Gmail Account Lockout Hack Has No Fix — Google ‘Looking Into’ It

  • 📰 ForbesTech

Google is 'looking into' a devastating Gmail attack that locks users out of their accounts with no way to recover.

Updated December 7 with more information regarding managing a Google Account with Family Link, the parental safety feature that threat actors are abusing to lock hacked Gmail users out, seemingly with no fix available from Google to recover their accounts.

I write a lot about Google security, and that which involves the most popular free email platform on the planet, with 2 billion active users, Gmail, in particular. Sure, much of this will focus on the of any attack, much of which comes from Google itself. When I hear from readers that they are being locked out of their Gmail account by hackers and are unable to get back in, no matter what, that’s a concern. When Google informs me that it is “looking into it” and will issue specific guidance “in the near future,” that’s even more so. Here’s what you need to know about the Gmail hack attack that prevents you from regaining access to your account, and how to best protect yourself from becoming yet another victim.

As regular readers will likely already know, I entered the world of cybersecurity as a hacker in the 1980s. Hacking is not a crime, quite literally so back then, as there were no laws that specifically applied to the act of unauthorised network intrusion. Criminal hacking is quite another thing altogether. So, when I read about a Gmail user who had not only been compromised but found themselves locked out of their account with seemingly no chance of recovery, my hacker brain started to engage. How could this be, I wondered, given that there are so many ways to get account control back, even if an attacker has post-compromise. And then the chicken clucked, the bell rang, and the penny dropped: this was a very clever bit of hackery involving the use of a feature meant to protect accounts, not hold them hostage.

that explained how an attacker had changed his age to 10 on his account profile and then added it to a family account under the attacker’s control. Ten years old being younger than the account had actually existed for, it is 12 years old apparently, might, you would have hoped, set off some Google alarm bells in these days of advanced AI protections, but no. By adding the compromised account to a family account and making it a child one, the actual owner found themselves totally locked out and unable to use any of the myriad recovery options provided by Google. The icing on this particularly smelly cake was that the attacker then demanded the victim send a bunch of gift cards to get the account released. “TL;DR: Account accessed, placed as a child in a Google family, and locked out,” the victim concluded, “please help.”

As the thread developed, others confirmed that the use of a child account is becoming a common tactic among hackers, and recovering from it appears impossible. “You would think that changing people’s date of birth on their accounts should require a forced re-auth and not be doable without providing all authentication factors,” one wrote, quite sensibly.

Google’s support pages confirm that Gmail users can create a Google Account for their children, at least those who are under the age of 13, and then manage that child’s account using the family link feature. This ‘supervised’ account gets access to Google search, the Google Chrome web browser and, importantly, Gmail email products. Adding a child account is simple: Open the Family Link app, select your child’s profile, add the child and follow the on-screen instructions. The parent can set up controls to aid with such supervision, and the child in question can choose to let the parent manage the account. Which is where the threat actors come in, as there are no children, only them. They choose, unsurprisingly, to let the supposed parent manage any and all child accounts, giving them full control over such things as Google Account information including, you guessed it, password changes. “If you change your child’s password,” Google said, “they get signed out from their devices.” Perhaps the most astute comment in the subreddit thread was someone suggesting that Google had probably not anticipated such a situation. This does seem likely, although it’s a very unfortunate error if so.

I reached out to Google to ask for advice for the victims of this hack attack lockout issue, and a spokesperson told me that the security team was looking into it as “a known post-compromise action some hijackers take.” Google stressed, however, that it is also a fairly uncommon one. I suspect, however, now that the tactic is becoming known in online forums, that more attackers will deploy it. Actually, it may well be ‘uncommon’ but it certainly isn’t something that has just happened. I have managed to find online pleas for help from Gmail users facing the same family link, account now a child, lockout issues dating back a year or more. One would have hoped this might have been enough time for Google to start taking this seriously and perhaps be looking into it well before now.

“Look for more detail and specific guidance from us on this in the near future,” the Google spokesperson said, sharing the following core guidance for stopping account takeovers in the meantime: Double-check that only current/available phones or numbers are associated with accounts, and regularly review what devices are associated with them.

It’s unclear at this time if the recovery contacts feature would be the answer to the issue of an attacker locking a genuine user out of their hacked Gmail account by changing their identity to that of a child and putting them under the parental supervision within the family link feature. That said, setting up the recovery feature would make a lot of sense in light of this new story and will help in many cases, even if it proves not to be the answer here. The Recovery Contacts setting enables Gmail users to choose trusted contacts, family members or close friends to provide help if ever they find themselves locked out and unable to receive a recovery code. “It’s a simple, secure way to turn to people you trust when other recovery options aren’t available,” Google said at the time of the security measure’s announcement.

Remember, though, the best way to prevent an attacker from locking you out of your Gmail account in this way is to prevent them from compromising it in the first place. You know it makes sense, so get that Google passkey set up now. Using a Google passkey really can stop most account takeover attacks stone dead. “Google research has shown that security keys provide a stronger protection against automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” a Google spokesperson told me. Passkeys are inherently more phishing-resistant because users cannot be tricked into handing over passkeys to a malicious actor, it really is that simple.
