Gmail account recovery and security
This article guides you through recovering a lost Google Gmail account and, if necessary, securing it to reduce the chances of it being stolen again.
Contents
- Take a tour of account recovery
- Lost Password Recovery
- Lost account name
- Accounts with 2-Step Verification enabled
- G Suite account
- Additional recovery hints and tips
- Other account recovery cases
- FAQ about account recovery
- Account security
- Protect account content
Take a tour of account recovery
In 2016, Google made major changes to the account recovery process. It has been simplified to a more general process, usually covering a few specific cases. So don’t be surprised if the recovery process you used in the past is different now.
Additional sources of information include the account help center and the account help forum, both of which support searching for topics of interest.
Be realistic
Gmail account recovery is currently designed to work best when only one item is lost, such as the password. Responsible users keep their accounts secure and their recovery options up to date, so they can easily verify themselves if necessary or prove ownership of a lost account. The more items are missing (recovery phone, recovery email, past password, known device/location/IP address), the harder it is to prove ownership. If many items are missing, do not work, or have been changed, you cannot prove ownership and your account will be lost.
If your account has no recovery email or phone configured, or they are out of date, there is not enough to prove ownership and you may not be able to recover your account.
If your account is stolen and your recovery options are changed, you may not be able to recover your account because there is not enough to prove ownership. Fortunately, if less than a week has passed, Google can use the previously configured phone number for verification.
If it’s been a few months since you last logged in to your account, you won’t have a recently used device/location/IP address, which greatly reduces your ability to prove ownership.
Obviously, the above doesn’t mean that account recovery is generally impossible. Its purpose is to establish realistic expectations for how easy account recovery will be based on information that can be used to prove account ownership. Obviously, not all lost accounts can be recovered.
Lost Password Recovery
The recovery process can be started in one of two ways:
- Go to the Gmail login page at https://mail.google.com/, enter your email address and click on the “Forgot your password?” link.
- Go directly to the start of the recovery process at https://accounts.google.com/signin/recovery.
You should see an “Account Support” page where you can enter your email address and click Next to start the process. If you don’t remember your email address, there is also a “Find my account” link (explained below).
This gives you multiple ways to regain access to your account or prove that you own it. The options available depend on the recovery options previously configured for your account. For example, if a recovery email address has not been configured, you will not see that option. If the option is configured but not kept up to date, it will appear, but it may be useless for recovery. In the case of a stolen account, you may see an option, but if it is modified by a hacker, it cannot be used for recovery.
If 2-Step Verification is enabled for your lost account
Even if your account was stolen and hackers made it difficult to recover your account using two-factor authentication. The recovery options available may include the following questions or actions and may have other items listed below or not illustrated.
- Please enter the last password you remember
- Get a verification code by text or phone with <number> (not always offering both options)
- Check the phone number provided by the security settings.
- Google sends an email to <e-mail> with a one-time verification code.
- Receive a message from <Phone> and tap Yes to log in.
- Answer the security questions you have added to your account.
- When did you create this Google Account? This question seems to have been deleted from account recovery (May 2020).
- If possible, please briefly tell us why you can’t access your account.
Most of the options are based on information configured for your account before you lost access. Therefore, if an option such as a recovery email address was not configured, you will not be presented with that option. If you have a pre-configured email or phone number and you select that option, you will be sent a 6-digit code to enter. Entering the correct code will take you to the password reset page. If you have answered enough other questions, you can also go directly to that page.
Even when you use the pre-configured phone number or email, you may be asked additional questions after receiving the code. This can happen if Google discovers suspicious activity on your account and requires additional proof of ownership before returning the account.
If you can’t use or answer the option given, click the “Try another question” link for the next option. Of course, if you skip too many questions, you won’t be able to prove ownership of your account. If you don’t get the option to reset your password, the last question usually asks for a contact address where Google can send you an email.
