12 votes

[SOLVED] Google logged my mother out of all devices and now she can't login

[SOLVED]

Thank you so much for everyone's support and suggestions, it seems that I may have overreacted a little bit. One of the things that I did was send a form to Google, but the form was not really for this issue, so I wasn't hopeful at all. To my surprise, I received a message just now with instructions to recover the account and change the 2-factor phone number to my mother's current one. The cause of the issue is not clear, but whatever it was, they sorted it out. She is obviously ecstatic, when I went to her house two days ago I couldn't disguise my pessimism.

I set her recovery email to my own and will generate recovery codes shortly, so we're good for now. I instructed her on how to download all her data from Google (it's easier than I thought), just because this made her quite paranoid, and I'll take the opportunity to gradually move my family out of Google, as well as myself. Thanks for being so supportive, this was very stressful, to say the least! Sometimes it's nice to know we're not alone ;)

Original post

So, for some reason Google logged my mother of everything at once: browsers in two laptops and two smartphones (one Android and one iPhone). Trying to recover the account sends a message to a cellphone number she no longer has. I understand Google is basically unreachable, but there must be something I can do, right? We're not famous, but she does pay for YouTube Premium.

22 comments

  1. [7]
    stu2b50
    Link
    You can try to contact google support, if she set recovery questions and still knows the answer that may do the trick. Otherwise, this is the other side of 2-factor authentication: if you don't...

    You can try to contact google support, if she set recovery questions and still knows the answer that may do the trick.

    Otherwise, this is the other side of 2-factor authentication: if you don't actually have the 2nd factor up to date and with you, then, well, there's nothing to differentiate you from an attacker.

    9 votes
    1. [6]
      lou
      (edited )
      Link Parent
      Yeah.... Thing is, I don't think Google really asks if you wish to use 2 factor authentication. I always say no, but I still need my smartphone to log anywhere. That's pretty brutal, specially to...

      Yeah.... Thing is, I don't think Google really asks if you wish to use 2 factor authentication. I always say no, but I still need my smartphone to log anywhere. That's pretty brutal, specially to the non technically inclined. Smartphone are stolen all the time. And every resource to recover the account requires me to be logged in the account!

      Edit: they really should have a disclaimer saying if you lose your phone, you're fucked!, and force you to create recovery codes...

      3 votes
      1. skybrian
        Link Parent
        I don't know what to do to help your mother, but I recommend printing out a page of recovery codes and putting it with your important papers.

        I don't know what to do to help your mother, but I recommend printing out a page of recovery codes and putting it with your important papers.

        8 votes
      2. [4]
        rish
        Link Parent
        Is it possible to get a replacement sim with same number? Here if a phone is stolen we file a police report and get a replacement sim from carrier

        Is it possible to get a replacement sim with same number? Here if a phone is stolen we file a police report and get a replacement sim from carrier

        4 votes
        1. lou
          (edited )
          Link Parent
          Thanks! She don't even know which carrier she was using at the time. We tried one, but it wasn't it. We're going to try calling others. You know, when these services push 2-factor, they really...

          Thanks!

          She don't even know which carrier she was using at the time. We tried one, but it wasn't it. We're going to try calling others.

          You know, when these services push 2-factor, they really should have a disclaimer saying "if you lose your phone, you're fucked". They just sell the security aspect, but the "losing 15 years of emails, files and contacts" aspect is just as scary as being hacked...

          5 votes
        2. [2]
          mxuribe
          Link Parent
          Wow, that almost seems like an alternative attack vector to sim-jacking...but leveraging the police for generating justification document. I can absolutely see the benefit for a law-abiding...

          Here if a phone is stolen we file a police report and get a replacement sim from carrier

          Wow, that almost seems like an alternative attack vector to sim-jacking...but leveraging the police for generating justification document. I can absolutely see the benefit for a law-abiding citizen to be able to leverage this process...but can also imagine nefarious people to abuse this too. Overall, it sucks that providers like google and telcos create such infrastructure that we as users or customers have to do lots of the heavy lifting to protect ourselves and/or coordinate resolutions ourselves. This all sucks, and this scenario is merely the latest sucky situation. (Sorry, clearly i'm grumpy.)

