A few days ago I posted about my disabled Gmail account.
After a long, painful process, I was able to successfully recover the account.
Before you read this blog post, let me tell you that one of the things I discovered was
that Google’s account recovery process is 100% automated! No humans involved at ANY level.
More on that below.
In getting my account back, I learned a LOT.
Here are the things I learned about my account
My account was disabled/deleted because a hacker got into it.
When I was finally able to recover it, during the “change your password process,” I found this:
So I at least know the account was hacked. The first thing the hacker did was change my password and the account recovery email addresses, so it would be really hard for me to get my account back.
- The hacker also deleted my YouTube account and added 2 more of his own to my account:
I did manage to get my YouTube account restored, but he had deleted all the videos out of it and I can’t recover those. Good thing I make TONS of backups of things.
The hacker deleted all emails in my inbox (I had probably 15 emails from 10 people in my inbox, 5 of which were to remind me to do something).
If you were expecting a reply from me recently…sorry…your email got deleted.
Keep your inbox clean!
I still don’t know how he got into my account. I had a very strong password. I can only think of 3 scenarios:
- a brute force password attack (unlikely)
- I used the same password somewhere else and he hacked into some other database that had that password (most likely). My own stupidity.
- I logged into my Gmail account over an unencrypted connection on a public Wi-Fi network and he captured my username/password (unlikely)
What I learned about Google’s account recovery system, and what it means to you!
I learned a couple of eye-opening things about recovering a deleted Google account during this process…a couple of things Google doesn’t want you to know (or…things they don’t tell you).
- If you’re not prepared, forget it
If you aren’t prepared to recover your Gmail account and can’t answer the questions Google asks, you can basically forget getting your account back. They ask obscure things nobody would ever know (not even you).
Here are 2 screenshots of the page they make you fill out. I took these so I could remember what I had put in. My personal info is blurred out.
These are screenshots of the Google account recovery pages.
To recover your account, here’s my take on how hard each question is:
- frequently emailed people – easy
- labels – slightly more difficult
- invitation url – difficult depending on how you got it
- all questions about Orkut and Blogger: if you answer yes they want to know the URL of your profile and when you started using it – almost impossible to find
- 4 services you use – Impossible, unless…you have a backup of your Gmail account in a searchable location like Zoho Mail.
  I was able to find these things by searching through my Zoho for things like “calendar,” “docs,” “orkut,” …
  It still took a LOT of work.
- Account creation date – Impossible without a backup
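Here is one way to do that digging ahead of time instead of under pressure. This is an added example, not part of the original post and not anything Google provides: a small Python script that reads an mbox backup of your mailbox and pulls out the answers the recovery form asks for, which people you email most (recipients of messages you sent), which labels you use, which Google services show up in your mail, and the date of the oldest message as a floor for the account creation date. It assumes the backup is in mbox format with Gmail labels stored in an X-Gmail-Labels header (the header name and the service keywords are assumptions; check your own export). The sample messages and addresses are constructed.

```python
"""Added example: pull Gmail account-recovery answers out of an mbox backup."""
import email
import email.utils
from collections import Counter
from datetime import timezone
from mailbox import mbox

# Services the recovery form asks about; the post suggests searching a backup
# for words like these (assumed keyword list, extend it for your own mail).
SERVICE_KEYWORDS = ("calendar", "docs", "orkut", "blogger", "youtube", "picasa", "reader")

MY_ADDRESS = "me@example.com"  # constructed stand-in for your own address


def services_in(msg):
    """Return the service keywords that appear in a message's From or Subject."""
    text = "{} {}".format(msg.get("From", ""), msg.get("Subject", "")).lower()
    return {k for k in SERVICE_KEYWORDS if k in text}


def recovery_facts(messages, my_address=MY_ADDRESS):
    """Summarise a mailbox into the facts the recovery form asks for.

    messages: iterable of email.message.Message (e.g. from load_mbox()).
    Returns a dict with top_contacts (addresses you wrote to most), labels,
    services, and earliest (a floor for the account creation date).
    """
    contacts, labels, services, earliest = Counter(), Counter(), set(), None
    for msg in messages:
        sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
        # "Frequently emailed people" means people *you* wrote to, so only
        # count recipients of messages you sent.
        if sender == my_address.lower():
            recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
            for _, addr in email.utils.getaddresses(recipients):
                if addr:
                    contacts[addr.lower()] += 1
        # Gmail labels in an X-Gmail-Labels header (assumed export format).
        for raw in msg.get_all("X-Gmail-Labels", []):
            labels.update(l.strip() for l in raw.split(",") if l.strip())
        services |= services_in(msg)
        try:
            when = email.utils.parsedate_to_datetime(msg.get("Date", ""))
        except (TypeError, ValueError):
            when = None  # missing or unparseable Date header
        if when is not None:
            if when.tzinfo is None:  # naive timestamps can't be compared to aware ones
                when = when.replace(tzinfo=timezone.utc)
            if earliest is None or when < earliest:
                earliest = when
    return {"top_contacts": contacts.most_common(5), "labels": labels,
            "services": services, "earliest": earliest}


def load_mbox(path):
    """Read messages from an mbox file on disk (your real backup)."""
    return list(mbox(path))


def _raw(headers, body):
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed sample messages standing in for a real mbox export.
SAMPLE_RAW = [
    _raw(["From: me@example.com", "To: alice@example.com, bob@example.com",
          "Date: Tue, 02 Mar 2010 10:00:00 +0000", "Subject: Lunch",
          "X-Gmail-Labels: Sent,Friends"], "See you at noon."),
    _raw(["From: me@example.com", "To: alice@example.com",
          "Date: Wed, 15 Jun 2011 08:30:00 +0000", "Subject: Photos",
          "X-Gmail-Labels: Sent"], "Attached."),
    _raw(["From: Google Calendar <calendar-noreply@example.com>", "To: me@example.com",
          "Date: Sat, 07 Mar 2009 07:00:00 +0000", "Subject: Invitation: Dentist",
          "X-Gmail-Labels: Inbox"], "You have been invited."),
    _raw(["From: alice@example.com", "To: me@example.com",
          "Date: Sun, 20 Jan 2008 12:00:00 -0500",
          "Subject: Shared with you: budget (Google Docs)",
          "X-Gmail-Labels: Inbox,Work"], "Take a look."),
    # No timezone on this Date header: exercises the naive-datetime path.
    _raw(["From: me@example.com", "To: carol@example.com",
          "Date: Wed, 05 May 2010 09:00:00", "Subject: Weekend plans",
          "X-Gmail-Labels: Sent"], "Are you free?"),
]


def sample_messages():
    return [email.message_from_string(r) for r in SAMPLE_RAW]


if __name__ == "__main__":
    facts = recovery_facts(sample_messages())
    print("frequently emailed:", facts["top_contacts"])
    print("labels:", dict(facts["labels"]))
    print("services:", sorted(facts["services"]))
    print("account no younger than:", facts["earliest"].date())
```

Run it once against your real export with `recovery_facts(load_mbox("backup.mbox"))` and keep the printed summary somewhere safe and offline; the earliest message date is only a lower bound on the account age, and the service list is only as good as the keywords you search for.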
Google’s account recovery system is 100% automated!
No human will ever even see your account recovery attempt.
Don’t try to put identifying info into the fields for a human to look at. It will just hurt your chance of getting your account back.
You really just have to figure out how to give enough accurate info to get the computer to say “Yeah, this is over 80% correct, give the account back” or whatever percentage they have.
The reason I know this is:
- How Google responds to your account recovery attempts
Google says it may take 24 to 48 hours for them to reply to you.
The first time I submitted the account recovery form I got an answer back in 44 hours.
It was a NO.
The second time I submitted the account recovery form it took 40 hours.
It was a NO.
The third time I submitted the account recovery form, it took 2 minutes.
It was a YES!
Now, I don’t know this for sure, but here’s what this tells me:
- You submit your info to Google and a computer validates it against the data the computer knows about your account.
- If the computer matches the info and it’s correct enough, it fires off an email immediately to you saying “You can change your password now!”
- If the computer looks at your info and it’s not correct enough, it waits 24-48 hours before sending you an email saying “NO, you’re screwed for a while longer!”
If it were humans looking at the requests, why does it take so long to say no, but only 2 minutes to say YES! (I literally got an email from them within 2 minutes of submitting the successful request).
It’s done on purpose!
Google doesn’t want to give too many chances to people who don’t have the right info.
If you submit the account recovery form and don’t hear back from Google within 15 minutes, it’s going to be a NO: start gathering more data to recover your account.
This whole thing was a big, painful, learning process.
Things I’ve learned and things I’d do differently
- Make backups of everything – I already had pretty good backups. In the future I’ll have rock solid backups.
- Prepare for the worst early – I was slightly prepared. Now I’ll be better prepared.
- Don’t use a free Gmail account – I’ve since bought a domain and set up my email through Google Apps.
- If you want to migrate your email and your docs to another account, I highly suggest this email and data migration company, MigrationBox.com.
Their docs migration needs a little work (only try to move 100 docs at a time), but their email migration is solid. It moved 175,000 emails of mine no problem.
I chatted with them for a while and they gave me a 40% off coupon for my readers:
JOHNSYNC 40% Off Coupon
What a lifesaver MigrationBox was for me. I now get all my old emails in my new email account. Everything seamless.
They’re also good for:
- moving between Gmail/Google Apps
- moving between just about any email service providers
- syncing email accounts (ummmm…backup anyone?)
- NEVER use the same password for your email, Facebook, bank, or anything else you care about – I now keep one “junk” password, and about 6 completely secure passwords that I don’t use anywhere else.
- This is a bit extreme, but I’m now keeping an email account that I use to sign up for everything. I won’t sign up for things with my real email address anymore. That way, my real email address isn’t out there in too many databases, and it doesn’t have any passwords associated with it in case I slip up somewhere.
The other email account just forwards to my main one so I still get all the emails.
- UPDATE: This post on Lifehacker by Adam Pash details a new security feature Google is JUST NOW rolling out (they’re about a week too late for me…although I’m now using it).
Amazing…as I was going through this nightmare, I had wished Google would have some sort of 2-step verification system.
I also wish LastPass had the same thing!
Maybe I’m a bit extreme.
What I do know is that the internet isn’t going anywhere, losing your email account ISN’T fun, and hackers aren’t getting dumber.
It’s getting more and more common. I’ll try to stay ahead of the game from now on.
Please learn a lesson from my misfortunes and mistakes!