How I lost access to my Google Account for a month
I want to start this off by pointing out that I’m in no way a technophobe. I work in technology, and I didn’t so much say my first words as rather I typed them out on a Sinclair ZX Spectrum.
My point is that although I’m an idiot, it’s not because I’m technology-illiterate or something. My idiocy is a gift which supersedes many levels.
On one warm summer’s day, I’d exhausted my phone’s battery playing a little too much The Room 3 and I didn’t have any juice in my portable charger. Probably because I’d already used it to recharge after a The Room session.
I work in Canary Wharf, London, which has ‘smart benches’ that harness solar power to allow you to connect your phone and charge it up.
I don’t trust the things. They’re out there in the middle of the night where Joe Hacker can mess with them and reprogramme them to download all kinds of lovely malware onto any unsuspecting device which hooks up to them. I’m happiest with my wall socket at home, and its planet-destroying, carbon-inducing electricity.
But I needed juice.
So I plugged in my portable charger and watched in glee as the light flashed to indicate it was charging. After sitting there with an almost drained phone and half a newspaper to keep me occupied, I unplugged the charger and connected it to my phone.
That’s pretty much where the drama began. My phone turned black and the phone just wasn’t charging. I was mortified. A moment of instant regret, like when you permanently delete a file you really needed, or accidentally set your co-worker on fire.
In the top right corner, I could see a tiny white cross. The same screen my phone indicates when it’s hooked up to my Samsung Gear VR. My phone thought the charger cable was actually a data connection of some kind.
I delayed my evening plans and went home to charge my phone, hooking it up to my bedroom charger.
The phone wasn’t juicing up with any of my chargers. Different wires, different wall points, nothing. My phone was thirsty but didn’t like the milkshake I had to offer.
After some Googling and trying to uninstall various apps, I decided the only thing for it was to factory reset my phone and start over. No big deal, everything is backed up to my Google Account so I’ll be back up and running in an hour.
I could not have been more wrong.
A combination of things decided to pick this single moment of my life to come together and royally screw me over.
- I have two factor authentication set up on my Google account. However, having just wiped my phone, I no longer had the Google Authenticator app.
- I had recently changed my mobile phone contract and decided to get a new phone number as too many recruiters were bothering me, and I enjoy sending mass-broadcast messages on Whatsapp to advertise things like new fancy digits.
- Once upon a time, I had printed off the backup codes to my Google two factor authentication access and stored them in a safe place. Safe even from myself.
In short, if you have 2FA set up on your Google account, and then lose access to both your mobile number and all your backup codes, you fall into a gap in the matrix akin to purgatory. And Google is God.
Very quickly, all your various devices and computers which you use to access your Google Account realise that you’re a netizen refugee, and immediately build a large wall to keep you out.
When you’re unable to log into your Google Account when you have 2FA set up, you’re offered an ‘Account Recovery’ option where you fill out a form to submit information about your Gmail account to verify who you are.
Do you know the month and year you created your Gmail account? Can you name 4 of the labels you use? How about the 5 most emailed contacts? Or the date when you started using Hangouts?
Though some of the questions seem straightforward to answer, when you no longer have access to your Gmail inbox, everything suddenly becomes very fuzzy.
Who do I email the most? Would it be weird if I put my work email? How about that person I used to email all the time a decade ago but haven’t spoken to in years? And does capitalisation matter for the Labels? And what on earth was my first Android phone, never mind when did I get it.
After you submit the form, during which Google comfortingly pats you on the shoulder and tells you that it only needs to be approximate, they take all that information away and get back to you 3–5 business days later.
Unfortunately, based on the information that you provided, we were unable to verify that you own this email address.
Well. Maybe I didn’t quite remember the date of the first ever appointment I logged in my Google Calendar correctly. Or perhaps I used the rather embarrassing yahoo.com email address that my 13 year old self created as the first backup recovery email when I created my Google account.
Then something miraculous* happened.
*Not so much miraculous as it was dumb luck.
I found out my work laptop was still signed into my personal Gmail account, and so I still had access to my emails!
Though I still had no access to things like Calendar, or the Google Play Store to recover all my paid apps, or YouTube and my subscriptions to educational channels which I’m too busy to ever watch. My hell was slightly relieved that I could at least see emails from Groupon about their latest deals and automated updates from my gym telling me that they’ve not seen me in a while.
But this meant I could now answer all the questions that Google wanted to know answers to in the account recovery process. Brilliant! I’ll have my account back in no time! I could derive my most frequently emailed contacts, and work out the dates when I started using their various services because I’m a massive hoarder and I never delete anything in my inbox.
I resubmit the Google recovery form, sit back and sigh in deep relief and pour myself a whiskey.
4 days pass by, and…
Unfortunately, based on the information that you provided, we were unable to verify that you own this email address.
ARE YOU ACTUALLY KIDDING ME. WHAT FRESH HELL IS THIS?!
Taking a deep breath, I decide that there’s a remote possibility that if I reply to the email, maybe an actual human being will read it.
Just want to verify that I am the owner of this account, as per the recovery form submission I’ve sent to you twice. I have access to my email from my work laptop which thankfully hasn’t signed me out.
I lost access to my Google account because my phone required a factory reset, and I didn’t realise my phone number on my Google Account was out of date, which meant I am no longer able to sign in via 2 factor authentication.
