| ▲ | firefax 12 hours ago |
| I wish they'd let me recover my original -- I lost my TOTP generator, and the codes I'd written down in a paper notebook were rejected. I even hunted down the electronic copy in case there was a transcription error -- seemed like some failure in their systems was causing me to lose access despite having followed proper procedures. Lost a decade and a half of correspondence dating back to my teenage years. I had imported my phone number I'd had since I was 16 into voice, and it doubled as my Signal number. I even had a Gsuite subscription so I could use their (admittedly decent) UI to power my firstname @ lastname dot com email address. I will never use their services again, I was really disgusted by this failure. |
|
| ▲ | macrolime 11 hours ago | parent | next [-] |
| I had something kinda similar happen to my hotmail account. While I didn't lose access to it, I lost more than a decade of correspondence dating back to my teenage years. The reason was that Microsoft at some point required you to "login" once every 30 days. It seems they only counted logins through their web interface or something like that, so even though I was receiving emails daily, I didn't trigger a "login" in their system. They then deleted all my emails, but I could still login. |
| |
| ▲ | lurk2 10 hours ago | parent [-] | | This happened to me ten years ago. A while later they did the same thing with my Minecraft login that I had purchased before the EULA was in place; I’ve avoided their services like the plague since then. |
|
|
| ▲ | thiht an hour ago | parent | prev | next [-] |
| I had the same issue with my Hotmail address. I know the address and password, but Microsoft won’t let me login. And they ask ridiculous things like, what emails are in the inbox. I haven’t used this address for 20 years, I just want to access the Hotmail address from when I was a teenager. |
| |
| ▲ | jopsen 41 minutes ago | parent [-] | | Send some emails to the address, then you'll know what is in the inbox :) | | |
|
|
| ▲ | fosco 11 hours ago | parent | prev | next [-] |
| I still think about my lost address that I obtained when Gmail was invite only. My family still occasionally CCs it and it drives me nuts, I would pay money to at least have it shutdown so they don’t think I received an email. I had email forwarding to another address when stolen and immediately after it was stolen it had the weirdest messages, I tried multiple ways reaching out to google and it still bugs me I was unsuccessful. I’d love the thief of my account to at least have it shutdown |
| |
| ▲ | gleenn 10 hours ago | parent | next [-] | | Maybe you should send it enough mail to fill it up and then it would reject emails? Send a bunch of emails with large attachments and avoid getting marked as spam. | |
| ▲ | firefax 11 hours ago | parent | prev [-] | | I got mine when it was invite only too, I had it a very long time. I use protonmail now -- I think the "free" model enables providers to shrug and go "hey you don't pay us" (if there is support at all -- I've never been able to speak to a human about this issue) | | |
| ▲ | colechristensen 11 hours ago | parent [-] | | >I think the "free" model enables providers to shrug and go "hey you don't pay us" (if there is support at all -- I've never been able to speak to a human about this issue) I also have paid services a lot of money where customer service was nonexistent until I did a credit card chargeback or raised an issue with government regulators. I'm trying to figure out exactly what I want to push my state legislature to encode into law with regards to customer service minimums that would cover anyone doing business in the state, free or paid. | | |
| ▲ | bruce511 6 hours ago | parent [-] | | I'm in the camp that paying makes you a customer. Inversely using a free service makes you a user, not a customer. And as you correctly note, there is no "user service" department. You can of course push for any law you like, but I expect laws protecting "users" to be toothless. Basically the TOS will boil down to "we can do anything we like" - which I guess is more or less what they say now. I find it helpful to think of users as distinct from customers because it lets you understand the provider company motivations. For example, Google's customers are advertisers. Hence they cull services not conducive to advertising. Most startups see VCs as the customer. Their business model is to sell shares to VCs in round after round. Seen in that light their attitude to users is rational and users only exist as props to VC sales. VCs (and founders) are chasing an exit, which is usually acquisition or acquihire. Your use of the service will thus rarely survive the exit. These are not things to be outraged about. They are all completely rational and predictable outcomes. When you use a service, these are factors you should evaluate. |
