Update, Oct. 08, 2024: This story, originally published Oct. 07, includes new advice regarding how attackers bypass 2FA protections and how best to mitigate these dangers before a hacker can exploit your Gmail account.
Search any of the Gmail support forums online, from social media platforms such as the Gmail subreddit or the official Gmail community help from Google itself, and one question comes up time and time again: my Gmail account has been hacked, how can I recover it?
Disregarding the inevitable dodgy attempts at uncovering some magic way to hack into someone else’s account, the majority are still likely to be genuine requests for help. Take this example, published to the Gmail subreddit Oct. 06, which is analogous to many: “A friend of mine’s Google account got stolen. The hacker changed the recovery phone number and email address.” The poster explains that the friend in question had enabled two-factor authentication and asks if anything can be done to recover the account now, “or is he cooked?”
The good news is that it’s still entirely possible to recover a Google account even if, as in this case, the hacker has managed to evade or change most, if not all, of the security and recovery protections that were in place. That holds even if, as the poster replied to one suggested solution, “whoever stole the account changed the recovery email and phone number to their own and disabled all other recovery methods.”
How To Recover A Stolen Gmail Account After A Hacker Changes Everything
Google does, despite the negative opinions of many people seemingly frustrated by the process, offer lots of help in recovering your Google account, even in the case of it being stolen by someone who has then changed your recovery details. Indeed, there’s a whole section of Google support devoted to securing a “hacked or compromised” account. I suspect that most people who say these steps don’t work haven’t followed the instructions provided by Google precisely and waited the allotted time for the process to complete.
Google advises using a device you have previously used to access your Google account, check your Gmail or use another Google service. The same tip applies to location: make the recovery attempt from somewhere you have accessed your Google account before. If your smartphone has been stolen, Google recommends using the same browser, such as Chrome or Safari, on a laptop or tablet, and doing so from your home or work location. This can speed up the recovery process by helping Google verify your identity.
You should also answer the questions about passwords as precisely as possible. This applies even if the hacker has changed your current password to lock you out of your account. “If you’re asked for the last password you remember,” Google said, “enter the most recent one you recall.” The more recent, the better, so use the one the hackers changed from. “If you can’t confidently recall any previous passwords: Take your best guess,” Google said.
You may see a message telling you your account is on a security hold. A delay is often put in place between making the recovery request and processing that recovery claim. While some people get annoyed by this, it’s a proactive measure so you should be patient. “Account recovery requests can be delayed for a few hours or a number of days,” Google said, “depending on a variety of risk factors.”
Google has also advised me that when it comes to users whose accounts have already been hacked and whose second-factor and recovery factors have changed, it’s possible to use the original information in certain cases. “Our automated account recovery process allows a user to use their original recovery factors for up to 7 days after it changes,” the spokesperson said, “provided they set them up before the incident.”
And finally, if all else fails and the account holder has a YouTube account up and running, many users have found that contacting YouTube support, including by way of social media, has often resulted in direct help to recover the account when all appeared lost.
Here’s How Hackers Bypass Gmail 2FA Protections In The First Place
One of the problems highlighted by Gmail users seeking support in online forums is that the two-factor authentication protections that they have in place have been changed by the person who has hacked their Google account. This raises several questions, but perhaps the most pertinent is how that 2FA process was bypassed in the first place.
I recently reported that the developers of notorious info-stealer malware, including Lumar, Lumma, Meduza, Rhadamanthys, StealC, Vidar and Whitesnake, have all been releasing updates that claim to have bypassed Google’s cookie-stealing protections. Some stated that they could crack account 2FA in less than 10 minutes. This is despite Google having upgraded the protections in Chrome 127 to include application-bound encryption, which, similarly to the macOS Keychain, encrypts data tied to app identity and was introduced to combat just this kind of attack.
This theft of cookies from your browser, specifically session cookies, effectively lets hackers bypass your 2FA protections. Holding a cookie that validates a user session after the 2FA step has already been completed gives the attacker complete control over that session, including the ability to change your Gmail recovery options, your 2FA settings, the lot. So, what can you do to mitigate this type of attack?
How Google Mitigates The Session-Cookie Infostealer Threat
A Google spokesperson said: “This type of attack is well known and we have built-in defenses, such as high frequency cookie rotation, device-bound session credentials, and risk-based re-authentication, that keep users safe. Additionally, the first line of defense against attacks like this is to use an operating system like ChromeOS that is secure by default, without known vulnerabilities for this type of malware.”
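As an added illustration, not Google's code and not part of the original article, of why device-bound session credentials blunt cookie theft: a minimal Go server that binds each session cookie to a per-device Ed25519 key and requires a signature over a fresh challenge on every request, revoking the session (the point where risk-based re-authentication would kick in) when the proof fails. The names (Server, StartSession, Authorize) and the simplified challenge flow are assumptions; Chrome's real design keeps the key in a TPM or Keychain and uses its own message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Session is the server-side record for one device-bound session.
type Session struct {
	PubKey ed25519.PublicKey // registered after password + 2FA; the private half never leaves the device
	Nonce  []byte            // fresh challenge the next request must sign, so a captured proof cannot be replayed
}

// Server keeps sessions keyed by the opaque cookie value the browser stores.
type Server struct{ sessions map[string]*Session }

func NewServer() *Server { return &Server{sessions: map[string]*Session{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// StartSession issues the cookie and first challenge once sign-in (including 2FA) has succeeded.
func (s *Server) StartSession(pub ed25519.PublicKey) (cookie string, nonce []byte) {
	cookie, nonce = hex.EncodeToString(randomBytes(16)), randomBytes(32)
	s.sessions[cookie] = &Session{PubKey: pub, Nonce: nonce}
	return cookie, nonce
}

// Authorize accepts a request only if the presenter also proves possession of the bound key.
// Success rotates the challenge; failure revokes the session, which is where a risk-based
// re-authentication prompt would be shown to the real user. A copied cookie alone gets nowhere.
func (s *Server) Authorize(cookie string, sig []byte) (nextNonce []byte, err error) {
	sess, ok := s.sessions[cookie]
	if !ok {
		return nil, errors.New("unknown or revoked session")
	}
	if !ed25519.Verify(sess.PubKey, sess.Nonce, sig) {
		delete(s.sessions, cookie) // cookie presented without the device key looks like theft
		return nil, errors.New("proof of possession failed; re-authentication required")
	}
	sess.Nonce = randomBytes(32)
	return sess.Nonce, nil
}
```

An infostealer that exfiltrates the cookie, and even the last signature it observed, still cannot answer the next challenge, so the session it copied is useless and the legitimate user is prompted to sign in again.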
It is also wise to consider using passkeys, which Google is helping to drive the adoption of across online services, as these are “resistant to phishing and other online attacks,” Google said, “making them more secure than SMS, app-based one-time passwords and other forms of multi-factor authentication.”