How to recover a Hacked Gmail Account

From RoyalWeb
Revision as of 12:34, 12 April 2011 by Wjhonson (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The below article is copied here under the Creative Commons Attribution 3.0 License The citation to the original article is

What to do next if your account has been disabled or blocked for any reason.

Contents

How to Get Help

The propose of this article is to help guide you through the process of recovering a lost account and (if it was lost due to hacking) re-securing it so that is it less likely to be lost again.

There are other sources of information including the Gmail help center http://mail.google.com/support/?hl=en and the GMail help forums http://www.google.com/support/forum/p/gmail?hl=en both of which support searching for topics of interest.

Please note that you can not recover your account by posting to the Gmail help forum or by adding a comment to this article. You must follow the procedures outlined below. This is not a support forum, so please do not try to enlist any specific advice here.


How to Recover Your Account

We will assume you went to https://mail.google.com/ and tried to log into your account. It didn’t work and you found your way here. You need to start with the following decision tree to determine what actions you need to take to recover your account.

If your password does not work, use the "Can't access your account?" link which will direct you to do a password reset:

https://www.google.com/accounts/recovery?service=mail

If you can not do a password reset, you will be directed to the Account Recovery Form:

https://www.google.com/support/accounts/bin/request.py?ara=1

Or the same form for accounts with 2-step verification enabled:

https://www.google.com/support/accounts/bin/request.py?contact_type=two_step_recovery

If you are told the account does not exist, it may have been deleted by the hacker, so use the Account Recovery Form to try and recover it:

https://www.google.com/support/accounts/bin/request.py?ara=1

If you are instructed to supply a mobile number to receive a SMS code, you need to follow the process as described here:

http://www.google.com/support/forum/p/gmail/thread?tid=69a33682180a6d01&hl=en

If the account is disabled, under maintenance, or locked down, you will be directed to the proper form or provided a link to contact Google.

There is a help article that you can also use to walk through the process of account recovery. It handles more specific cases than the above which is a more general guide. You might find it more useful if you are not sure just what you should do for your specific case.

http://mail.google.com/support/bin/answer.py?hl=en&answer=46346

Doing a password reset is the easiest way to regain access to an account. But it can fail if you forgot your secret question, if the recover e-mail address is no longer valid, or it the account was compromised and that information changed.

The Account Recovery Form is the alternative method. It is important that you complete as much of the form as possible, and that the information be as accurate as you can make it. If the form is rejected you can try submitting it again. You can re-submit it as many times as you want, but always wait for a reply to each submission before submitting again. If you don't receive a reply, check your spam/junk folder (especially if it's a non-Gmail account).

It's very important that as you repeatedly submit the Account Recovery Form that you fill in more of the blanks with more accurate information. There is some threshold of correct information you need to prove ownership, so a rejection means you need to supply more. Submitting the same form with no additional information multiple times does not help.

While this system works for many people, there are some cases where it can be very frustrating. But don't give up. There's nothing you can do (like deleting the account) until you re-gain access to it and since Google does not offer live one on one support for the free Gmail product directly these are your options.

Also realize that the more complicated account recover process (that very few people need to use) is one of the trade-offs for not being forced to provide a lot of personal information when you create the account (that everyone has to do). Many people prefer this for privacy reasons.

Hints for successful account recovery

  • It's not about the number of times you submit the Account Recovery Form, it's about providing more and better answers with each attempt. If your submission is rejected, you must work harder to provide more answers, and make the answers more accurate in subsequent submissions.
  • Wait for a response before each new submission (be sure to check Spam). Responses could be delayed as much as 24 hours but you should wait a full 48 hours before submitting another form.
  • If you are not receiving a response, check your Spam or Junk folder on the account you specified for replies. Also double (triple) check that you correctly spelled the e-mail account name.
  • Duplicate submissions, or submissions without waiting for a reply can trigger a submission lock forcing you to wait a few days to try again.
  • Make your best guess on every field of the form. You never know what will help.


There may be one other option for simple password recovery if your account wasn't compromised and you simply forgot your password. If you have your browser setup to remember your account information you may be able to view your saved password. In Firefox, you can use: Tools->Options, Security, Saved Password, Show Passwords. If you use another browser, then (install and) open Firefox, use File->Import to import your settings and then check to see if the saved password is accessible. Again, this only works for people who forgot their password due to relying on the browser's auto-fill function, but if it applies it might be an easier than the above procedures.


FAQ About Account Recovery

Q. Why can't I tell someone private information about my account that they could look up to verify my claim? A. Account privacy rules are very strict within Google, and allowing employees to look at the contents of an account would be a serious breach of privacy.

Q. Why isn't there a comments section on the Account Recovery Form where I could add additional information to prove my claim? A. Like above, it would be a violation of account privacy for an employee to look in the account to verify any additional information supplied.

Q. Why can't I simply talk to somebody about this? A. Unfortunately, Google does not offer live support for the free Gmail product (see: http://mail.google.com/support/bin/request.py?contact_type=contact_policy). You must use the recovery methods provided.

Q. Why can't Google lock the account to protect it from any more damage or outgoing spam. A. They will lock an account that the detection system identifies as being compromised and sending out spam. But again, privacy concerns would prevent them from simply locking an account because someone claims it's theirs and is compromised. In addition, since there is no live support, there is no one to even make such a request to.

Q. I had a really long password of random strings that would be impossible to guess. How was my account compromised? A. Google (as most e-mail providers) have blocks to prevent trying lots of passwords to guess the correct one (brute-force attacks). Most accounts are compromised by harvesting passwords other ways. While a secure password is important, it's only one in a long list of things needed to keep any online account secure.

Q. But I'm very careful with my password. I don't give it to anyone except an official request from Gmail. A. Unfortunately if you provided your password in response to any e-mail (even claiming to be from Google/Gmail) then your password was harvested by phishing. It's very common, and can trick even the most careful people.

Q. My contacts were deleted by the hacker, how do I recover them? A. Deleted contacts can now be restored to any point in the last thirty-days: http://mail.google.com/support/bin/answer.py?hl=en&answer=1069522

Q. My e-mail history was deleted by the hacker, how do I recover it? A. Have you looked in All Mail and Trash for the missing information? Have you used Search to try and find it? Unfortunately, messages deleted from Trash or Spam can not be recovered. If you would like to request Google attempt to recovery messages deleted by a hacker, see: http://mail.google.com/support/bin/answer.py?hl=en&answer=8256

Q. My account was deleted by the hacker, can I recover it? A. The Account Recovery Form can sometimes restore a recently deleted account. That is your only option in this case.

Q. I don't care about the account, can I just get the e-mail history or the contacts from it. A. Unfortunately, you have to be able to access the account in order to transfer any information out of it. This means you need to try and recover the account.

Q. I don’t care about the contents, I just need the e-mail address back because I have other things linked to that address. A. Account names are never re-used, so you can’t re-create the account. So to get the name back you will have to try and recover the account.

Q. Can I find out who did this? Can anyone prosecute them? A. About the only information you have available is the list of the last 10 IPs to access your account (see the Details link below the Inbox). But given how easy it is to fake IPs, and how inaccurate they are, it's unlikely that more than a general location can be determined. In general, law enforcement is not interested in a simple compromised account, and Google is not a law enforcement agency. Bottom line is: one's energy is better spent on recovery and re-securing the account.

Q. Isn't what the person did illegal? Can I sue them or get them arrested? A. Any legal questions should be asked of local law enforcement or an attorney. Google is neither of those and can not advise you on any actions.

Q. Can I find out what they did in my account while they had access. A. There are no account activity logs available, so you can’t find out for sure. If there is spam in your Sent Mail, they you know they used the account for that. But there’s no way to know if or what messages they may have looked at, so take appropriate precautions.