|
|
|
|
| ▲ | Beijinger 5 hours ago | parent | prev | next [-] |
| Gmail is a throwaway email. I lost my SIM and hence can't log in anymore. Never ever rely on Gmail. |
| |
| ▲ | markdown an hour ago | parent [-] | | Huh? Are phone numbers tied to physical sims in your country? You can't just ask the phone company to give you a new sim with the same number? | | |
| ▲ | dijit 36 minutes ago | parent [-] | | If you’re on a contract that can work. If it’s a PAYG sim card then you’re out of luck without the PUK code, which, if you’ve lost the sim then you have most assuredly lost (or never had). PAYG is a lot more common in parts of western Europe than contracts. People associate contracts with “overly expensive” phone deals. |
|
|
|
| ▲ | rr808 37 minutes ago | parent | prev | next [-] |
| Wait a second - if you have gsuite it isn't a regular gmail account. Did you talk to gsuite team? If you even paid there is real support. |
|
| ▲ | valiant55 10 hours ago | parent | prev | next [-] |
| I had this issue with my alternative account. Despite my main account being associated (not by recovery, I think this predates that feature), and most messages being forwarded to my main I was never able to successfully recover the credentials. |
|
| ▲ | JumpCrisscross 11 hours ago | parent | prev | next [-] |
| > I will never use their services again, I was really disgusted by this failure Isn’t this inherent to not choosing an (EDIT: external) account-recovery method? The flip side to allowing account recovery at Google’s discretion is lessened security for everyone. (Obviously not black and white. And I agree Google should have flexibility for old accounts. But it’s an odd thing to reject a major provider over.) |
| |
| ▲ | subscribed 9 hours ago | parent | next [-] | | You can have all the right details and recovery methods but if at some point they request you to provide the code they sent to the phone you don't have for the last 10 years......... That's it. | | |
| ▲ | TacticalCoder 8 hours ago | parent [-] | | > if at some point they request you to provide the code they sent to the phone you don't have for the last 10 years AFAIK once 2FA is up, you can remove your phone number from GMail. I know it takes time to set up a recovery account (in case the account is inactive for x months), to remove a phone number, etc. but if one's GMail is important it could be worth doing both now if it hasn't already been done. |
| |
| ▲ | Sophira 11 hours ago | parent | prev | next [-] | | They did have a method to recover their account that they tried, though - they said that they used the account recovery codes, but that they were rejected. (Those would be the codes that Google gives you when you initially set up 2FA.) | | |
| ▲ | firefax 9 hours ago | parent | next [-] | | When I first got the account, my cell phone was a recovery method. Later in life I imported the cell into google voice... thus when the recovery codes failed, there was no other option. | |
| ▲ | JumpCrisscross 11 hours ago | parent | prev [-] | | Sorry, I meant an external recovery method. Another e-mail address or a phone number. | | |
| ▲ | subscribed 9 hours ago | parent [-] | | Another email address is useless. Another phone number only works if you didn't lose that phone. | | |
| ▲ | ashv 4 hours ago | parent [-] | | Why would another email address be useless? | | |
| ▲ | ncann 3 hours ago | parent | next [-] | | I had email address X (gmail) that I hadn't logged into for a long time. One day I tried to log in to it. Correct password, but Google, for some reason, simply decided there's something suspicious about my login and blocked it. X had Y as the "recovery email", and I had access to Y, and I indeed received an email from Google sent to Y that it blocked a suspicious login to X. However, THERE WAS NO WAY TO USE Y TO GAIN ACCESS TO X. Google simply did not offer that option for X, and I had no idea why. | |
