• Somebody took over my dormant Google account. What should I do?

    #345904

    This is a real-life problem. Several years ago I registered a domain, woodyswindows.com. I set up some email addresses using that domain, but didn’t d
    [See the full post at: Somebody took over my dormant Google account. What should I do?]

    2 users thanked author for this post.
    • #345912

      Yes, it’s worth pursuing.

      My guess: someone intends to use your old account to phish others – possibly to present them with “patching” opportunities or other nasty recommendations.

      If it was one of my old accounts, I’d chase it down and clean it up – and my reputation is nowhere near as valuable a commodity as yours.

      10 users thanked author for this post.
    • #345914

      If it were me I’d register woodyswindows.com (it’s available) for the few bucks and just park it on top of this domain. Protect your brand.

    • #345916

      You should at least try. https://www.google.com/accounts/recovery/

      1 user thanked author for this post.
    • #345922

      It will take a long time to get it back. I had several clients that this happened to. Google is one of the hardest to work with to recover your stolen account. Yahoo was the easiest. Provide name, IP address of last, last time logged in, a few old emails, and I was back into the client's account in a few days. Google will make you jump through several hoops. In the past, they had people to contact. Now it is all AI and no person. Google will ask for all the details provided, plus a police report and a copy of your driver's license and passport or other official documents. File a police report ASAP to protect yourself from future lawsuits if Google refuses to accept that you are the real person of that account. One of my clients is now being sued and the police report is the only item that might sway the judge to dismiss the case.

      2 users thanked author for this post.
    • #345938

      Sorry to be so dumb, but I didn’t know that a Google account could be in the name of your own domain.  I thought it meant only MyName@gmail.com.

      We have a domain name for my wife’s business that is hosted on Network Solutions.  We are only doing email so far and have an “under construction” page for the web URL.

      Is it possible to move it to Google?  And should we even do that considering the non-existent customer support?

      Anyway, please point me to links for running a domain as a Google account – for my own edification.  I’m only 15 years behind.

      Thanks.

    • #345941

      It will take a long time to get it back. I had several clients that this happened to. Google is one of the hardest to work with to recover your stolen account. Yahoo was the easiest. Provide name, IP address of last, last time logged in, a few old emails, and I was back into the client's account in a few days. Google will make you jump through several hoops. In the past, they had people to contact. Now it is all AI and no person. Google will ask for all the details provided, plus a police report and a copy of your driver's license and passport or other official documents. File a police report ASAP to protect yourself from future lawsuits if Google refuses to accept that you are the real person of that account. One of my clients is now being sued and the police report is the only item that might sway the judge to dismiss the case.

      Interesting to hear that. Theoretically at least it shouldn’t be any harder for the true owner to recover an account than it was for the phony owner (phowner?) to take it over. But in my view (since Woody has asked) not taking it back is a mistake. Someone has a reason to want to appear to correspondents as Woody, and probably it isn’t an overwhelming personal imperative to do some good in the world.

      GaryK

      1 user thanked author for this post.
      • #346271

        Interesting to hear that. Theoretically at least it shouldn’t be any harder for the true owner to recover an account than it was for the phony owner (phowner?) to take it over.

        From my experience, it is harder for the true owner to get back in than the phony owner. The phony owner most likely used a hack from the dark net to get into the dormant account, which is very easy. I know that I bought a hack to get into a Hotmail account that my client got locked out of many years back. It was like $10 and MS was being a pain to get it resolved. The client had a lot of evidence that it was his account and said that he would pay me any amount to get the account back. I know that this hack is worth thousands on the darknet today since Windows 10 allows a greater payday than before if you get into a person's account.

        2 users thanked author for this post.
    • #345972

      I’d try to get the email back. If it’s no longer used, then I’d get it back and shut it down. Like one of the other comments said, it could be used for phishing. I tend to close accounts I no longer use. Because you can’t hack an account that doesn’t exist. But that’s just me.

