The biggest email platform on the planet provides a free service for more than 2.5 billion users, so it’s little surprise that it is popular with those who would use everything from AI attacks to legitimate Google security prompts to get access to the valuable data stored within. But what happens if your Gmail account gets hacked and you discover that the recovery options don’t work? Here’s what you need to know.
Help—I Can’t Recover My Gmail Account
I probably get more emails and messages asking for my help to recover Gmail accounts that the sender says they have been locked out of than any other kind of support request. Being a cynical old hacker, I suspect that the vast majority of these can be filed under “nice try, I’m not falling for that,” even if I could help with the account recovery process, which I cannot. All I can do is point them in the direction of the official Google support forum, the Gmail subreddit and Google’s own advice pages. However, I have noticed a number of people posting to those very places over the last few days who have what appears to be an impossible problem when it comes to account recovery. Here is my favorite example, if that’s the right word:
“I can’t access my account from new phone because I use my account as a recovery account.” While this appears to be a genuine request for Google help, I’m not convinced. Mainly, it has to be said, because it is not possible to set your recovery email to the same account you want to be able to recover, for pretty obvious reasons. There is a chance that this might not have always been the case, of course, so even given the benefit of the doubt, the user in question is still screwed. If that was, indeed, the only recovery option enabled, then they would not be able to recover the account. There is no simple answer, no extraordinary hint to avoid this happening to you: you can’t use the same address for recovery, so you are safe. The same can’t be said for all users in all circumstances.
A Hacker Has Changed My Gmail Account Recovery Number
One request on the official Gmail support forum is much more worthy of my attention, and serves as a reminder to all Gmail users of what to do if they find themselves in a similar situation. “My Gmail has been hacked, and they have changed the recovery number.” This seems, at first look, like another impossible situation. However, all is not lost even in this case. During a recent conversation with Ross Richendrfer, a Google spokesperson specializing in Gmail workspace security and privacy matters, this very topic came up. The good news for Gmail users is this: “We recommend all users to set up a recovery phone as well as a recovery email on their account,” Richendrfer said, but if an attacker changes one or both, the original account holder can still use the original phone number to gain account control, as long as this is done within seven days of the change. Richendrfer also warned that these recovery-changing tactics are usually a result of the Gmail account holder “not using phishing-resistant authentication technologies, such as security keys or passkeys,” to protect their Google account.
I would advise that all Google account holders use security keys, specifically a Google Passkey, now that it is so readily available and easy to use, to provide stronger protection against Gmail attackers. I also recommend anyone who is worried about such attacks make use of the free Google Security Check-Up tool to get an actionable analysis of their current security posture.