A 6-digit code is sent to that address, to be entered as above. However, unlike above, receiving this code does not mean that you can reset your password. This step only confirms that you have a valid email account you can access. The answers you provided on the previous pages determine whether you are given the option to reset your password or your request is denied. The message tries to make clear that the contact email has been verified, but ownership of the account has not.
If the options are unavailable or fail to prove ownership of the account, you will see a message stating “Google cannot verify that this account is yours.” If you have additional or more accurate information to provide, you can of course try again, but if you can’t prove ownership of your account, the account will be lost. There is no other way to recover a lost account.
Lost account name
Clicking the “Find My Account” link on the first page takes you through a series of steps in which you provide a previously configured email or phone, the real name on the account, and a verification code. If successful, you will receive a list of accounts that match that information and you can continue logging in. You need to know both the email/phone and the name on your account. If you don’t know the account password, try recovery using the procedure above.
Accounts with 2-Step Verification enabled
- Two-factor authentication adds a level of protection for your account by requiring a second action or code in addition to your password when you log in. Therefore, recovery of accounts using two-factor authentication is a bit more stringent. If the account is compromised and the hacker has enabled 2-Step Verification, this also applies to the owner.
- When 2-Step Verification is enabled, you are presented with a third screen after entering your account name and password, where you need to provide your 2-Step Verification code via the default method configured for your account. If you can’t provide it, the page has a link to “Try another login method”, which lists all the options you have previously configured for your account (this list can be very short if backup options were not configured). Clicking the last box, “Ask Google for help…”, takes you to another screen listing all the options again, along with some additional ones.
- Yes, I have a lot of two-factor authentication options configured on the above account, because I do not intend to be locked out of my account.
- At the bottom of the second screen there is a link “Ask for help from Google”. Depending on the options you have configured for your account, you may be asked additional questions at this point, but you will then go through the normal account recovery process.
G Suite account
G Suite (formerly Google Apps) accounts are accounts that do not end with @gmail.com and cannot be recovered using standard Gmail recovery procedures. You will need to contact the Google Apps administrator for your domain who can reset your password so you can access it again.
Additional recovery hints and tips
This section contains information and hints that can significantly increase your chances of a successful account recovery. This section is long and without pictures, but it is recommended to read it very carefully.
The account recovery process consists of a set of elements that Google uses to determine the legitimate owner of an account. Some of these you have limited control over; others you cannot control. However, understanding them is important to making the process successful.
What you can control before your account is lost - You may be reading this article because you have already lost access to your account, so these topics come a bit late. But keep them in mind for the recovered account and any other accounts you have, so you may not have to revisit this article later.
Account password - Write it down and keep it in a safe place. Everyone thinks they will remember their password, but most are wrong. If you write down your password, a lost account is easily fixed by simply looking it up.
Recovery options - Configure the available options (email and phone) for all accounts and, most importantly, keep them up to date. https://support.google.com/accounts/answer/183723
Creation date - One of the current questions in account recovery is when the account was created. For safekeeping, simply print one of the original “Welcome to Gmail” messages or forward it to another account, and you will always be able to retrieve the date.
Factors you can control during account recovery - The details and answers you give to the questions.
Past password - This should be the most recent password you can remember exactly for your account. Google doesn’t store a readable version of your password, so any password you provide must be 100% accurate. Otherwise, once it is encrypted, it won’t match anything in your account’s password history.
Security questions - Security questions are no longer supported and cannot be added or modified (you can only delete them). But if you have one on your account, you may get a chance to answer it. I assume the answer must be exact (not just close).
Creation date - (This question doesn’t seem to be used anymore for account recovery.) The account creation date doesn’t have to be perfect. You can be off by days or weeks, but not months or years. I’m assuming that plus/minus one month from the actual date will be close enough. If you don’t know the creation date, you might be able to figure it out with a little thought.
- Find the account creation confirmation email that would have been sent to another account owned at the time.
- Associate account creation with life events such as graduation, moving, ISP change, and more.