| ▲ | Flimm 2 hours ago | parent | prev [-] | | Google doesn't allow you to recover a Google account using only your recovery email address. Despite its name, the recovery email address is not used to recover Google accounts AFAICT, it's only used to receive notifications about security-related events. |
|
|
|
| |
| ▲ | loloquwowndueo 11 hours ago | parent | prev [-] | | op said they had recovery codes but they didn’t work. |
|
|
| ▲ | nomilk 2 hours ago | parent | prev | next [-] |
| > seemed like some failure in their systems was causing me to lose access despite having followed proper procedures. I had the same problem with GitHub's backup codes not working: https://news.ycombinator.com/item?id=35735996 |
|
| ▲ | kalaksi 3 hours ago | parent | prev | next [-] |
| Whoa, I noticed something similar. I was updating my password or something a few years back and decided to test the backup codes too. They didn't work. I don't know what went wrong but that got me worried a bit. |
|
| ▲ | iamthejuan 3 hours ago | parent | prev | next [-] |
| This is exactly what happened to me on Dropbox, where even the backup codes did not work. |
|
| ▲ | DetectDefect 10 hours ago | parent | prev | next [-] |
| Back up your seeds! Aegis for Android lets you do encrypted exports. |
| |
| ▲ | xeonmc 9 hours ago | parent [-] | | Or just write down the TOTP seed on paper backups instead of backup codes. | | |
| ▲ | jonway 4 hours ago | parent [-] | | Works for google (should!) but man there are some platforms that don’t expose the TOTP code, or let you redisplay it! Sometimes they make you remove the old one before you can make a new one, too. | | |
| ▲ | jopsen 39 minutes ago | parent | next [-] | | Few, but screenshot the qr code and print it out. Even Facebook supports totp it's just well hidden. | |
| ▲ | cuu508 3 hours ago | parent | prev [-] | | So don't put it off until it is too late -- if you haven't already, regenerate and copy TOTP seeds to paper now. When you set up TOTP on a new account, copy the TOTP seed to paper then and there, resist the "I'll do this later". | | |
| ▲ | fc417fc802 22 minutes ago | parent [-] | | If it isn't backed up it doesn't exist. Corollary (likely unpopular I'd hazard) - hardware token implementations that I can't back up to paper don't exist as far as I'm concerned. |
|
|
|
|
|
| ▲ | ryukoposting 11 hours ago | parent | prev | next [-] |
| Yikes. This post is an unsettling reminder that gmail is a single point of failure in my personal and financial security. |
| |
| ▲ | cedws 11 hours ago | parent | next [-] | | Email services in general. My worst nightmare is my email provider (which isn't Google) going dark and losing access to everything. | | |
| ▲ | saint_yossarian 11 hours ago | parent | next [-] | | You can use a custom domain with most providers, so when they go dark you can at least migrate to another one. | | |
| ▲ | cedws 10 hours ago | parent | next [-] | | Two things about fronting with your own domain: 1. You have to own that domain forever, or at least until you're 100% confident that an email intended for you will never be sent to that domain ever again. Even then, there are security risks with giving up the domain. 2. You give up some privacy. You can use mailbox aliases but it doesn't really matter if all the mailboxes are tied to a domain registered to your name and address. | | |
| ▲ | JackeJR 3 hours ago | parent | next [-] | | For (1) you can prepay I think up to 10 years? And every year you just prepay 1 year again and you will have 10 years to remember that you forgot to pay a domain registration bill. | |
| ▲ | fragmede 10 hours ago | parent | prev | next [-] | | Whois privacy is basically standard these days, no? | | |
| ▲ | fc417fc802 11 minutes ago | parent | next [-] | | Doesn't completely solve the problem. You now have to pay per (unaffiliated) alias since each requires an independent domain. You also become extremely vulnerable to data breaches because rather than learning that foo@provider is john.doe@provider with IP xxx you instead learn that foo@domain is John Doe, phone number, street address, credit card, etc. This issue goes far beyond email alone. The ICANN domain system effectively rents a string out to you on a temporary basis and mandates that an Impressum be attached to it. It's a deeply flawed scheme when viewed from the context of both historical hacker culture as well as the fundamental values of a free and open society. | |
| ▲ | NewJazz 6 hours ago | parent | prev [-] | | Yes but all of your aliases would be under the same domain so one could surmise that the same person uses the domain. | | |