          1. stu2b50
            Link Parent
            You can usually do it without the police, it's called sim swap attacks, and it's one reason why phone 2factor is not that strong. However, it is good to mention that sim-swapping is not a scalable...

            You can usually do it without the police, it's called sim swap attacks, and it's one reason why phone 2factor is not that strong.

            However, it is good to mention that sim-swapping is not a scalable attack pattern, in the end, and so it's not as if sms 2factor is useless - it's still quite significant increases in protection for 99% of people, and 99% of cases. You usually get hacked as just one of a dragnet (in the fishing sense), not as a targeted affair. Here's it's a numbers game for hackers - and going through the social engineering, the time, and the effort of sim-swapping is not realistic in these cases.

            3 votes
  2. [2]
    lou
    Link
    [SOLVED] Read my edit to the original post up above. Thanks, everyone ;)

    [SOLVED]

    Read my edit to the original post up above. Thanks, everyone ;)

    6 votes
    1. skybrian
      Link Parent
      Yay, that's great! Besides downloading your data, configuring multiple ways to log in to important accounts is a good idea. For example, for Github, I have a Yubikey that I often use, but I also...

      Yay, that's great!

      Besides downloading your data, configuring multiple ways to log in to important accounts is a good idea. For example, for Github, I have a Yubikey that I often use, but I also have an authenticator app. And backup codes printed out. (I try to avoid text messages, though, since there are scary stories about hackers getting in through social engineering.)

      These all have different weaknesses. The Yubkey could break, and it's USB2 so sometimes I need an adapter. On the other hand, it's on my keychain. The authenticator app will be lost if my phone breaks, but is sometimes more convenient due to not needing a physical connection. The backup codes are on paper so they can't break, but I keep them at home with important papers, so they aren't with me when travelling.

      Still, one of them should work for the usual reasons of getting locked out. None will help if you're locked out for policy violation (which could be a false positive), so backups are still important.

      5 votes
  3. [5]
    acdw
    Link
    I have no solutions, but I do have commiseration: I keep getting randomly logged out of my work Google account while I'm in the middle of using it, and I have no idea why. It makes 0 sense. I...

    I have no solutions, but I do have commiseration: I keep getting randomly logged out of my work Google account while I'm in the middle of using it, and I have no idea why. It makes 0 sense. I wonder if they're messing with their auth flow for some godforsaken reason.

    5 votes
    1. [4]
      Liru
      Link Parent
      I have that happen sometimes, and in my case, it's basically a super-short corporate-enforced session timeout. It could be different for you, but that's it in my case.

      I have that happen sometimes, and in my case, it's basically a super-short corporate-enforced session timeout. It could be different for you, but that's it in my case.

      4 votes
      1. [3]
        acdw
        Link Parent
        I'm sure whatever's going on with me is somewhere in the vicinity of what you're talking about. I spose I could ask the IT guys ....

        I'm sure whatever's going on with me is somewhere in the vicinity of what you're talking about. I spose I could ask the IT guys ....

        1 vote
        1. [2]
          cfabbro
          (edited )
          Link Parent
          I suspect it is some sort of enforced timeout too... but it could also be similar to the issue several people have had with Tildes, where their browser kept logging them out due to a...

          I suspect it is some sort of enforced timeout too... but it could also be similar to the issue several people have had with Tildes, where their browser kept logging them out due to a malformed/corrupted cookie. Have you tried deleting your google related cookies on your work computer's browser, and then re-logging in to get fresh ones?

          1. acdw
            Link Parent
            oh yeah I tried all the cookies deleted and everything. no idea, hadn't happened in a while tho

            oh yeah I tried all the cookies deleted and everything. no idea, hadn't happened in a while tho

            1 vote
  4. [2]
    skybrian
    Link
    Getting logged out of all your devices at once is not normal, I don't think. (This has never happened to me.) One scenario is if some hacker got in and changed the password or otherwise triggered...

