Gmail Account Recovery

 

Gmail Account Recovery and Security

This article will help guide one through the process of recovering a lost Google Gmail account and, if needed, securing the account so that it is less likely to be compromised again.

Table Of Contents
  1. Account Recovery Walk-Through
    • Lost Password Recovery
    • Lost Account Name
    • Accounts With 2-Step Verification Enabled
    • G Suite accounts
  2. Additional Recovery Hints and Tips
  3. Other Account Recovery Cases
  4. FAQ About Account Recovery
  5. Securing Your Account
  6. Protecting Your Account Contents
Last updated:  July 2020


Account Recovery Walk-Through

During the course of 2016 Google made significant changes to the process of account recovery. In general it was simplified to a more generic process covering several specific cases. This means that any recovery process you may have used in the past is probably different now, so don't be surprised.

Additional sources of information include the Accounts Help Center and the Accounts Help Forum, both of which support searching for topics of interest.

Let's Be Realistic

Account recovery is designed and works best for the loss of one thing, like the current password. It relies on responsible users keeping accounts secure and recovery options up-to-date so they are easily able to do a verification if required, or prove ownership of a lost account. The more things that are missing (recovery phone, recovery e-mail, past password, known device/location/IP-address) the harder it is to prove ownership. If enough items are missing, don’t work, or have been changed, it becomes impossible to prove ownership and the account is lost.
If you don't have a recovery e-mail or phone configured on the account, or if they have become out-of-date, then you may not have enough to prove ownership and probably can't recover the account.

If the account was compromised and the recovery options changed, then you may not have enough to prove ownership and probably can't recover the account. Fortunately, if it's been less than a week, Google may still use the previously configured phone number for verification.

If it's been more than a few months since you last signed into the account, then you won't have a recently used device/location/IP-address, which will greatly reduce your ability to prove ownership.
Obviously, the above does not imply that account recovery is usually impossible. The intent is to set realistic expectations about how easy account recovery may be based on what information one has available to prove ownership of an account.  Clearly, not all lost accounts are recoverable.

Lost Password Recovery

The recovery process can be started in either of two ways:
You should see an "Account support" page where you can enter your e-mail address and click next to start the process.  There is also a "Find my account" link if you don't remember your e-mail address (discussed below).

Account support

You will then be presented with a number of possible ways to regain access to your account or attempt to prove you own it.  The options available are dictated by what recovery options were previously configured on the account.  For example, if no recovery e-mail address was configured, that option will not be shown.  If options were configured but not kept up-to-date, they will be shown but may be useless for recovery.  In the case of a compromised account, the options may be shown, but if they were modified by the hacker they will be useless for recovery.

If the lost account has 2-step verification enabled (https://gmail.googleblog.com/2011/02/advanced-sign-in-security-for-your.html) the process will be a little different as discussed below.  This will also be true if the account was compromised and the hacker enabled 2-step verification to make it harder to recover the account.

The recovery options available may include any of the following questions or actions, and possibly others not listed or pictured below:
  • Enter the last password you remember
  • Get a verification code by text or phone call at <number>  (it doesn't always offer both options)
  • Confirm the phone number you provided in your security settings
  • Google will send an e-mail containing a one time verification code to <e-mail>
  • Get a prompt on your <phone> and tap Yes to sign in
  • Answer the security question you added to your account
  • When did you create this Google account?  It appears this question has been removed from account recovery (5/2020).
  • If you can, briefly tell us why you can't access your account


Screenshots: Enter the last password you remember; Get a verification code by text message or a phone call; Confirm the phone number you provided in your security settings; Google will send an e-mail containing a one-time verification code; Get a prompt on your phone and tap Yes to sign in; Answer the security question you added to your account; When did you create this Google Account; If you can, briefly, tell us why you can't access your account

The majority of the options are based on pre-configured information setup in the account prior to losing access.  So if an option (like a recovery e-mail address) was never configured that option will not be offered.  If you do have a pre-configured e-mail or phone number and select that option, you will be sent a six-digit code to enter.  Entering the correct code may take you to a page to reset the password. Answering enough of the other questions correctly might also take you directly to that page.

Create a new, strong password that you don't use for other websites

It's also possible that even with a pre-configured phone number or e-mail, and after receiving a code, the process may ask you additional questions.  This can happen when Google has noted suspicious activity on the account and needs additional proof of ownership before returning the account.

If you can't use or answer a given option, click the "Try a different question" link for the next option.  Of course if you skip too many of the questions you will not be able to prove ownership of the account.  If you aren't given the option to reset the password, the last question will typically ask for a contact address where Google can e-mail you.

Provide a contact email address

Like above, a six-digit code will be sent to that address which you will then enter.  But unlike above, receiving this code does not mean you will be allowed to reset the password.  This step is to verify that you have a valid, working e-mail account that you can access. The answers you provided on the previous pages will determine if you are given the option to reset the password, or if your request is denied.  The message attempts to be clear that the contact email was verified, but that ownership of the account has not been proven (verified).

Google couldn't verify account belongs to you

If you can't use any of the options or fail to prove ownership of the account, you then will receive a message that "Google couldn't verify this account belongs to you".  You can of course try again if you have additional or more accurate information to provide, but if you can't prove ownership of the account, it is lost.  There are no other ways to recover a lost account.

Google couldn't verify this account belongs to you

Lost Account Name

If you clicked the "Find my account" link on the first page you will be directed to a series of steps where you will provide:  a previously configured e-mail or phone, the real name on the account, and a verification code.  If you are successful, you will then receive a list of accounts that match that information and you can proceed to sign in.  You must know both the e-mail/phone and the name on the account.  If you also don't know the account password, then you will use the above process to attempt to recover it.

Screenshots: Enter any recovery email or phone number associated with your account; Enter the name on your Google account; Google will send an email containing a one time verification code; Google has sent you a verification code to the email; Choose an account


Accounts With 2-Step Verification Enabled

Two-step verification adds an extra level of protection to accounts by requiring a second action or code in addition to the password to sign into an account.  As such, recovery for an account with 2-step verification enabled is a bit more strict.  This can work against the owner if the account has been compromised and 2-step enabled by the hacker.

When 2-step verification is enabled you will see a third screen after providing your account name and password where you need to provide the 2-step verification code via the default method you have configured on the account.  If you are unable to provide the 2-step response, the page has a "Try another way to sign in" link.  It will then list all the options previously configured for the account (this list could be very short if no backup options were configured).  Clicking the last "Ask Google for help..." box leads to another screen listing all the options again along with a few more.

Screenshots: To sign in to your Google Account choose a task from the list below; It will take at least 2 days to get back into your account using Google's help

Yes, the above account does have a lot of 2-step verification options configured as I have no intention of getting locked out of my own account.

At the very bottom of the second screen is a link to "Request Google's help".  At this point you will be in the regular account recovery process although there may be additional questions available based on options you had configured on your account.  For example:


Screenshots: Confirm the phone number you provided in your security settings; If you can, briefly tell us why you can't access your account

If insufficient proof of ownership was provided the "Google couldn't verify.." message will be displayed similar to the standard recovery process above.  If sufficient information was provided for Google to investigate further the "Thanks! We're on it." message will be displayed.

Screenshots: Google couldn't verify this account belongs to you; We usually respond within 3-5 business days

When Google concludes its investigation, which can take 3-5 business days (a week real-time), you will be notified at the contact address you provided.

If your request is denied the only option is to repeat the process providing more answers to the questions, or more accurate answers than provided previously.  Simply repeating the process with the same answers will not help.  You must provide more proof of ownership or Google will not return the account.

G Suite accounts

G Suite (formerly Google Apps) accounts are those not ending in @gmail.com and can not be recovered using the standard Gmail recovery procedures. One must contact the Google Apps administrator for the domain who can reset the password allowing you to regain access.

Please contact your domain IT administrator to reset your password




Additional Recovery Hints and Tips

This section contains information and hints that can greatly improve your chances for a successful account recovery.  This section is long and doesn't have any pictures, but it's probably a good idea to read it very carefully.

The account recovery process is composed of a set of factors that Google uses to determine the legitimate owner of an account.  Some you have limited control over, and some you do not.  But understanding them is important to getting through the process successfully.

Factors you can control before the account is lost - presumably you're reading this article because you've already lost access to an account, so it's a little late for these items.  Still, keeping these in mind for the recovered account and any other accounts you have may prevent you from needing to visit this article again in the future.
Account password - write it down and keep it someplace safe.  Everyone thinks they'll remember their password, but many are wrong.  If you keep records of your password a lost account is easily fixed by just looking it up.

Recovery options - configure the options available (e-mail and phone) for all your accounts.  And most importantly, keep them up-to-date.  https://support.google.com/accounts/answer/183723

Creation date - (It appears this question is no longer being used in account recovery)  one of the current questions in account recovery is when the account was created. Simply printing or forwarding one of the original "welcome to Gmail" messages to another account for safe-keeping gives you a way to always look it up.
Factors you can control during account recovery - details about the questions asked and how to answer them.
Past password - this should be the most recent password you can accurately remember for the account.  Google does not store a readable version of passwords, so any password you provide must be 100% correct or when encrypted it won't match any entries in the account's password history.

Security question - security questions are no longer supported meaning you can not add or modify them (only delete).  But if you do happen to have one on the account you may have the chance to answer it.  Assume the answer must be accurate (not just close).

Creation date - (It appears this question is no longer being used in account recovery) the account creation date does not have to be perfect.  You can be off by days or perhaps a few weeks, but not by months or years.  Assume plus/minus one month from the actual date will be close enough.  If you don't know your creation date, you may be able to figure it out with some thought.
  • Finding the account creation verification e-mail which would have been sent to another account you owned at the time.
  • Associating the creation of the account with some life event, like graduation, moving, a change in ISP, etc.
  • If it was created as part of a new mobile device setup, check the date on the sales receipt for the device.
  • If the account was created for starting mobile device service, check the start date of your mobile contract.
  • Asking contacts if they saved a change-of-email message sent from the new Gmail account or any other e-mail you sent when the account was new.
  • Checking the creation date of any other accounts opened at the same time, like: PayPal, eBay, Facebook, Amazon, etc. 
  • If you still have access to the account (perhaps from a mobile device still signed in) check the All Mail label for the original account creation e-mail or the oldest messages you still have saved.
But don't start guessing a lot of dates hoping to get lucky. Google can tell when someone is guessing at the date so it won't help.

"If you can, briefly tell us why you can't access your account" - this is not where you submit facts to prove ownership of the account.  This is where you describe what happened when you lost the account.  If it matches the information Google has about what happened to the account it may act as one more bit of proof that it is your account.

Known access type - Google has made it clear that doing account recovery in the same way the account was normally accessed will help a lot with recovery.  Google hasn't clearly documented what all they use, but empirical evidence suggests it's some or all of the following:
  • Browser (perhaps related to saved cookies).
  • The physical computer or mobile device.  If you use an e-mail app/client, then use a browser on that same physical device to attempt recovery.
  • Physical location.  If you always accessed the account from a specific location (home, work, etc) then do recovery from that same physical location.
  • IP address.  Similar to the physical location, although clearly IP addresses can and do change regularly.
If the account was used regularly on multiple devices, try the account recovery process from each of them.

Describe your issue (or a similar field) - Occasionally you will get the option to provide more information to help prove ownership of the account. It is a free-format field of limited length where you can list items that Google can verify. But there are some definite rules about what will and won't help prove ownership based on what Google can and can't use.
  • What to include
    • If you still have access to the account, and what type of access it is (mobile, browser, etc).
    • Why you lost access to the account:
      • Compromised account
      • Lost password
      • 2-step verification lockout due to lost authenticator or phone, and no backup codes
      • "Unrecognized device" challenge
      • "Something unusual" challenge
      • Other security challenge (secret question, phone verification) that doesn’t work
    • More past passwords you remember.
    • Account creation date if that was never asked for during the recovery process.
    • Last time you successfully logged into the account.
    • Devices (computers or mobile) used with the account
    • Locations used to access the account, like country and city.
  • What not to include
    • Anything that requires account access to verify. For privacy Google employees do not have access to user account contents.
    • Anything related to linkage or usage of your e-mail on other accounts/sites you own (like Facebook, PayPal, etc).
    • Anything that might prove your personal identification, like government ID. Proving who you are does not prove you own a specific account.
Remember, only information that Google is able to verify based on account access history and server logs will help.

Factors you can NOT control - Google has a lot of information on the e-mail servers about accounts that can be used to help validate an ownership claim on an account.  Google doesn't document any of this but it's possible to guess what some of them probably are.
  • Locations where the account has been accessed in the past.
  • Devices, computers, browsers, clients, and apps used to access the account.
  • The types of account access used including:  web, IMAP, POP3, mobile, etc.
  • The history of account recovery claims made on the account, when and where they were made, what computer/device/location/browser they were made from.  This includes if someone else is also trying to recover the same account.
  • Current access types and usage of the account (if it was compromised and being used by a hacker).
  • And no doubt many more.
The point is that Google knows a lot more about the account than you may realize, and they use that information when an account recovery request is made.

Logistical issues with account recovery - there are a number of other things to keep in mind when doing account recovery
  • It’s not about the number of times you repeat the account recovery process, it’s about providing more and better answers with each attempt. If your submission is rejected, you must work hard to provide more answers, and make the answers more accurate in subsequent submissions. There is no point in repeating the process if you don't have anything new to add.
  • Wait for a response before each new submission. If you are told 1-3 hours, I'd suggest waiting until the next day.  If you are told 3-5 business days (which is a full week real time) give it an extra day or two.
  • If you are not receiving a response, check your Spam or Junk folder on the account you specified for replies. Also make sure you are checking the correct account, the one you verified with a code in the last step of the process.  If you provided multiple accounts during different attempts, check them all.
  • Duplicate submissions, or submissions without waiting for a reply can trigger a submission lock forcing you to wait a few days to try again.
  • Guessing at answers (like the creation date) is probably obvious to Google and can cause the process to stop asking that question.

There may be one other option for simple password recovery if your account wasn’t compromised and you simply forgot your password. If you have your browser set up to remember your account information you may be able to view your saved password. Both Firefox and Chrome allow saved passwords to be viewed in plain-text. If you use another browser that does not permit this, then you can use/install Firefox or Chrome, import your settings, and then check to see if the saved password is accessible. Again, this only works for people who forgot their password due to relying on the browser’s auto-fill function, but if it applies it might be easier than the above procedures.

Finally, here is a Google help article on "Tips to complete account recovery steps":  https://support.google.com/accounts/answer/7299973


Other Account Recovery Cases

We will assume you went to https://mail.google.com/ and tried to log into your account. It didn’t work and you're unsure what to do next.  The following is a list of common situations or errors and what you should do for each.

Your password does not work - use the “Forgot password?” link on the sign-in page and then follow the instructions.  You may be able to use previously configured recovery options or answer questions about the account to prove ownership.

You do not remember the account name (e-mail address) - use the “Find my account” link on the sign-in page and then follow the instructions.

You are instructed to supply a mobile number to receive a SMS code - follow the instructions provided.  This could include mention of "suspicious activity" or there being "something different" about how you are signing in.  For more information see:  http://www.google.com/support/forum/p/gmail/thread?tid=69a33682180a6d01

"Contact your domain admin for help" - this is a G Suite account (NOT @gmail.com) and you will need to contact your G Suite administrator for help with the account.  https://support.google.com/accounts/answer/181627

"Sorry, Google doesn't recognize that email" - the account does not exist.  It could be due to a spelling error in the e-mail address, or perhaps because the account was deleted.

“Temporary Error...” or "Oops..." or a similar message - see the following troubleshooter for more information:  https://support.google.com/mail/answer/140031

Any messages about being underage - this indicates the system believes you are too young to own a Gmail account (generally under 13).  See:  https://support.google.com/accounts/answer/1333913

Any message about your account being “Disabled” or “Suspended" - typically indicates some abuse, violation of the Terms of Service, or possibly a compromised account. Follow any instruction given or provided links when you try to sign in.  https://support.google.com/accounts/answer/40695

“Google doesn't provide another way to sign in to this account” - typically indicates the account has been disabled. Follow the process for a disabled account recovery  https://support.google.com/accounts/answer/40695

"This account was deleted and is no longer recoverable" - then the account is lost.  There is no way to recover it, and the account can not be re-created.

Some other error not listed above - use the following troubleshooter:  https://support.google.com/mail/troubleshooter/2943007



FAQ About Account Recovery

Q. Why can’t I tell someone private information about my account that they could look up to verify my claim?
A. Account privacy rules are very strict within Google, and allowing employees to look at the contents of an account would be a serious breach of privacy.  You may know enough about the contents of the account to prove ownership, but no one at Google can verify that information.

Q. Why isn’t there a comments section in account recovery where I could add additional information to prove my claim?
A. Like above, it would be a violation of account privacy for an employee to look in the account to verify any additional information supplied.

Q. Why can’t I simply talk to somebody about this?
A. Unfortunately, Google does not offer live support for the free Gmail product (see: http://mail.google.com/support/bin/request.py?contact_type=contact_policy). You must use the recovery methods provided.  There is also the fact that even if you could talk to someone, you would still have to answer the same questions to prove ownership of the account.

Q. Why can’t Google lock the account to protect it from any more damage or outgoing spam?
A. Google may disable an account if they notice suspicious usage or if the account is being used to send out spam. But again, privacy concerns would prevent them from simply locking an account because someone claims it’s theirs and is compromised. In addition, since there is no live support, there is no one to even make such a request to.

Q. I had a really long password of random strings that would be impossible to guess. How was my account compromised?
A. Google (like most e-mail providers) has blocks to prevent trying lots of passwords to guess the correct one (brute-force attacks). Most accounts are compromised by harvesting passwords in other ways. While a secure password is important, it’s only one in a long list of things needed to keep any online account secure.  This article has more information on this topic:  http://gmail-tips.blogspot.com/2012/01/how-not-to-get-hacked.html

Q. But I’m very careful with my password. I don’t give it to anyone except an official request from Gmail.
A. Unfortunately if you provided your password in response to any e-mail (even claiming to be from Google/Gmail) then your password was harvested by phishing. It’s very common, and can trick even the most careful people.

Q. I'm not getting any reply after submitting my account recovery information.
A. First, make sure you are using a valid, working contact e-mail address that you check regularly for any replies. Also, check the junk/spam label in case any reply was misfiltered. Then try again. You might also try a different contact e-mail address.

Q. My contacts were deleted by the hacker, how do I recover them?
A. Deleted contacts can now be restored to any point in the last thirty-days: https://support.google.com/mail/answer/1069522

Q. My e-mail history was deleted by the hacker, how do I recover it?
A. Have you looked in All Mail and Trash for the missing information? Have you used Search to try and find it? Unfortunately, messages deleted from Trash or Spam can not be recovered. If you would like to request that Google attempt to recover messages deleted by a hacker, see: https://support.google.com/mail/troubleshooter/4530113

Q. My account was deleted by the hacker, can I recover it?
A. The account recovery process can sometimes restore a recently deleted account. That is your only option in this case.  But if you are told that "This account was deleted and is no longer recoverable" then the account is lost.

Q. I don’t care about the account, can I just get the e-mail history or the contacts from it?
A. Unfortunately, you have to be able to access the account in order to transfer any information out of it. This means you need to try and recover the account first.

Q. I don’t care about the contents, I just need the e-mail address back because I have other things linked to that address.
A. Account names are never re-used, so you can’t re-create the account. So to get the name back you will have to try and recover the account.

Q. Can I find out who did this? Can anyone prosecute them?
A. About the only information you have available is the list of the last 10 IPs to access your account (see the Details link below the Inbox). But given how easy it is to fake IPs, and how inaccurate they are, it’s unlikely that more than a general location can be determined. In general, law enforcement is not interested in a simple compromised account, and Google is not a law enforcement agency. Bottom line is: one’s energy is better spent on recovery and re-securing the account.

Q. Isn’t what the person did illegal? Can I sue them or get them arrested?
A. Any legal questions should be asked of local law enforcement or an attorney. Google is neither of those and can not advise you on any actions.

Q. Can I find out what they did in my account while they had access?
A. There are no account activity logs available, so you can’t find out for sure. If there is spam in your Sent Mail, then you know they used the account for that. But there’s no way to know if or what messages they may have looked at, so take appropriate precautions.

Q. How was my account compromised?
A. There are many ways passwords can be harvested and account compromised, but the most common ones include:
  • Using the same password on multiple web-sites. A less secure site is hacked and they get the user database (e-mail and password) and then just try them all. If the person did not use a unique password, the hacker gains access to the e-mail account.
  • Phishing e-mails that ask for account information or direct you to a phishing web-site. Don’t dismiss this because the messages are a lot more convincing than you would imagine, often using text copied from actual Google e-mails or on-line forms.
  • Use of a computer that is infected with a key-logger or other malware (most common for public computers like at a school or library) which records your login information.
For more information about how accounts can be compromised see the article: http://gmail-tips.blogspot.com/2012/01/how-not-to-get-hacked.html


Securing Your Account

When You Reclaim Your Account

The process of re-securing an account actually consists of two parts:  (1) securing your Gmail account, and (2) securing the Google account that holds your Gmail account.  Both parts must be completed or changes made by someone else may be missed allowing the account to be compromised or accessed again.

1.  Google has created the Gmail Security Checklist which can be used to check your Gmail account and some other related security settings: https://support.google.com/mail/checklist/2986618?rd=1

2.  Google has also created an Account Security Checkup which performs a similar function at the account level:  https://security.google.com/settings/security/secureaccount

What follows are some of the more important parts of the above two items.  This is not a replacement for doing them both, but may be helpful to address the most critical items quickly allowing you to perform the above two checks at a later time (just don't forget).

Getting Started
Begin by scrolling to the bottom of your Gmail page and see if there are any other sessions signed into your account (“This account is open in 1 other location”). Then click the word “Details” where it says “Last account activity” (lower/right) and then “Sign out all other sessions”.


Sign out all other sessions

Now change your password to anything reasonable but without worrying too much about how secure it is because you are going to change it again. See the first section in Account Security below.  Next check all the following items and verify that they are set correctly.

Note: in the following “Settings” is accessed using the Gear icon in the upper/right of the Gmail window. If you are using the Basic html version of Gmail, then “Settings” will be one of the choices along the top.

Note:  in the following pictures "Filters" will probably be "Filters and Blocked Addresses" since Gmail now has a blocking function.

Note:  in the following pictures "Accounts and Import" may be just "Accounts" in some cases.

Settings

Also note that you may have to scroll down on each specific page to find the referenced setting.

Potential Spam
Settings that could result in spam being attached to outgoing e-mail.
  • Settings -> General -> Signature
    Make sure nothing has been added, and be sure to scroll down in case additions aren't visible.
    Settings->General->Signature

  • Settings -> General -> Vacation Responder (or Out Of Office Reply)
    Make sure it's disabled and empty.
    Settings->General->Vacation responder
E-mail Theft
Settings that could result in the theft of e-mail (perhaps without any indication that it is happening).
  • Settings -> Forwarding and POP/IMAP -> POP Download
    It is best to disable it unless there is a clear need for it.
    Settings->Forwarding->POP Download

  • Settings -> Forwarding and POP/IMAP -> IMAP Access
    It is best to disable it unless there is a clear need for it.
    Settings->POP/IMAP->Forwarding

  • Settings -> Forwarding and POP/IMAP -> Forwarding
    Forwarding should be disabled or verified that the forwarding addresses are correct.

  • Settings -> Filters
    No filters defined, or at least no filters that forward or delete e-mail.
    Settings->Filters

  • Settings -> Accounts and Import -> Send mail as
    Make sure it is using your correct e-mail address, and delete any unrecognized entries.  Also click the "edit info" link on the right and verify that each entry you have (including the default one) does not have a reply-to address set to an account you do not own.
    Settings->Accounts->Send mail as
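
The Potential Spam and E-mail Theft checks above, written as a script that audits a saved snapshot of an account's settings; this is an added example, not part of the original article or any Google tool. It assumes the snapshot uses the field names of the Gmail API settings resources gathered into one dict under keys chosen here, and the sample data and addresses are constructed.

```python
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str  # "alert": mail leaves to an address you don't own, or is deleted
                   # "review": allowed, but the owner must confirm it is intended
    setting: str   # settings location named in the checklist
    detail: str


def audit_settings(settings: dict, owned_addresses: set) -> list:
    """Return Findings for a settings snapshot (assumed layout, see SAMPLE)."""
    owned = {a.lower() for a in owned_addresses}
    out = []

    def foreign(addr):
        return bool(addr) and addr.lower() not in owned

    def add(sev, setting, detail):
        out.append(Finding(sev, setting, detail))

    identities = settings.get("sendAs", [])

    # Potential spam: signature text and the vacation responder.
    for ident in identities:
        if (ident.get("signature") or "").strip():
            add("review", "General > Signature",
                f"{ident.get('sendAsEmail')} has a signature; read all of it")
    vac = settings.get("vacation", {})
    body = (vac.get("responseBodyPlainText") or vac.get("responseBodyHtml") or "")
    if vac.get("enableAutoReply") or body.strip():
        add("review", "General > Vacation responder",
            "responder is enabled or still holds text")

    # E-mail theft: POP, IMAP, forwarding, filters.
    if settings.get("pop", {}).get("accessWindow", "disabled") != "disabled":
        add("review", "Forwarding and POP/IMAP > POP Download", "POP is enabled")
    if settings.get("imap", {}).get("enabled"):
        add("review", "Forwarding and POP/IMAP > IMAP Access", "IMAP is enabled")

    fwd = settings.get("autoForwarding", {})
    if fwd.get("enabled"):
        target = fwd.get("emailAddress")
        add("alert" if foreign(target) else "review",
            "Forwarding and POP/IMAP > Forwarding",
            f"all mail is forwarded to {target}")
    for entry in settings.get("forwardingAddresses", []):
        if foreign(entry.get("forwardingEmail")):
            add("alert", "Forwarding and POP/IMAP > Forwarding",
                f"unrecognized forwarding address {entry['forwardingEmail']}")

    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        target = action.get("forward")
        if target:
            add("alert" if foreign(target) else "review", "Filters",
                f"filter {flt.get('id')} forwards matching mail to {target}")
        if "TRASH" in action.get("addLabelIds", []):
            add("alert", "Filters", f"filter {flt.get('id')} deletes matching mail")

    # Send mail as: unknown identities and reply-to redirection.
    for ident in identities:
        addr = ident.get("sendAsEmail")
        if foreign(addr):
            add("alert", "Accounts and Import > Send mail as",
                f"unrecognized identity {addr}")
        if foreign(ident.get("replyToAddress")):
            add("alert", "Accounts and Import > Send mail as",
                f"{addr} sends replies to {ident['replyToAddress']}")
    return out


# Constructed snapshot of a recovered account; all addresses are placeholders.
SAMPLE = {
    "sendAs": [{"sendAsEmail": "owner@example.com", "isPrimary": True,
                "signature": "", "replyToAddress": "collector@example.net"}],
    "vacation": {"enableAutoReply": False, "responseBodyPlainText": ""},
    "pop": {"accessWindow": "disabled"},
    "imap": {"enabled": True},
    "autoForwarding": {"enabled": True, "emailAddress": "collector@example.net"},
    "forwardingAddresses": [{"forwardingEmail": "collector@example.net",
                             "verificationStatus": "accepted"}],
    "filters": [
        {"id": "f1", "criteria": {"subject": "invoice"},
         "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f2", "criteria": {"query": "statement"},
         "action": {"forward": "collector@example.net"}},
        {"id": "f3", "criteria": {"from": "news@example.org"},
         "action": {"addLabelIds": ["Label_1"]}},
    ],
}

if __name__ == "__main__":
    for f in audit_settings(SAMPLE, {"owner@example.com"}):
        print(f"[{f.severity}] {f.setting}: {f.detail}")
```

Every "alert" should be removed before the final password change; a "review" item only needs the owner to confirm it.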
Account Security
Settings that improve the security of the account as well as make it easier to recover a lost account.

Please note that the path used below (Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page]) to get to account settings can be accessed directly by using the direct link to account settings:  https://myaccount.google.com
  • Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page] Sign in & security -> Signing into Google -> 2-step verification 
    For additional account security, enable 2-step verification, and be sure to save a set of backup codes as instructed during setup.
    Direct link: https://accounts.google.com/b/0/SmsAuthSettings#devices
    Settings->Accounts->Other Google Account settings

Now that your account is secure, check again for other sessions logged in. If there is still another session on the account, repeat the above until you successfully get everything secured while no one else is logged in. Now that the account is fully secured and you've verified no one else is logged in, you may want to change the password one last time.

And don't forget the Gmail Security Checklist and Account Security Checkup mentioned above.

Additional Information