      2 users thanked author for this post.
      • #345985

        Could be I’m misunderstanding how all this works, but if I shut down an email address, say bill@b*******.com, doesn’t that make it available to someone else to use?

        GaryK

        2 users thanked author for this post.
        • #345997

          I suppose if it’s a custom domain. But you might be right. I didn’t think about that. But if it’s something like a regular gmail address, then Google doesn’t let you re-register it, I don’t think.

        • #346153

          You are correct, Gary.

          The only way someone could take over bill@b*******.com is if you also let the domain registration lapse for b*******.com—then someone else can register the domain & put whatever @b*******.com email addresses they like, incl bill@b*******.com

          Lugh.
          ~
          Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
          i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

          2 users thanked author for this post.
    • #345987

      PLEASE see Brian Krebs (KrebsonSecurity.com) for 01/22/19 and 02/04/19 posts on a similar issue with dormant domains at GoDaddy.com and the 2016 work by another security researcher that he references. You have done so much good for so many for so long. Your reputation is invaluable and protecting it is imperative for all of us who trust you.

      1 user thanked author for this post.
      • #345994

        Interesting. (Brian’s posts always are.)

        Jan 22 – Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com – talks about spammers using long-established domains that aren’t picked up by automated spam filters as “bad” sources.

        Feb 4 – Crooks Continue to Exploit GoDaddy Hole – talks about the same hole at GoDaddy:

        exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.

        I don’t use GoDaddy, thank heavens, and I re-registered woodyswindows.com before anybody else could snatch it. Still, man, it’s a vicious world we live in!

        5 users thanked author for this post.
    • #346024

      When you set up the gmail account tied to that domain, did you include any personal details or attached credit card for payments?  I would seriously worry about identity theft.  While most dormant email accounts are used to phish, your details could be used to apply for credit, etc.

       

       

      • #346588

        Nope.

        I’m very cautious about spreading that kind of info around.

    • #346157

      If it were me I’d register woodyswindows.com (it’s available) for the few bucks and just park it on top of this domain. Protect your brand.

      Good advice if you might use the domain for something in the future.

      However… How far are you going to take this brand protection?

      woodyswindows.net, woodyswindows.org, woodyswindows.biz, woodyswindows.50otherTLDs?

      woodyswindowsadvice.com, woodysofficeanswers.com, woodysAnythingTechieYouFancy.com, …

      Such sledgehammering to crack nuts is fine for big companies whose tech & legal depts need to show how much extra money they can spend, but for anyone else it’s a mug’s game.

      You probably already know that anyone can send email which appears to come from woody@woodyswindows.com, right? They don’t need to take over anything belonging to you. Same with woody@askwoody.com or any other address. If you’re not familiar with this, look up Email spoofing.

      That said, woodyswindows.com is a good domain name worth having, you could use it eg to market your books.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

      • #346159

        Very familiar with spoofing. I host over 300 websites and own about 100 domains myself. In this case, with it being a domain Woody had before, for $10 I think it was the fastest, best way to deal with it. Also should make it easier to get straight with google as he is listed as the domain owner. Honestly, if the person who took over his old gmail account was attempting to do something really nefarious he was a fool to not register the available domain himself.

        4 users thanked author for this post.
      • #346589

        Oh yeah. I know spoofing well. Too well. 🙂

    • #346166

      If it were me I’d register woodyswindows.com (it’s available) for the few bucks and just park it on top of this domain. Protect your brand.

      Good advice if you might use the domain for something in the future. However… How far are you going to take this brand protection? woodyswindows.net, woodyswindows.org, woodyswindows.biz, woodyswindows.50otherTLDs? woodyswindowsadvice.com, woodysofficeanswers.com, woodysAnythingTechieYouFancy.com, … Such sledgehammering to crack nuts is fine for big companies whose tech & legal depts need to show how much extra money they can spend, but for anyone else it’s a mug’s game. You probably already know that anyone can send email which appears to come from woody@woodyswindows.com, right? They don’t need to take over anything belonging to you. Same with woody@askwoody.com or any other address. If you’re not familiar with this, look up Email spoofing. That said, woodyswindows.com is a good domain name worth having, you could use it eg to market your books.