I’ve provided all the details you’ve asked for in the account recovery form and I’ve yet again received notification that I’ve not provided enough detail. This is really hampering my ability to get anything done, and all my contacts and Google Play apps are linked to my Google account and I would like access back asap.
A few days pass and I hear nothing back.
At this point, my relationship with Google has soured to a level comparable to a break up with a girlfriend who still owns your favourite shirt. You want the shirt back, but she’s not answering your calls or messages, and there’s a good chance that if you turn up at her door demanding it back, the police will probably be called.
Now it did occur to me that the last resort here is to print a placard and hold it up indefinitely outside Google’s London offices until someone comes down to talk to me. Though this is probably something which might also get me arrested.
I realised however, before I became that crazy person on the street yelling some nonsense about flawed account recovery processes and watching everyone cross to the other side of the street to avoid me, that I hadn’t yet exhausted all options open to me.
Now a lot of people don’t really understand what Twitter is for or how it’s relevant to them. But I know exactly what Twitter is for. It’s for hassling large faceless corporations when something to do with their product isn’t quite working right.
My first Tweet to @Google was ignored. But I’m not one to give up so easily, so a day later I tried again. And then, success!
I decided to let go of the hurtful typo of my 4 letter first name. It’s not like I’ve ever mistyped and ended up at foofle.com. Which, evidently, I’m not the only one as Google appears to own that domain.
Google sent me yet another form to fill out, but this one appeared like it would be read by an actual person, who might have compassion and mercy when casting their judgement upon me. Or at least check the proof I provided that I wasn’t some evil hackerzoid trying to seize control of a Google account to enact global horrors with. For obvious reasons, I’m not disclosing the proof here.
It wasn’t quite as straightforward as I’d hoped. For whatever reason, Google couldn’t find the form I’d submitted and I had to resubmit 3 times before their Twitter team confirmed they’d finally gotten my submission.
At this point, I was 3 weeks in with no full Google account access and had started gathering quotes for placard printing.
A week passed by, and then it happened.
Appearing in my backup email inbox, the relief swept over me in waves. A slow, but sure realisation that I had affirmation of who I was. A confirmation from the world that I have an identity again and re-exist within the system. I was no longer an outcast in the online world. I could continue to be. I don’t know who you are Rod, but I owe you a pint.
I signed into my Google account on my home computer for the first time in a month, sighed a breath of relief and smiled happily for those glorious 15 seconds before my hard drive failed and I was served a blue screen of death.
Do These Things
If you have 2 Factor Authentication set up on your Google Account (and you really should), then let me be a cautionary tale to you. There are several things you can do to avoid going through the issues I had to go through.
My downfall was not keeping the backup codes safe. A printed copy now lives in the same fireproof box I keep my passport, birth certificate and my signed copy of Even Worse by “Weird Al” Yankovic.
Also keep soft copies of the backup codes in very secure places. I now keep mine in my password management tool (linked to an email address nobody knows about but me), which I have secured as much as I can and have ensured that I have a foolproof way to access even from my own idiocy should I somehow lock myself out of that.
Avoid keeping your backup codes in less secure places like online storage, unless you’re very confident that it’s safe from hacking there. And, for heaven’s sake, don’t store a soft copy of your backup codes in your Google Drive. You’re not helping yourself by doing that at all.
Get a Backup Phone
Whenever I’m flat hunting, or job searching, I always ensure I give out the mobile number of my backup phone. This means that when I secure the perfect apartment/job, I can just switch off the phone and I’m done. No hassle of weeks of phone calls and messages explaining to estate agents and recruiters that I’m no longer in the market.
The same backup phone can be used to get access to your Google Account should you no longer have access to your primary device. Doesn’t need to be anything fancy (I use an old but trusty Nokia 3310. My Snake game is on fleek) but something you can just stick in a drawer and pull out should you lock yourself out of your Google Account.
Beware Social Engineering
In my exhaustive online searching of people who’d lost their Google Account access, one thing kept cropping up — Social Engineering.
It doesn’t matter how secure you are with your online profiles, or how paranoid you get about never losing access to any key accounts. Here’s the kicker though — if someone wants to get access to your account, they probably can work out how.
Ever tweeted your phone company to complain about something? Or do you like their Facebook page? Even better, is your mobile phone number in the signature of your emails? Congrats, you’ve just let the world know which network you’re with.
From this, a hacker can build a profile from your online habits and use your social networks against you to convince your phone company that you’re having a little trouble with your phone number and have a different SIM card registered to your account.
And then, you’re pretty much in a rough place.
Lifehacker has a great guide on some of the things you can do to protect yourself from social engineering, but my key takeaway has been to delete any emails which contain sensitive bank account information, and talk to your phone company about additional protection on your account with them.
I learnt the power that Google has over my life. It stored all my contacts’ phone numbers and email addresses. The apps I used. The calendar I run my life off. The login auth for several third party services. I surrendered more about myself to Google than I should ever have been comfortable with.
Originally I didn’t care — I accepted this is the age we lived in. We are the products of Google, Facebook, Microsoft, etc., who monetize us and our data. But when we lose access to the data which we own, life becomes much more difficult in an age where everything is much more connected.
I’ve since learnt to diversify and become much less reliant on a single service. Don’t let your life become so reliant on a single Technology Goliath. When something happens and you need to migrate all your data away, it should be a quick and easy process for you to do so.
The final words of Q from the James Bond series have always resonated with me.
“Always have an escape plan.”