Update, Dec. 07, 2024: This story, originally published Dec. 05, has been updated with examples of the kind of cyber-attacks used by hackers and scammers to lock you out of your Gmail account. A Dec. 06 update added more detailed information regarding the importance of setting up recovery details for your Google account and the options that are available to Gmail users.
Although I’m pretty sure that a number of the people who contact me claiming that they have been locked out of their Gmail account by a hacker and want my help to get back in are, actually, trying to hack someone else’s Gmail account, that doesn’t mean everyone who asks for help is a scammer. You only have to look at the online Gmail support forums, both official and unofficial, to realize that people fall victim to hack attacks all the time and suddenly find their online lives turned upside down without access to their email. A common thread among these pleas for help is that an attacker, having compromised the account, has changed passwords, phone numbers and even passkeys to prevent the genuine account holder from regaining access. I went directly to Google to ask if there’s anything that users can do to get their Gmail accounts back under their own control, and, as it turns out, there’s a lot more than you might imagine. Here’s what you need to know.
Gmail Hack Attack Leaves Account Locked After Phone Number And Passkey Changed
A typical example of a Gmail user who has found themselves locked out of their account after a successful hack attack compromise was posted to the Reddit Gmail subreddit recently. The user complained that they had been locked out of the account after finding that their “passkeys (fingerprint), passwords and phone number were changed,” laying the blame on malware that was discovered on their device. “The only thing I have attached to the account is my other recovery email that I still have access to, though it doesn’t really help with logging me back in,” the user said, “I don’t have access to backup codes either and I’m pretty much ready to give up at this point knowing that Google doesn’t have live support.” Although Google wasn’t able to help with this specific case, I did ask for broader advice on how a Gmail user should respond in such circumstances in order to regain access to their Google account and their Gmail.
Google Said Users Have 7 Days To Regain Access To A Compromised Gmail Account
I had a conversation with a Google spokesperson, Ross Richendrfer, who deals with Workspace security and privacy matters. First and foremost, Richendrfer wanted me to point out that the tactics being seen from these email hackers are not unique to Gmail by any means; it’s a common methodology for an attacker to maintain control of an account once it has been initially compromised. However, Richendrfer did confirm, for context, that Google does see situations where an attacker has compromised an account and then adds a security key or a passkey to prevent the legitimate owner from logging back in. This, Richendrfer said, is usually a result of the Gmail account holder “not using phishing-resistant authentication technologies, such as security keys or passkeys,” to protect their Google account.
Two Types Of Hacking Threat That Can Lead To Gmail Users Being Locked Out Of Their Accounts
The Gmail Link Hovering Threat
The advice to protect yourself against scammers using the fake URL tactic, whereby a link is disguised to look genuine but actually leads to a cloned site, has been, for the longest time, to hover your mouse over the link. Doing so reveals the real destination of the link in question, tipping you off to any fraudulent intent. Or so the theory goes. The reality has, also for the longest time, been quite different. You see, scammers are, I’m afraid to say, not all stupid. Some are technically savvy enough to spoof the text that appears when you hover over a link. This doesn’t take any advanced tooling, just a bit of straightforward HTML coding to edit the mouseover text label. This can work because the mouseover label is displayed next to the link that’s being hovered over, whereas, when using a web browser to access Gmail, the real URL is most often displayed at the bottom of the screen. The attacker is relying on the user not looking anywhere other than the label that pops up alongside the link. Smartphone Gmail apps don’t appear to suffer from this, so use them wherever possible. “Gmail blocks more than 99.9% of spam, phishing attempts, and malware from reaching you,” a Google spokesperson said, “as part of our AI-based protections, Gmail takes into account link obfuscation methods when classifying messages.”
The Gmail 2FA Bypass Attack Threat
Session cookie theft, which is what usually happens when a threat actor is looking to initiate a two-factor authentication bypass attack, works by using an attacker-in-the-middle tactic whereby it’s not your 2FA code itself that is being targeted but rather the cookie that says you have successfully authenticated your identity for that session. Once in possession of the session cookie, the attacker can then, effectively, go back at any time and will be treated as a genuine user of your account as the cookie shows that session as, yep, authenticated. There are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks,” a Google spokesperson said. That’s probably the best advice I would offer, truth be told, as using a passkey rather than a 2FA code that is sent by SMS or even an authentication application generated one is a whole league of difference safer. “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” the Google spokesperson said. If you use Google Chrome as your web browser, then you are also protected by app-bound encryption. Chrome encrypts data tied to identity in much the same way as macOS users experience with Keychain protection to prevent apps running as the logged-in user from gaining access to secrets such as session cookies.
Google Account Recovery Options For Gmail Users Explained
“We recommend all users to set up a recovery phone as well as a recovery email on their account,” Richendrfer said, “these can be used in cases where users forget their own passwords, or an attacker changes the credentials after hijacking the account.” Here comes the most important bit: if an attacker changes your recovery phone number then you, as the original account holder, have up to 7 days to use that original recovery phone number to regain control of your account.
Recovery options should be filed under the same “do not ignore” heading as data backups and the importance of not clicking on unsolicited links in emails and text messages. We all know, however, that all these things are ignored. With 2025 fast approaching, how about you make it your New Year’s resolution to rectify all three, starting with your Google account recovery options?
As Google said, “your recovery email is used to reach you in case we detect unusual activity in your account or you accidentally get locked out,” which is why you shouldn’t ignore it and ensure it is kept up to date. As with telephone numbers, Google said that “when you change your recovery email, you may be able to choose to get sign-in codes sent to your previous recovery email for one week.”
To add or change a recovery phone number or email on Android, open your device’s Settings app, tap Google, then your name, then the “Manage your Google Account” option. Now head for the Security section; under “How you sign in to Google” you can select the options for Recovery phone or Recovery email. You will likely be asked to sign in before getting any further, but the selection process is very straightforward and takes no time at all.
When it comes to recovery numbers, Google advised that the number used should be for a smartphone that belongs only to you and is used regularly and kept on your person.
When it comes to recovery email addresses, Google advised that the email address should also be one that you use regularly but is, obviously, different from the one that is used to sign into your Google/Gmail account.
Google also said that if there is something different about how you’re signing in, then you might not be given the option to change your recovery information. This would appear to be something that many users get confused about. Google advised that you should try again a week later using the same device, or from another device that is regularly used to sign into your Google account, or from a location where you usually connect from.
Richendrfer also advised that anyone, be they using Gmail or any Google service, can get further help with account recovery by starting here or heading to this Gmail account recovery guidebook by Google for more detailed, step-by-step, instructions.