Tell HN: Need help, locked out of Google account with 10 years of personal data
242 points by taosx 14 days ago | 119 comments
I've been locked out of my Google account which contains over a decade of my digital life, and I'm at my wit's end trying to recover it.

The situation:

- Woke up today completely locked out

- Got "secure your account" message

- Set new password + recovery info but kept getting redirected to login

- Received "unusual activity" warning (around the time I was asleep)

- System asks for old phone number (lost in 2022)

- Have tried recovery dozens of times through g.co/recover

- Still have access to old recovery email but system never asks for it

What I've tried:

- Using same devices and network as always (google pixel)

- Multiple recovery attempts with both old/new phone numbers

- Both old/new passwords (they never say which one they accept)

- Following all official Google recovery guides

I have so much of my life there:

- Primary email communications

- Password manager data

- Business documents and projects

- Personal documents

- Google Drive contents

- Contacts

- OAuth access to numerous services

- Years of irreplaceable data

I've exhausted all official channels and online resources. The thought of permanently losing access to this account is terrifying. Has anyone successfully recovered their account in a similar situation? Any Google employees or security experts who might be able to help?

This account represents my entire digital identity, and I'm desperate for any guidance or assistance.




Moving forward: always have an email client on a local machine downloading a copy of all emails. Have a local copy of all gdrive contents. Backup your password managers to a txt file and encrypt it on a drive. And above all, don't trust google with all your stuff. They don't care.

I lost a gmail years ago and only use it as a throwaway email client now. You get what you pay for.


That's completely impractical for the average, and even above average user.

Just because something can be a solution doesn't mean it should be.


We live in less than an ideal world though, we don't really get to dictate how practical the solutions to our problems are.

It is in a way what makes a problem truly a problem. Otherwise, "problems" would all just be different ways of being ignorant of the better way.


Agreed. What are the practical alternatives to GP’s suggestion?

At the very least the average person can simply download all of their google data every year or so to soften the blow considerably. Something that's actually super easy to do. https://takeout.google.com/

And then what?

If you're the average person and have gigabits of email, what are you supposed to do then?


Google takeout. Do it every 3 months. Easy peasy..

Good for privacy too. It has everything! Look through it and permanently delete what you don't want them to keep.

Note that it is slightly lossy with respect to headers, times etc. Not ideal for anything legal related. For those print them off.


Can you easily consume the takeout data?

Yes. For example emails are an mbox file and there are free mbox viewers. You then have something like an old school mail client to view emails.
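As an added illustration (not part of the thread and not any commenter's code), this is one way to read a Takeout mbox file with Python's standard `mailbox` module and check that a later export still contains the same mail as an earlier one. The function names, the body-hash comparison and the sample messages are assumptions made for this example; the sample mail is constructed.

```python
import hashlib
import mailbox
import os
import tempfile
from email.utils import parsedate_to_datetime


def build_manifest(path):
    """Index an mbox file: Message-ID -> date, sender, subject, body SHA-256."""
    manifest, warnings = {}, []
    box = mailbox.mbox(path, create=False)
    try:
        for key in box.iterkeys():
            raw = box.get_bytes(key)  # headers + body, without the "From " separator
            msg = box.get_message(key)
            # Hash only the body so header differences between exports
            # do not make every message look modified.
            body = raw.split(b"\n\n", 1)[1] if b"\n\n" in raw else b""
            digest = hashlib.sha256(body).hexdigest()
            mid = str(msg["Message-ID"] or "").strip()
            if not mid:
                # No stable identifier: fall back to the body hash as the key.
                mid = "sha256:" + digest
                warnings.append(f"entry {key}: no Message-ID, keyed by body hash")
            try:
                date = parsedate_to_datetime(msg["Date"]).isoformat()
            except (TypeError, ValueError):
                date = None
                warnings.append(f"{mid}: missing or unparseable Date header")
            manifest[mid] = {
                "date": date,
                "from": msg["From"],
                "subject": msg["Subject"],
                "sha256": digest,
            }
    finally:
        box.close()
    return manifest, warnings


def diff_manifests(old, new):
    """Compare two manifests; 'missing' and 'changed' deserve a closer look."""
    return {
        "missing": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": sorted(
            k for k in old if k in new and old[k]["sha256"] != new[k]["sha256"]
        ),
    }


# --- Constructed sample data (not real mail) --------------------------------
def _entry(mid, date, sender, subject, body):
    text = f"From {sender} Mon Jan  1 00:00:00 2024\n"
    if mid:
        text += f"Message-ID: {mid}\n"
    text += f"Date: {date}\nFrom: {sender}\nSubject: {subject}\n\n{body}\n\n"
    return text


JAN_EXPORT = [
    _entry("<a1@example.com>", "Mon, 01 Jan 2024 10:00:00 +0000",
           "alice@example.com", "Invoice", "Invoice attached."),
    _entry("<b2@example.com>", "Tue, 02 Jan 2024 11:30:00 +0000",
           "bob@example.com", "Lease", "Signed lease."),
    _entry(None, "not a date", "carol@example.com", "Notes", "Meeting notes."),
]
# Later export: one body differs and the third message is gone.
APR_EXPORT = [
    JAN_EXPORT[0],
    _entry("<b2@example.com>", "Tue, 02 Jan 2024 11:30:00 +0000",
           "bob@example.com", "Lease", "Signed lease (edited)."),
]


def write_export(entries):
    """Write constructed entries to a temporary .mbox file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(entries))
    return path


if __name__ == "__main__":
    old, warns = build_manifest(write_export(JAN_EXPORT))
    new, _ = build_manifest(write_export(APR_EXPORT))
    for w in warns:
        print("warning:", w)
    print(diff_manifests(old, new))
```

Storing the manifest next to each export makes it possible to confirm, months later, that a backup is still readable and complete before relying on it.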

If you live in the EU, you can send a Subject Access Request to Google.

That will get you back the contents of your account (emails, photos, etc).

You can also try submitting a right to rectification. They hold data about you (your account) but have incorrect data regarding ownership.

If either of those fails, you can escalate to the data protection authority in your jurisdiction.

It is likely to take several weeks though.


I do live in the EU, if the plan to get access to the phone number with the telecom operators on monday doesn't pan out I will try to do that.

Honestly I don't mind waiting weeks to recover the contents of my account as long as I know that it's not lost forever. But all the FAQ and comments on the internet regarding similar scenarios have no good ending and people just giving up with no recourse.

I knew about Subject Access Request but it didn't cross my mind I could use it in my current scenario. Thank you!


This post seems to have been flagged but I want to thank everyone for their suggestions and future measures. The plan for now is: 1. Retry again with email/pass in incognito in a 24 hour interval; 2. Try to get the same phone number from the telecom operators; 3. Make Subject Access Request (EU) to Google in hopes of at least getting my data back.

In order not to get caught up in the same thing again there are many good suggestions in the comments, all with some overhead/friction but 100% worth it if you ask me :D.


Update: Recovery attempt via telecom operators failed - the number is stuck in limbo between two carriers. While this didn't work in my case, other European users may still recover their number by either:

1. Starting a new 2-year contract

2. Paying a one-time fee for a preferred number (~150 EUR in my case)

Tip: Contact your local carrier to check if number recovery is possible, or if you can request a specific number for a new contract.

Currently pursuing Plan B: Submitted a Data Access Request [1] to Google in hopes of getting my data back.

[1]: https://support.google.com/policies/contact/sar


Finally, Google gave me access to my account by allowing me to use the new phone number they asked me to provide and not the one from 2022, exactly 8 days after the incident.

Upvoting as this usually proves the only effective way to get service.

Try cross-posting to Reddit as well


Thank you, will probably resort to that as well.


Also do Twitter and whatever other socials you have. The only way to get them to help is public shame. It's sad, but we don't make the rules, we just play by them.


I'm not on any socials. At this point I'm more ashamed of myself, I'm technical enough to build a homelab, I was just delaying the migration until I had something a bit more solid with k8s and ceph that I could share with a nice UI.

Even a small job that would backup emails and data to S3 and a hdd once a day would have saved me all this embarrassment. Hopefully starting with 2025 will have something to share with HN that is more positive.


No reason to be embarrassed. You put your faith in one of the largest companies that has ever existed. That is a logical thing to do.


It's not, considering the scale. The projected image of reliability and trustworthiness can't be more than a facade, with only 'some' humans shepherding an endless army of 'zalgorithms on crack'. If any of their spasms is hitting YOU for whichever reason, you're usually out of luck if the expectation is normal, casual means of interaction/recovery.

For me that began with the necessity of providing a SMS-capable mobile phone number for recovery, which I won't ever give them.

They have alternative e-mails, fully verified, which were sufficient for opening that account.

Depending on where you are, that behaviour could even be considered illegal, because they are weasel-wording around that necessity in their TOS, letting you make an account without that in earlier times, then changing that somewhere in their TOS later, which you have to agree to, or else...

But still just not explicitly stating that necessity when you're opening some account somewhere in googleverse right now, instead weasel-wording around in some of their fora, and censoring questions about that in there. No matter if in german, or english.

While having my full 'Ladungsfähige Adresse' ( https://de.wikipedia.org/wiki/Ladungsf%C3%A4hige_Anschrift ) with POTS/Landline for other reasons.

(Imagine endless stream of CENSORED cusswords here...)

edit: If any of your services require a SMS-capable mobile-phone to operate, even if only for authentication/recovery, then F....... say so loud and clear, right from the start, for every service, any place, anywhere, any time!

But that would be too obvious, innit?


To add some specifics to the perceived stupidity:

After being locked out, given that box with options to restore.

Trying several, won't work. All leads to phone number, and not that obvious it has to be mobile, and SMS-capable.

Giving them the POTS/Landline, because even Amazon manages to give instant call-back on that. (In the middle of the night, very early morning even!)

Error like: 'This number has been tried too often.' WTF? That was the first time ever!

NOT this is no mobile-number, try that! Why do they even let me enter that, then? Why do they insist on SMS, while some voicerobot could sing some f...... code to me on that landline, which I could enter into some form?

Why can't I switch OFF all of that hypersensitive security crap in account settings, because I know it's suspicious, sometimes not logging in for weeks, or even months, without any former cookies, on different devices, from locations far away, in different timezones, physically, while using VPNs, too?

Do I have to say daily where I am, like a good android-sheepl? Do I have to upload a whitelist of devices with identifiers in advance? Can I authenticate with the imprint of my glans penis on the sensor, then?

  GO TRACK YOURSELF!

Why don't you just contact someone at Google? I would recommend starting an Advertising Campaign and not paying it. You will be surprised how quickly a support number with a real human being at the end appears.


How do you do that if you are locked out of your account?

Hey there, mate! Can't really do a thing, but I'm here for emotional support. You won't believe how many of us are here. :(

In my case Google refused working secondary e-mail link, secret word, current password - all of those. Probably just because my IP address changed. And my gmail and YouTube channel are now lost forever with no explanation. (I had no mobile number attached to it)


Appreciate the emotional support, I feel for you. You reminded me of my youtube music subscription with my massive playlist, I like to think of it as just currently unavailable, I lose hope slowly.

https://i.ibb.co/QdsKthf/markup-1000014882.png


>(I had no mobile number attached to it)

That's just heresy for Google.


I'm sorry this happened. This is my digital nightmare scenario!

It is disturbing how much of our digital and physical life (utility accounts, medical insurance, etc. etc.) are tied to email addresses and these email addresses are something we can never ever truly own. If you are locked out of email, you are also locked out of at least half a dozen critical portals that send password resets, OTPs and all kinds of authentication fragments to your email address!

Most email addresses are on somebody else's domain and they can lock you out anytime. Even if you manage to set up your domain name, you are still renting the domain name from someone. One missed payment or you somehow mess up the admin work of your domain name or you lose your domain name for any reason (yes, it happens!), nobody in the world can reach your email address!

How did this happen? Weren't the old days of snailmail better? You could own a house or you could rent a house and get actual physical letters at your home. If you moved houses, you could have the new tenants of the old house forward mail to your new one until everything settled down.

Email addresses seem like a good secondary mode of communication but I find it disturbing that all around the world, email addresses have become the primary mode of communication and sometimes the only mode of communication!

Does anyone else feel extremely uncomfortable that so much of our critical digital and physical lives are tied to email addresses, things that we can never truly own and can be taken away from us anytime?


While you don't own a domain name, you have legal means to get it back.

That's not the case with a GAFAM email account.


> While you don't own a domain name, you have legal means to get it back.

Can you or someone else share more about this? Do these laws work across countries? Can someone in Bhutan exercise their legal right to get back their .com or .org domain name? Must someone in Bhutan always buy a .bt domain name? I'd like to learn more about how the legal framework works and protects the customer from loss of their domain names?


Provided you're in the same country as the registrar and using your passport for registration. And you don't miss your pay date (they usually don't allow to pre-pay for many years in advance). And payment remains available (I once had to resort to paying with cash(!) because of banking troubles). And registrar doesn't get bought, go bankrupt, etc. After losing an important domain I can't say it's THE way to go. Also, self-hosting e-mail is a nightmare. Not only because of ridiculously complex software, but also need to be trusted, which, in e-mail world, is hard as...


You don't have to self host your email, you only need to redirect to your preferred email service.

I prepaid my domain name for 15 years.

You can transfer your domain out of a registrar.


How do you actually get it back? Friend of mine has a portfolio website in their name they’ve been maintaining for well over a decade, they missed one payment and some scoundrel bought it up and is demanding thousands of bucks for it.


There is a grace period of 1-2 months before the domain is put back to sale.


What is the legal means to get it back?


No need for any tricks, just go to your registrar and extend/restore the domain. The fees are huge though, usually.


With a lawyer.


YMMV but I've had similar loops during login that were resolved by trying to login in incognito mode. And if it works, then clear all your cookies / reboot / try again in the main browser.

There's something broken in google's auth security system.


Same. I don't remember how I got out of it the last time, but I came to the conclusion that their login security is dysfunctional. I even had the right phone, authenticator codes, etc., and it kept asking me for something else that would lead to an authenticator code being asked for again, restarting the whole loop.

Maybe it's more "secure", but the situation is strikingly similar to a hacker changing your passwords.

So glad I switched to ProtonMail a long time ago and decentralized my data across different services. One's life should not be left in the hands of The Google.


> restarting the whole loop.

I once recorded and made a GIF out of it :D :_D :_(


Just tried, first screen:

"Account disabled 'myemail@gmail.com', We noticed unusual activity in your Google Account and locked it to protect your information. Learn more" and a button "Try to restore".

And now I got: "Too many failed attempts, Unavailable because of too many failed attempts. Try again in a few hours.".

At least I got a new message.


Yeah... this is consistent with my experience. Try to keep calm and actually try again in a few hours.

It sounds like you have 2FA enabled so an account takeover is very unlikely. It sounds like you haven't violated the TOS in some egregious way, so actual ban is unlikely.

Most likely is there's some type of crazy cookie thing going on that is causing the auth system to vomit. It's shocking that this happens, but alas.


Also make sure you’re not on a VPN when trying any of this.


Seriously, just take the messages at face value. Better headline would have been "Google proactively protected my 10 years of private data after some villains tried to steal it".


This happened to me back in ~2018 or so. I'm trying to think back to what happened and how it was resolved.

The only way I've ever been able to get decent support from Google's help center is by calling and escalating the issue and then eventually getting to the right person via the email chain started following the call. It's a pain in the ass I know.

I *think* I ended up just having to get my phone replaced because it was the primary device that every other service relied on in the end for authentication (Google pixel & Google fi, Google TV, gmail, oauth, etc).

Also look in your recovery email for an email that contains a list of backup/recovery codes. I'm pretty sure they don't email these codes anymore and you're prompted to write them down/save them elsewhere but worth checking.

Needless to say since then I do not use google for hardly anything other than the phone itself.


> account represents my entire digital identity

probably a mistake - not saying I haven't done the same, I have and still do... however, I regularly back up my mailbox and data I cannot live without every 4 months to local storage & then copy the dataset to 2x physically separate media stored in different secure locations. currently using "Corsair survivor stealth" usb drives.

short term fix? post on their social media feeds about it.


Ok this is what you do.

1) Incognito mode in Firefox

2) Use the same IP as before, or a private proxy with the same country and city as before

3) Go to Bing and search for gmail

4) Attempt to login

5) If asked to enter your full recovery email address - opt for this option

5) If you are then prompted for pva code use a fresh SIM which has same country code as the one you are in.

6) This might work


The solution to this is to find a Google employee that can vouch for you. There is an internal process to recover an account in this situation.


Really sorry this happened to you! I don't really have an immediate solution for you, my own experience tells me you're unlikely to get the account unlocked any time soon. That said, my story did have a happy end eventually: https://news.ycombinator.com/item?id=36335975. There were other reports that 2 years might be a magical amount of time before they let you back in. Not consolation right now, I know, but maybe better than nothing.


Happened to me once a few years ago but after trying many times with the correct and older requested passwords, it eventually worked for some unknown reason. I didn't have 2FA setup though...


For others in the thread: it's a good time to run Google Takeout (every 6 months) and copy your content to your own drive. Google Takeout now supports other clouds

Review your security and recovery settings. Hackers are very aggressive right now.

  1. third party apps
  2. 2fa activation
  3. family member settings
  4. recovery email & phone contacts


> The thought of permanently losing access to this account is terrifying.

Complete non-sequitur here, but that is one of the two inevitable things, according to Ben Franklin.

Yes, I’m talking about death.

So we should all make plans if there is actually anything worth preserving in posterity, plans that go beyond “just log in to my account” (which as OP shows is a huge PITA).


You say you lost a phone number in 2022. Might some of the people you know, still have it in their contact lists?


Sorry, I meant that I don't have it in my possession as I've moved out of the country and stopped paying for it, but I still know the number, the issue is that I can't get a message to it for 2FA.


Have you tried calling it and pleading your case with whomever owns it now?


I did, it's not currently allocated and it's in a "quarantine" list before some phone network operator allocates it.


I also moved out of country, but I kept paying $10/month for the phone number and $20/month for the mailing address, it's worth it.


> Have tried recovery dozens of times through g.co/recover

I don't quite understand your statement. The device can be lost, but you can always make a copy of the SIM cards. You may be referring to the fact that you gave or had your phone number cancelled.

Exactly this is why I moved away from Google and never use it for anything important.

When they started requiring verification from old phone it was too much. What if I lost it, it got stolen etc. Also have to account for them changing their verification requirements as they wish.


Try a different network entirely. Maybe you have a bad neighbour on that IP address. Or you are fingerprinted for some other reason.

If your phone has downloaded data, such as emails and contacts, back that phone up right away. At least that is something if not everything.


Tried that, the loop remains the same and asks for the phone number and then asks for the code.


I'm sorry, this is the Stripe support forum, not the Google support forum.

Can you somehow obtain a new SIM with the same number?


I may, remains to be seen, the main offices of the telecom don't work during the weekend.


The same thing happened to me in 2016 — I gave up and started a new account.


> I gave up and started a new account.

Some people never learn?


What would have been the lesson to learn in this case? What is a good solution?

I solved it by completely moving away from Google and services where I'm offered little control over verification settings. I remember I found the related settings in Google too restrictive at the time, and they seem to change requirements over time, thus making it too unpredictable for me. The "verify on old phone" really scared me away.


Ultimately, the lesson learned was big tech isn't your ally nor is the data you lend to them yours. Act accordingly. If they decide you no longer deserve access to the data, they can and will cut you off.

Personally, I pay for a service (email, data, password manager, etc). I also backup my data in multiple locations. It's a lot of work, but I don't really see an alternative at the moment.


Always remember to set a recovery email for your Google account.


Recovery email is good but still not the most reliable way.

My #1 recommendation is to setup a passkey, and also set multiple security keys as the 2nd factor. All other authentication factors are subject to some form of heuristic defense.

Beyond that, a few optional things you can do in addition:

- Use Advanced Protection.

- Use a platform that's more secure, which are iOS, ChromeOS and some android (e.g. Pixel), in general and especially during recovery attempt.


Good luck. I lost access to my Facebook account of 18 years a few years ago due to some 2fa bug (it tells me to enter a code from the fb app which doesn’t have that code.) Despite sending copies of my passport, license etc, the automated systems are of no help.


You did it to yourself by WILLINGLY and KNOWINGLY using proprietary software.

You can only blame yourself.


I was just helping someone with this. Attackers captured the account at night time his hours, and updated all of the recovery contacts to their own. The account recovery process is deliberately secretive to prevent attacking the protocol.

Eventually you get escalated to a team that reviews your govt ID. Have you hit that point yet?

https://support.google.com/accounts/answer/6294825?


This is my worst fear fr

nice reminder that I need to set a reminder to download a full backup of all things google takeout regularly.

In a (maybe, maybe not) similar situation when a friend got a new phone, added sim card - then could not start the phone because google pass was not working.. (and he could not get 2fa of sms auth)

I suggested he go home where he is already logged into gmail - and update account settings to allow additional methods of account recovery - bam - fixed.


Do what I did. Draft a formal complaint covering all of this. Document as well as possible, take it to get notarized, send registered mail to Google's legal arm. Worked for me but you have to prove as well as possible that it's you. Good luck.


I dunno, call their tech support line? Oh wait… sv doesn’t do that.


Not intending to shame OP, but in 2024 with stories like this occurring regularly, I am totally baffled why anyone still trusts Google with anything important. Make the switch! Run, don’t walk. Do it today.

Google is the Scorpion in the parable of the frog and the scorpion - it cannot help its nature.

https://en.m.wikipedia.org/wiki/The_Scorpion_and_the_Frog


In this case a big part of the problem seems to be that OP has 2fa enabled but set to a phone number they don't have access to anymore. This is a really tricky situation for any provider to handle.


And they moved countries.

This is some of the most suspicious login activity imaginable. Nobody should be surprised if an account gets locked when you repeatedly try to access it from a new country and without your second factor.


Just to clarify, I moved countries in the past, for the last year I've been in the same country for well over a year.


Switch to what?


You don't necessarily need to switch, just ensure Redundancy. If you keep a password database in there, or personal files, keep it on a secure external drive and make backups. Or Dropbox. Or anything.

Just keep an extra. Don't put all your eggs in one basket.

We have a home media server. Our important data automatically backs new files to a secure folder in there once a week. If I can do it, anyone can. And it could be done easily to an external drive or something that you plug in once a month. Anything. Anything at all.

Most companies have backups. There's a reason they do that.


How does that work in practice? I mean I may keep my data at multiple places. But my government, my hospitals, my utility accounts, they all want my email address to send me OTPs, password reset links and such things that are necessary to prove my digital identity.

How do I spread this risk and make it manageable? I have to give them some email address and I fear losing access to my email. And yes, I can lose my email address even if I have my email on my own domain. There are many failure modes for losing domain names. So how do I manage this risk?


I have secondary account recovery for everything and secondary accounts for everything. If email one doesn't work, my phone and second email does. Where OP went wrong was not updating their phone number when it changed. There's not a lot to be done at that point.


Just looking at emails: your choices are to trust someone else's domain -- likely gmail -- or own your own domain + some kind of forwarding or 3rd party mail service.

For gmail, you risk account lockout like OP is experiencing. You can mitigate the risk with more recovery options at account.google.com like backup codes.

For a service other than gmail, I think the risks of lockout without customer service to help might possibly be less, especially if it's paid like fastmail. If you do pay you have the risk of not wanting to pay anymore, or forgetting to pay, and if you don't pay you also have the risk of the service going away. I suppose the service going away is ok.

I for one am pretty confident google will keep gmail running as well as possible, so I see other services as a bit more risk there.

If you own the domain, you have paid for it and risk someone stealing it or grabbing it when you forget to pay. You can mitigate the risk by choosing a registrar with good security, paying for a longer term or not forgetting, eg a quarterly reminder to review your domain names. You also need to be able to access your registrar account. You can choose registrars you get other services from, like AWS Route 53 if you use amazon for anything, or Cloudflare for VPN, and mitigate the risk of non-payment or non-access because access and payment will be done more frequently.

Using your own domain is also more moving parts, decisions, setup, etc. So you risk more things going wrong or fatigue over all the maintenance taking over. How you weigh the monetary and complexity cost of using a domain name for email compared to the upside of control, having a personal site at your own name, etc.


With government and hospitals you can just reregister in meatspace.


The issue is an @gmail.com address is owned by Google, not you. Not only do you lose your contacts’ ability to reach you, but accounts tend to use email as a last-resort primary identifier. If you lose your ability to receive verification codes, you’re often screwed.

While the crowd here can maintain a domain, that’s not a realistic option for most average people. In practice, most people’s digital lives can be lost or reset simply by messing up their primary email account. With extremely limited recovery options, after a certain point at least.


> While the crowd here can maintain a domain

And domains can be lost too. Missed payments, error in administrating the domain, government takedowns. Many failure modes exist for domains too. Nothing in the digital world is permanent! That's why I find it disturbing that so much of our digital identities are tied to our email addresses.


Maybe with a paid email service like sneakemail.com you can restore access just by paying later?


They can use a forwarder like simplelogin, where they can change the target address.


For email which is the most important to get back under your control simply buy a domain and then there are plenty of options for email hosting (including Gmail, but you cannot be locked out now).


There's a good alternative for everything google does except Youtube - and if you are locked out of a consumer (not creator) youtube account, you can always just create a new one. For the creators, make sure you are building views on other platforms so no one can ice you out.


Honestly the answer depends on your personal requirements. If you want a product exactly like Google's offering you are not likely to find it. Somewhat like if you buy into the Apple ecosystem, buying into the Google ecosystem is designed to be a first class experience and everything else to feel slightly second class. This is of course a sort of faustian bargain, but it is up to you if you take it.

There are alternatives that do e-mail, cloud storage, contacts and calendars if you're prepared to research them. I won't post a list but mention some categories of options: there are companies offering similar products (fastmail, proton), you can sometimes rent managed next/owncloud/e-mail such as exchange from some suppliers, or you can self host some or part of your needs (e.g. I know people who tailscale to NAS drives). My google account is only used for paid-for android apps, for example. I'm one of the self-hosters (but I keep an eye on the managed offerings from local companies). I don't use tailscale as I can wireguard to my router, but tailscale works well when you just want stuff that plugs in and works. Synology NAS drives apparently can be tailscale endpoints.

Ultimately, I try to avoid Google as much as possible and to a lesser extent other large cloud providers. This stems from exactly the kind of incidents the OP faces, along with the usual concerns about ads/tracking (and specifically not contributing to this as a business model).


Anyone try Proton?


Which service do you recommend as alternative?


FastMail, Dropbox, Apple iCloud (Photos, Keychain, etc)


+1 for fastmail, it has built-in backup mechanisms.


Would definitely not recommend ecosystems. They can and do lock you out and you have more to lose.


I’m able to get ahold of a human for support with all products I mentioned. I’m unable to get ahold of a human at Google ever for any of their consumer offerings. I see lots of HN threads begging for Google support, I see no HN threads begging for support from any of the companies I listed.

You should always have backups, regardless of provider.


Fastmail. But you have to pay.


Paying is fine. Makes me the customer, not the product. Was just wondering which alternatives were worth considering :) thanks


Proton.


100 percent use proton!


postale.io

Requires your own domain.


I am very happy with Apple and iCloud, seriously. I've got plenty of cloud space for a fair price, it integrates seamlessly with Apple devices, ships with a password manager, you can hide your mail addresses, and other goodies. I've never had a problem with it.


Last time I went to France, Apple locked my iCloud for the duration until I could get back and log in from a USA IP address. They even cancelled my Apple Card. And France is not exactly a suspicious destination, and I go there 4 times every year. I don't think Apple account abuse systems work better than Google's.


There are similar stories with Apple: https://news.ycombinator.com/item?id=38625875


Do you or someone else know if Fastmail is any better? If I buy a Fastmail email, what protections exist that would stop them from accidentally or arbitrarily locking me out?

And note, I don't live in the US. I'm wondering about this question from a global perspective.


1. Use your own domain, to have a migration path out when needed.

2. Use JMAP/IMAP or https://www.fastmail.help/hc/en-us/articles/360060590573-Dow... and keep a copy of all your mail locally.


This is not an example of malicious activity though.


But your parent comment said:

"Google is the Scorpion in the parable of the frog and the scorpion - it cannot help its nature."

The scorpion is not malicious in the scorpion and the frog fable. So what's your point?


First things first: (Parenthesis) From now on, if it is important, pay for it. At least a smaller email provider with real human support, but best is "buying" your own domain and hosting your email. Same goes for backups. And pass the info to your loved ones.

Less importantly: Since you know exactly what phone # is requested, try to contact it. Approach it in a way that doesn't alarm the renter and blocks you. Meanwhile, contact a real human at the "telephone company" (maybe said # is free) and explain the situation: you want/need to PAY to get the phone number assigned to you. (My telecom offers that service.)

Human is always the keyword.


I gave up on keeping my main on my own domain a few years back since MS mailservers (both Azure and on-prem Exchanges) started rejecting it as spam. Spam drove us all to centralization, and now that they're running amok we have no good recourse.


Learnt my lesson, already working on taking measures for new data or hopefully the data from the account if I recover it.

I already called the number; it seems it's not in use. I called someone (he was selling "pretty" numbers online) to ask if it's possible to get it back, and they said that there have been cases, that it's currently in something they call "quarantine", and that there may be complications as there are two operators involved: the original operator of the number and the one to which the number was ported. I will follow up on Monday on that front.

Thank you.


Once you've got it all sorted, get 2 YubiKeys, use them to secure the account, and keep one on you and another in a safe place.

You can just use the cheapest ones.


> but best is "buying" your own domain and hosting your email

I wish this were still the case. Sadly, if you buy a domain and host your own email, you're going to get stuck in spam filters all the damn time. Your email address will feel broken, sending messages into the void.

The only email infrastructure services that are reasonably reliable belong to the likes of Google (Workspace), Microsoft (365), etc. Protonmail is reportedly okay, but my experience is that they still get spammed an awful lot.


I really wanted not to comment on this because there are many better authorities on the topic here. OTOH, I am sure I will learn something:

There will be friction. We are trading convenience for security. Paid smaller provider with human support is more convenient and probably enough for most people.

Also, the own-domain-approach is for an important inbox. Read as: it is business related, it pays for itself. It also allows you to set up as many addresses as needed. The receiving inbox is the critical part of email here, because it is often part of your logins.

Regarding your outbox:

> you're going to get stuck in spam filters all the damn time. Your email address will feel broken, sending messages into the void.

I try to remember this: Initially using forwarding. Send the message directly from your address to the recipient, and a cc to a (more popular) forwarding address that sends the duplicate to the recipient, and starts with a clear: DO NOT REPLY TO THIS ADDRESS, and a "reply to" your own domain address. Your domain will eventually gain traction. This is a time investment to prevent a [another] catastrophe. Others mention this point as an "SMTP relay service", which is much better.

Others also mention that domains can be seized, which sounds less likely than Google or Apple randomly blocking your account.

Failed Payments and other Domain management tasks, that's something I only know as much as any other passerby.

Edit: inbox vs outbox


You can pay for an SMTP relay service that maintains a good reputation if sending mail is important to you. Also if the email is only for auth purposes to decouple 3rd party account recovery mechanism from services like cloud storage, sending email is not important, so an inbox without a healthy SMTP reputation can still be a valuable tool.