- If created as part of the new mobile device setup, check the date on the device’s sales receipt.
- If an account has been created to start the mobile device service, check the mobile contract start date.
- Ask your contacts whether they saved a change-of-email message sent from your new Gmail account, or another email sent when the account was new.
- Check the creation date of other accounts opened at the same time, such as PayPal, eBay, Facebook, Amazon, etc.
- If you still have access to your account (perhaps from a mobile device you are still logged in to), check the original account creation email or the oldest message saved under the All Mail label.
- But don’t start guessing a lot of dates just hoping you’re lucky. Google can tell if someone is guessing the date, so it doesn’t help.
“If possible, please briefly tell us why you can’t access your account.” - This is not where you submit facts to prove account ownership. This is where you describe what happened when you lost your account. If it matches the information Google holds about what happened to the account, that supports the account being yours.
Known types of access - Google has made it clear that attempting recovery in the same way you normally accessed your account helps a lot. Google has not clearly documented everything it uses, but empirical evidence suggests that some or all of the following are used:
- Browser (may have something to do with stored cookies).
- Physical computer or mobile device. If you are using an email app/client, try the recovery using a browser on the same physical device.
- Physical location. If you always access your account from a specific location (home, work, etc.), perform a recovery from the same physical location.
- IP address. Similar to physical location, but IP address can and does change regularly.
If your account has been used regularly on multiple devices, try the account recovery process on each device.
Description of the problem (or similar field) - Sometimes you will be given the option to provide additional information to help prove ownership of the account. It’s a free-form field of limited length that lets you list things Google can check. However, there are some clear rules about what can and can’t help prove ownership, based on what Google can and can’t verify.
What to include
- If you still have access to the account, the type of access (mobile, browser, etc.).
- Reasons for losing access to your account:
  - Compromised account
  - Forgot password
  - Two-factor authentication lock due to lost authenticator or phone, no backup code
  - “Unrecognizable device” question
  - “Strange” challenge
  - Other security checks not working (secret question, phone check)
- Any additional past passwords you remember.
- The date of account creation, if not requested during the recovery process.
- The last time you successfully logged in to your account.
- Devices used for the account (computer or mobile).
- The locations used to access your account, such as country and city.
What not to include
- Anything that requires account access for verification. For privacy reasons, Google employees cannot access user account content.
- Anything related to your email connection or use on other accounts/sites (Facebook, PayPal, etc.) owned by you.
- Anything that proves your personal identity, such as a government ID card. Proving who you are does not prove that you own a particular account.
- Only information that Google can verify from your account access history and server logs will help.
Outside your control - Google has a lot of information on its email servers about your account that it can use to check claims on the account. Google doesn’t document any of this, but you can probably guess what some of it is.
- The locations from which you have accessed your account in the past.
- Devices, computers, browsers, clients and apps used to access your account.
- The types of account access used, including web, IMAP, POP3, and mobile.
- Records of account recovery claims for the account: when and where they were made, and from which computer/device/location/browser. This includes attempts by someone else to recover the same account.
- The account’s current access type and usage (if a hacker has compromised it and is using it).
- And no doubt more.
The point is that Google knows more about your account than you do, and uses that information when asked to recover your account.
Logistics issues related to account recovery - There are many other things to keep in mind when performing Gmail account recovery.
- It’s not about the number of times you repeat the account recovery process, it’s about giving better answers every time you try. If your submission is rejected, you need to work on providing more answers, and more accurate ones, in subsequent submissions. If you have nothing new to add, there is no need to repeat the process.
- Wait for a response before each new submission. If you are told 1-3 hours, it is better to wait until the next day. If you are told 3 to 5 business days (1 week in real time), allow 1 to 2 additional days.
- If you do not receive a response, check the spam or junk folder of the account you specified for a response. Also, make sure you are checking the correct account, the one you verified with the code at the end of the process. If you have provided multiple accounts during other attempts, check them all.