      All true. How far should we go to protect ourselves? How much should we spend in time and money? How much inconvenience should we subject our users and clients to? I always told my clients that, practically speaking, their security walls needed only to be a little higher than the desire of people to get over them. The same goes for your house. How much do you spend to keep people out? And we all know deep down that ultimately, if someone wants to get in badly enough, they are going to get in no matter what we’ve spent.  Where do we draw the line? This is what makes security consulting so interesting a career.

      In this particular case, though, Woody has a specific, aggressive move to counter: Someone actively took over a particular account that they could have used to impersonate him in a phishing scam that could have included a web site. We have to assume there is a nefarious purpose to this, and that specific move has to be blocked. Woody also has to be on his guard for more attacks, at least for a while.

      GaryK

    • #346179

      for your house. How much do you spend to keep people out?

      I don’t know offhand how much of my taxes go on the police & court services. That’s what keeps people out, not locks etc—ref any city or country where government has broken down.

      Woody has a specific, aggressive move to counter: Someone actively took over a particular account

      Agreed, and responding definitely has a feel-good factor to it. Who knows, it may also have a practical benefit—we’ll never know what the perp intended.

      I seriously doubt it was as nefarious as others here seem to think though, or perp would have grabbed the domain name first which would make him secure to pursue his interests. It was more likely a regular almost-automated harvesting of addresses where they were able to guess the password—ie to become one of many millions such.

      Woody, if you want to get the account back:

      Set up the address on your new domain—not on Gmail or any external service, but directly on your server. Then you should be in a position to communicate with Gmail from the actual address you’re trying to reclaim.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

      1 user thanked author for this post.
    • #346180

      I agree that Woody is best advised to protect this domain, and the email address associated with it, because it was formerly registered in his name.

      Not saying it should have to be this way…but…

      Re-registering the domain should allow him to regain control. I am surprised that the alleged attacker/spammer/phisher failed to register the domain! 🙂

      But if it had been a domain that Woody was never affiliated with, it might have been a case of “who cares?”. “Not my circus, not my monkeys”!

      Windows 10 Pro 22H2

      1 user thanked author for this post.
    • #346210

      And of course, if you do get your account back, make sure you enable 2FA on it to prevent this from happening again.

      1 user thanked author for this post.
      • #346590

        If I recall, when I set up the Google account, there wasn’t any 2FA available. But you’re absolutely right, nowadays.

    • #346213

      I lost my Gmail account when I switched my IP provider. I had one main account and a backup recovery account, both with Google. After I moved, I got a different IP provider since it was a different area. Just a few blocks apart. I could never get back into those accounts. I contacted Google and they said I needed to use the recovery email. I tried but could not log in since the restore was linked to the main account. It was a circle to try to get in. I gave up after 6 months of trying to get the accounts back and opened a new account. Two years later some hacker got in and started to email my contacts. One of them asked me when I got my old account back. I told them never. I contacted Google and got the same runaround as before. I had to tell all my contacts to ignore any emails from my old account and block it. It is not easy for the real owner to get back into their account. It is easy for the hackers to get in and do what they want.

      • #346273

        It is not easy for the real owner to get back into their account. It is easy for the hackers to get in and do what they want.

        That is true. Hackers have it easier than the real owner. The new security is more work for the real owner than the hackers.

    • #346228

      Recently received notices from Google that they were set to delete one of my “Google Apps for Your Domain” accounts (now G-Suite) that I had similarly parked in an attempt to preserve the then free 50-user status (as Google now charges $5/user/month). But when ‘recovering’ the account prior to the delete deadline I now found the account would only allow one user.  Not very useful, so ended up deleting it.