    Getting logged out of all your devices at once is not normal, I don't think. (This has never happened to me.) One scenario is if some hacker got in and changed the password or otherwise triggered it. Hopefully not.

    4 votes
    1. lou
      Link Parent
      Maybe. The password has not changed though.

      Maybe. The password has not changed though.

  5. TemulentTeatotaler
    (edited )
    Link
    How long ago was it that your mother had the number? Have you tried getting in touch with that number, on the chance that it's already been given to someone who might be willing to help out? *You...

    How long ago was it that your mother had the number? Have you tried getting in touch with that number, on the chance that it's already been given to someone who might be willing to help out?

    *You may also want to try a carrier lookup service like this before trying to call them. Not sure how well this would work with MVNOs or in your country.

    Sorry to hear it, I hope you guys are able to recover everything!

    3 votes
  6. [4]
    tomf
    Link
    Have you tried an alternate recovery method (e.g. a backup email)? If she doesn't have that, have you called the number? I'm still trying to convince my parents of this, but it'd be best to her...

    Have you tried an alternate recovery method (e.g. a backup email)? If she doesn't have that, have you called the number?

    I'm still trying to convince my parents of this, but it'd be best to her her onto a proper domain email that you control. If she forgets her password, no problem :) Zoho is a buck a month and well worth it. If you go down this path, pay for everything yourself so nothing can go wrong.

    3 votes
    1. [3]
      mxuribe
      Link Parent
      While i myself have not been impacted by a google lock out (yet), I have been planning to move away from G Suite (way before they announced the closure of the grandfathered free tier)...and the...

      While i myself have not been impacted by a google lock out (yet), I have been planning to move away from G Suite (way before they announced the closure of the grandfathered free tier)...and the constant threat of being randomly locked out was one of the reasons why i am moving to a paid email provider. In my case, i am moving to paid tier on Zoho. I have tested zoho for almost a year (sorry, i was only planning a month or so, but hey life distracts)...and so far, zoho has been great! I highly recommend their paid teir...and its only about $12 USD per year...so quite low pricing compared to other paid providers (though i'm sure there are other paid providers that are good too).

      Also, @lou if you or your mother in fact eventually decide to go to a paid provider - including zoho - do as others have recommended and establish a tight set of recovery and security mechanisms, such as using 2fa/multi-factor auth., separate recovery email, etc. Good luck!

      3 votes
      1. lou
        Link Parent
        Zoho seems to target businesses? I'm not an IT person. What product from them would you recommend? Maybe the free tier is enough for us, but it would be nice to have a company that sees us as...

        Zoho seems to target businesses? I'm not an IT person. What product from them would you recommend? Maybe the free tier is enough for us, but it would be nice to have a company that sees us as clients. Thanks.

        1 vote
      2. tomf
        Link Parent
        yeah, zoho is awesome. I've got two accounts -- one that's a catchall for signups, and then another that is my main. I'm still spam-free with the catchall, which is nice.

        yeah, zoho is awesome. I've got two accounts -- one that's a catchall for signups, and then another that is my main. I'm still spam-free with the catchall, which is nice.

  7. mxuribe
    Link
    I'm so sorry that this is happening to your mother! I do not have a solution for you...but I recall reading a similar scenario on hacker news a few weeks ago, where the person was at least able to...

    I'm so sorry that this is happening to your mother! I do not have a solution for you...but I recall reading a similar scenario on hacker news a few weeks ago, where the person was at least able to make a little progress. I'm sorry i don't have the link to the post on HN...but i did a quick search, and here's another recent one which has links to other stuff too: https://news.ycombinator.com/item?id=30770671

    Admittedly, this might take some more research, but if it helps at all: you and your mother are not alone! Good luck!

    2 votes