- Duplicate submissions, or submissions made without waiting for a response, will trigger a submission lock, requiring you to wait a few days before trying again.
- Guessing an answer (e.g. the creation date) is obvious to Google and can cause the process to stop asking that question.
If your account is not compromised and you simply forgot your password, there may be a simpler option for password recovery. If you have set your browser to remember your account information, you can look at your saved passwords. Both Firefox and Chrome can show saved passwords in clear text. If you’re using another browser that doesn’t allow this, you can install Firefox or Chrome, import the settings and see if you can access the saved password. Again, this only works for those who have forgotten their password and rely on the browser’s auto-fill feature, but if it applies, it may be easier than the procedure above.
Other account recovery cases
Suppose you went to https://mail.google.com/ and tried to log in to your account. It didn’t work and you don’t know what to do next. Here is a list of common situations or errors and what you need to do for each.
- Password doesn’t work. Click the “Forgot your password?” link on the sign-in page, then follow the instructions. You can prove ownership by using previously configured recovery options or by answering questions about your account.
- I can’t remember my account name (email address). Use the “Find My Account” link on the login page, then follow the instructions.
- You are instructed to enter your mobile phone number to receive an SMS code. Follow the instructions provided. The message may refer to “suspicious activity” or to something “different” about how you are logging in. For more information, see http://www.google.com/support/forum/p/gmail/thread?tid=69a33682180a6d01
- “Contact your domain admin” - It’s a G Suite account (not @gmail.com) and you need to contact your G Suite admin to get help with your account. https://support.google.com/accounts/answer/181627
- “Sorry, Google can’t recognize the email” - The account does not exist. This could be because of a misspelling in your email address or because your account has been deleted.
- “Temporary error…”, “Sorry…” or a similar message - See the following troubleshooting tool for more information. https://support.google.com/mail/answer/140031
- Any message about minors - Indicates that the system thinks the user is too young to own a Gmail account (usually under 13). Reference: https://support.google.com/accounts/answer/1333913
- A message stating that an account has been ‘retired’ or ‘paused’ generally indicates some abuse, violation of the Terms of Service, or possible account theft. Follow the link provided when attempting to log in. https://support.google.com/accounts/answer/40695
- “Google doesn’t provide any other way to log in to this account” - Usually indicates that the account has been disabled. Follow the process to recover a disabled account. https://support.google.com/accounts/answer/40695
- “This account has been deleted and can no longer be recovered” - The account is lost. There is no way to recover it, and the account cannot be re-created.
FAQ about Google account recovery
Q. Why can’t I give someone personal details about my account that they can look at to verify my claim?
A. Account privacy rules are very strict within Google, and allowing employees to view the contents of your account is a serious privacy violation. You may know enough about the contents of your account to prove ownership, but no one at Google can verify that information.
Q. Why doesn’t account recovery have a comment section where I can add additional information to prove my claim?
A. As above, it is a violation of account privacy for an employee to look into the account for additional information provided.
Q. Why can’t I simply talk to someone about this issue?
A. Unfortunately, Google does not provide real-time support for free Gmail products (see: http://mail.google.com/support/bin/request.py?contact_type=contact_policy). You need to use the recovery method provided. Besides, even if you could talk to someone, you would still have to answer the same questions to prove ownership of your account.
Q. Why can’t Google lock my account to protect it from further damage or outgoing spam?
A. Google may detect suspicious use, or deactivate an account if it is being used to send spam. However, due to privacy concerns, it will not lock an account simply because someone claims it is theirs and has been stolen. Also, since there is no live support, there is no one to even make such a request to.
Q. I have a really long password with random strings that are hard to guess. How was my account stolen?
A. Google (like most email providers) blocks attempts to enter many passwords in order to guess the correct one (a brute-force attack). Most accounts are compromised by collecting passwords in other ways. A secure password is important, but it’s only one of the many things you need to keep your online account safe. This article has detailed information on this topic.
Q. But I am very careful with my password. I don’t give it to anyone except in response to an official request from Gmail.
A. Unfortunately, if you provided your password in response to an email (including those claiming to be from Google/Gmail), your password was leaked by phishing. It’s very common and can trick even the most prudent people.
Q. There is no reply after submitting account recovery information.
A. First, make sure you are using a valid contact email address that you check regularly for replies. Also, check the junk/spam label in case the reply was filtered incorrectly. Then try again. You can also try using a different contact email address.
Q. A hacker deleted my contacts. How do I recover them?
A. Deleted contacts can now be restored at any time in the last 30 days. https://support.google.com/mail/answer/1069522
Q. A hacker deleted my email history. How do I recover it?
A. Have you looked for the missing messages in All Mail and Trash? Have you tried using search? Unfortunately, messages deleted from Trash or Spam cannot be recovered. To ask Google to recover messages deleted by hackers, see https://support.google.com/mail/troubleshooter/4530113.
Q. A hacker deleted my account, can I recover it?
A. The account recovery process can sometimes restore recently deleted accounts. This is the only option in this case. However, if you see the message “This account has been deleted and can no longer be recovered”, your account is lost.
Q. I don’t care about the account. I only need to get the email history or contacts out of it.
A. Unfortunately, you need to be able to access your account to transfer information from it. So you must first recover the account.
Q. I don’t care about the content. I only need to get the email address back because there is something else linked to that address.
A. Account names are not reused, so you cannot re-create it. To get the name back, you need to recover your account.
Q. Can anyone know who did this? Can anyone prosecute them?
A. The only information available is a list of the last 10 IPs that accessed your account (see the Details link below the inbox). However, given how easily an IP can be forged and how imprecise it is, you can’t find out more than a general location. In general, law enforcement agencies are not interested in simple account theft, and Google is not law enforcement. The bottom line is that your energy is better spent recovering your account and securing it again.
Q. Isn’t what they did illegal? Can I sue them or have them arrested?
A. All legal questions should be directed to local law enforcement or attorneys. Google is neither, and cannot advise on any action.
Q. Can I see what they did with my account while they had access?
A. There is no way to know for sure, as there is no account activity log available. If there is spam in your Sent Mail, they used the account for that. But there is no way to know which messages they viewed, so take appropriate precautions.
Q. How was my account stolen?
A. There are many ways to collect passwords and steal accounts, but the most common are:
- Using the same password on multiple websites. A less secure site is hacked to obtain its user database (emails and passwords), and the hackers then try all of them. If the user did not use a unique password, the hackers gain access to the email account.
- Phishing emails that request account information or direct you to a phishing website. Don’t dismiss this: the messages can be far more convincing than you might imagine, using text copied from an actual Google email or online form.
- Use of computers infected with key loggers or other malware (most common on public computers such as schools or libraries) to record login information.
Account security
Once you get your account back
The process of re-securing your account actually consists of two parts: (1) securing your Gmail account and (2) securing the Google Account that holds your Gmail account. Both parts must be completed. Otherwise, changes made by others may be missed and your account may be compromised or accessed again.
- Google has created a Gmail Security Checklist that you can use to check your Gmail account and other related security settings. https://support.google.com/mail/checklist/2986618?rd=1
- Google has also created account security checks that perform similar functions at the account level. https://security.google.com/settings/security/secureaccount
Here are some of the more important nuggets from the above. This isn’t a replacement for doing both checks, but it helps you get the most important things done quickly, so you can do the two checks above later (don’t forget).
Getting started
- First, scroll down to the bottom of the Gmail page and check whether other sessions are logged in to your account (‘This account is open in 1 other location’). Then click “Details” next to “Last account activity” (bottom right) and click “Log out from all other sessions”.
- Now change your password to something reasonable, but don’t worry too much about how secure it is, because you will change it again. See the first item of the Account security section below. Next, check all of the following items and make sure they are set up correctly.