    • #346488

      The hacker or one of his buddies in Eastern Europe will be in touch to see what you will pay to get your identity back.

    • #346569

      I don’t understand something: Since the recovery email is now set to woody@askwoody.com according to the screenshot, which I assume Woody controls and has controlled all along, why doesn’t Woody just reset the password on the Google account and log back into the account to regain control of it?

      Furthermore, Woody now owns the woodyswindows.com domain again, so he can change the DNS entries so that all mail sent to [anything]@woodyswindows.com will now go to him.  Right?  Which should be another way to change the password.

      What am I missing?  Can someone please explain?

      Thank you!

      • #346587

        Because the folks who took the account changed the recovery email.

    • #346574

      You naturally assumed all the links you were asked to click through were legit.

      Is there a possibility the whole thing’s an elaborate scam to get you to log into things and in the process grab your real credentials?

      -Noel

      1 user thanked author for this post.
    • #346581

      Done the police report? If yes, then also contact your local FBI office.

    • #346584

      Hi Woody,

      Do you own woodyswindows.net? If not, then woodyswindows.net appears to be tied to IP address 192.254.234.208 which is WEBSITEWELCOME.COM which is in Houston, TX. See and search in the list of web sites which use this IP address in:

      http://ip-www.net/192.254.234.208

      Note that woodyswindows.net does NOT show up when searching for it using ICANN WHOIS. See:

      https://whois.icann.org/en/lookup?name=woodyswindows.net

      It appears that your woodyswindows.com is now registered through WhoisGuard, Inc. which is in Panama. Here is the ICANN lookup:

      https://whois.icann.org/en/lookup?name=woodyswindows.com

      I see that woodyswindows.com was registered through or by Namecheap.inc which also is in Panama.

      Any email for @woodyswindows.com doesn’t show up as pwned.

      Best regards,

      –GTP

      • #346585

        Hi Woody,

        I figure that you have reused a password more than once, or that you previously used a short password somewhere which was easy to crack even if a hacked web site stored hashed password information. I suggest that you check all of your old and current email addresses on the Have I Been Pwned web site.

        Personally, here is what I do…

        I never use any password manager program, as I don’t and will never trust such programs six ways from Sunday.

        I do use a file which contains my login and password information for all web sites which require login and passwords, yet within the file, I never use the words “.com”, “login”, “password”, or similar. This file is saved on my computer with a file name which gives no hint as to its contents. Additionally, this file is saved in a location which is not indexed by the Windows indexing service. The Windows indexing service, while convenient, is malware’s best friend if the malware’s goal is to obtain login and password information for web sites. The upshot is that any malware will have a really hard time trying to find this file if it and its contents are not indexed. On top of all of this, my AV program will alert me if any new or unidentified process tries to access this file, or tries to access Firefox’s encrypted password file. Yeah, I mostly only use Firefox for browsing the web.

        Additionally and every time after closing my web browsers, I always run CCleaner to eradicate everything from my web browsers in terms of sessions and history. I also do this in order to ensure that no web browser silently remains running after I have closed the web browser. Yes, there are sneaky JavaScript tricks which can be used to keep a web browser silently running in the background after the user thought that they closed the web browser.

        Best regards,

        –GTP

        1 user thanked author for this post.
        • #347402

          Of course, that file should be encrypted too otherwise it’s still an open door…

    • #346614

      Namecheap.inc which also is in Panama.

      Namecheap’s HQ is in Los Angeles, its hosting division HQ & legal dept are in Phoenix, and it’s a Delaware corporation—all USA.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

    • #346615

      Do you own woodyswindows.net?

      No, he doesn’t. It’s owned by a small window installation & repair business in Texas, Woody’s Windows.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD

    • #346616

      It appears that your woodyswindows.com is now registered through WhoisGuard, Inc.

      It can’t be. WhoisGuard is not a domain registrar.

      Lugh.
      ~
      Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
      i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD
