked the button in the email which took me to the login screen. Popped in the email and then the password and was greeted with a roadblock,
Couldn’t sign you in.
Google couldn’t verify this account belongs to you.
Try again later or use Account Recovery for help.
Ok, let's click on the Recover account button and follow the steps.
Back to the login screen to recover the account. This time the password screen had a different prompt,
Enter the last password you remember using with this Google Account
Well, I already knew what the password was and that's what I entered. And with that I'd reached the end of the road,
Can’t sign you in
You can’t recover your account at this time because Google doesn’t have enough info to be sure this account is yours.
If you want to create a new account to use Google’s services, be sure to add a recovery phone or email address and keep them up to date.
Somewhere along this journey I was also offered a link to try a different recovery method. Clicking on that link would simply take me back to the same hopeless screen above, exclaiming that I couldn't recover my account.
I am pretty certain that I hadn't added any additional recovery emails or phones, but since this account was already based on a non-Gmail email, Google could have sent a message to that email address to verify me.
Instead I received this email from [email protected],
Sign-in attempt was blocked
Someone just used your password to try to sign in to your account. Google blocked them, but you should check what happened.
Really, Google? The someone was me. How can I check what happened when I can't log in to check what happened?
As mentioned, this was an old unused account so the damage was negligible. I can only hope that Google has fully locked out the account so no one can access it, including the jerk who'd supposedly breached it.
Meanwhile, while I was searching online for alternative ways to recover the account, I came across many messages from desperate people pleading with Google to help them with account recovery, only to be met with silence.
Some were claiming that they'd lost years of work and emails with no recourse. Those accounts, including my own, are apparently gone for good and Google is not going to help whatsoever.
I can see this from Google's point of view, sort of. They probably worry that account recovery via a human agent, even with a high bar to prove one's identity, has a tiny chance of getting abused by bad actors, such as rogue nations, to break into people's accounts. So they've decided to provide no support for this issue, thereby leaving the users exposed to the risk of losing their accounts forever.
If you are worried about getting locked out of your Google account forever, you'd do well to at least check your account recovery steps here, https://myaccount.google.com/security.