Q. How was my account compromised? A. There are many ways passwords can be harvested and account compromised, but the most common ones include:

  • Using the same password on multiple web-sites. A less secure site is hacked and they get the user database (e-mail and password) and then just try them all. If the person used the same password, the hacker gains access to the e-mail account.
  • Phishing e-mails that ask for account information or direct you to a phishing web-site. Don't dismiss this because the messages are a lot more convincing that you would imagine, often using text copied from actual Google e-mails or on-line forms.
  • Use of a computer that is infected with a key-logger or other malware (most common for public computers like at a school or library) which records your login information.


When you reclaim Your Account

Begin by scrolling to the bottom of your Gmail page and see if there are any other sessions signed into your account ("This account is open in 1 other location"). Then click the word "Details" where it says "Last account activity" and then "Sign out all other sessions". Now change your password to anything reasonable but without worrying too much about how secure because you are going to change it again. Next check all the following items and verify that they are set correctly.

Note: in the following “Settings” means “Mail settings” as found under the Gear icon in the upper/right of the Gmail window. If you still have the old layout, then “Settings” will be one of the choices along the top. If you have the older “Settings” link, some of the paths below will be slightly different.

Account Security

  • Settings -> Accounts and Import -> Change Account Settings -> Change Password [pick a new secure password]
  • Settings -> Accounts and Import -> Change Account Settings -> Change password recovery options [verify secret question, SMS and recovery e-mail address]
  • Settings -> Accounts and Import -> Change Account Settings -> Other Google account settings -> Email Address -> Edit [verify your name and other settings]
  • Settings -> Accounts and Import -> Change Account Settings -> Other Google account settings -> Authorizing applications & sites [Revoke Access to any sites listed]
  • Settings -> Accounts and Import -> Change Account Settings -> Other Google account settings -> Using 2-step verification [Enable 2-step verification]


Potential Spam:

  • Settings -> General -> Signature [make sure nothing as been added]
  • Settings -> General -> Vacation Responder [make sure it's disabled and empty]


E-mail Theft

  • Settings -> Forwarding and POP/IMAP -> POP Download [disabled]
  • Settings -> Forwarding and POP/IMAP -> IMAP Access [disabled]
  • Settings -> Forwarding and POP/IMAP -> Forwarding [disabled or correct address]
  • Settings -> Filters [no filters that forward or delete e-mail]
  • Settings -> Accounts and Import -> Send Mail As [make sure it is using your correct e-mail address, delete any unrecognized entries]


Additional Information


Now that your account is secure, check again for other sessions and change the password again to something extremely secure. If there is still another session on the account, repeat the above until you successfully get everything secured while no one else is logged in.


How to Protect your Account Information in the Future

As some people learn, even when a compromised account is recovered sometimes the hacker has deleted the e-mail history and/or the contacts. Unless you have backed up that information to your local computer, it may well be lost forever.

You can use an e-mail client (like Thunderbird, Outlook or Pocomail) to download the messages to your computer, or you can use a backup utility like: http://www.gmail-backup.com/ (which I use) or http://www.mailstore.com/en/mailstore-home.aspx or the paid utility http://gmailkeeper.com/

Once the messages are saved to your computer, you can include them in your normal computer backup, or you can manually save them to an external device (like a USB drive).

Whatever backup method you choose, make sure it either gives you access to the messages (like an e-mail client) or a well-defined way to do a restore (like gmail-backup). A backup you can't view or restore isn't a backup at all. And if it's a manual process make sure you do it on a regular schedule as a badly out-of-date backup isn't of much value either.

You may also consider opening another account to test the restore function as well as to have an alternate e-mail address in case your primary account is compromised again.

You may also want to backup your contacts with Export. There is also a Labs feature to allow you to export your filters as a backup, or you can simply copy/paste them from Settings->Filters and e-mail the definition to yourself so you can re-create them if needed.


Please note, this is a help article, NOT a support forum. If you ask questions about how to recover your account in the comments section below they will NOT get answered. Yes, this applies to you too. As you can see, several people below have issues with reading comprehension. Don’t you be one of them.

Personal tools
MOOCOW
Google AdSense