| ▲ | cromka 2 hours ago | parent [-] | | You can usually set up several domains. Some domains are very cheap to register, so you can register some inconspicuous, universal, email provider-sounding domain and add aliases at will. |
|
| |
| ▲ | dangus 9 hours ago | parent | prev [-] | | 1. A little money solves this. You can register for 10 years at a time. Any decent registrar will blow up your email near your domain’s renewal date regardless of renewal status. 2. Whois privacy solves this. Free from any decent registrar. |
| |
| ▲ | 3eb7988a1663 11 hours ago | parent | prev [-] | | That is moving the point of failure to the domain registrar. Which is probably less likely, but you are always relying on someone. | | |
| ▲ | dunk010 11 hours ago | parent | next [-] | | I think that the point here is that your domain registrar will pick up the phone if there is a problem, where Google clearly will not. | |
| ▲ | UltraSane 9 hours ago | parent | prev [-] | | I use AWS to register the domain and AWS supports up to 8 different MFA factors. I have totp and 4 different passkeys registered |
|
| |
| ▲ | firefax 11 hours ago | parent | prev | next [-] | | If you use a password manager like Keepass, you should still be able to log into your other accounts if you lost access and at least with financial institutions you can call, ask that no changes be made without coming into the branch and showing ID. | | |
| ▲ | cedws 10 hours ago | parent | next [-] | | Yes, but many companies will also drag their feet, refuse for "security reasons", or you'll just never be able to reach them in the first place because their only support is an AI concierge that tells you the same thing over and over. As an example Anthropic and OpenAI don't let you change your email address. | |
| ▲ | fph 2 hours ago | parent | prev [-] | | If you use a password manager like Keepass, you can put your TOTP into it as well. With both a password and a keyfile it's still two factors, technically. |
| |
| ▲ | tcfhgj 10 hours ago | parent | prev [-] | | Worst case you need to self host | | |
| ▲ | Hemospectrum 10 hours ago | parent [-] | | Great when it works. Too many senders will only deliver to widely used hosts, and silently fail for anything outside their tiny allowlist. Note that I'm not even talking about trying to send email FROM a self-hosted account, but trying to get someone else to send email TO such an account. |
|
| |
| ▲ | UltraSane 9 hours ago | parent | prev [-] | | Realizing this is why I bought my own domain name and pointed the MX records at Gmail. This way I can change it to different mail servers if needed, even self hosted. One useful thing you can do is configure Gmail to forward mail to unknown addresses to a known one. So I can create addresses like Facebook@ultrasane.com or Amazon@ultrasane.com, etc |
|
|
| ▲ | globular-toast an hour ago | parent | prev | next [-] |
| > I will never use their services again, I was really disgusted by this failure Was there ever really an agreement that they'd be storing your cherished memories for decades? I still treat email the same way I've done since the 90s. Your email provider is just a cache but you download and backup the messages yourself. Hopefully this has been a wake up call for you. If you care about data then you need a copy that you control and have a good backup plan. |
|
| ▲ | iwontberude 4 hours ago | parent | prev | next [-] |
| You think that sucks, my childhood angelfire is gone. |
| |
| ▲ | cuu508 3 hours ago | parent [-] | | Try contacting their support. They did help me regain access to my late 90s angelfire account, even though the original email address I had used was long dead. |
|
|
| ▲ | trollbridge 9 hours ago | parent | prev | next [-] |
| I'm paranoid and print off my TOTP key for each account I make that might matter in any way. |
|
| ▲ | UltraSane 9 hours ago | parent | prev | next [-] |
| Save a picture of the TOTP QR code and print it out. |
|
| ▲ | TacticalCoder 8 hours ago | parent | prev | next [-] |
| > I will never use their services again, I was really disgusted by this failure. Without such measure anyone with your password could "reset" your 2FA. The solution to "I may lose my 2FA" is not to make GMail a 1FA: it is to configure beforehand your GMail so that if your account is inactive for 6 months, access to your account is given to a person of your choice. It's so that a death spouse (for example) can eventually access the account. |
|