- Note: Settings are accessed using the gear icon at the top right of the Gmail window, then “Settings”. If you’re using the basic HTML version of Gmail, “Settings” is one of the options at the top.
- Note: Gmail now has a blocking feature, so in the following picture, “Filter” will be “Filter and Blocked Addresses”.
- Note: In the following picture, “Accounts and Imports” may be “Accounts” in some cases.
- Also, you may have to scroll down on each specific page to find the referenced settings.
Potential spam
- Settings that allow spam to be attached to outgoing emails.
- Settings -> General -> Signature
- Make sure no items have been added, and if you don’t see more items, scroll down.
- Settings -> General -> Vacation Responder (or Out of Office Reply)
- Make sure it is disabled and empty.
Email theft
- Settings that could lead to email theft
- Settings -> Forwarding and POP/IMAP -> POP Download
- It is best to disable it unless there is a clear need.
- Settings -> Forwarding and POP/IMAP -> IMAP access
- It is best to disable it unless there is a clear need.
- Settings -> Forwarding and POP/IMAP -> Forwarding
- Disable forwarding, or make sure the forwarding address is correct.
- Settings -> Filter
- Make sure there are no filters defined, or at least no filters that forward or delete emails.
- Settings -> Accounts and Imports -> Send mail to the following address
- Make sure each entry is a correct email address and delete any unrecognized items. Also, click the “Edit info” link on the right and make sure that none of the entries (including the default one) has a reply address set to an account you don’t own.
Account security
These are settings that improve account security and make it easier to recover a lost account.
- The destination of the path used below (Settings -> Accounts & Imports -> Change Account Settings -> Other Google Account Settings [New Page]) can also be reached directly using a direct link to Account Settings. https://myaccount.google.com
- Settings -> Accounts & Import -> Change Account Settings -> Change Password
- Choose a new secure password.
- Direct link: https://myaccount.google.com/security/signinoptions/password
- Settings -> Account -> Change Password
- Settings -> Accounts & Imports -> Change Account Settings -> Change Password Recovery Options
- Confirm your mobile phone number, recovery email address, and secret question/answer (if any).
- Direct link: https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=mail
- Settings-> Accounts-> Change Password Recovery Options
- Settings -> Accounts & Imports -> Change Account Settings -> Other Google Account Settings [New Page] Privacy & Privacy -> Privacy
- Check the name and other settings.
- Direct link: https://myaccount.google.com/privacy#personalinfo
- Settings -> Account & Import -> Change Account Settings -> Other Google Account Settings [New Page] Login & Security -> Connected Sites & Apps -> Apps Connected to Account -> Manage Apps
- Revoke access for any sites that are not recognized or not absolutely necessary.
- Direct link: https://security.google.com/settings/security/permissions
- Settings-> Accounts-> Other Google Account Settings
- Settings -> Accounts & Imports -> Change Account Settings -> Other Google Account Settings [New Page] Login & Security -> Login to Google -> 2-Step Verification
- For added account security, you need to enable two-factor authentication and save a set of backup codes as instructed during setup.
- Direct link: https://accounts.google.com/b/0/SmsAuthSettings#devices
- Settings-> Accounts-> Other Google Account Settings
Your account is now secure, so double check for other sessions logged in to it. If your account still has other sessions, repeat the process above until everything is secure and no one else is logged in. Once you’ve verified that your account is fully protected and no one else is logged in, it’s a good idea to change your password one last time.
Don’t forget also the Gmail security checklist and account security check mentioned above.
Protect account content
Sometimes hackers delete email records and/or contacts, so they are gone even after a compromised account has been recovered. Unless you back up that information to your local computer, you can lose it permanently.
There are many ways to back up your Gmail account, and there are several tools that can help. Got Your Back (GYB), a free utility that supports backup and restore of Gmail and Google Apps accounts with full label support (https://github.com/jay0lee/got-your-back/wiki), would be the best for Gmail. It can run as an automated scheduled task. Save the files to your local computer so that they are included in your normal computer backup.