Update, Oct. 08, 2024: This article, originally published on Oct. 07, now includes updated advice on how attackers bypass 2FA protections and steps to mitigate these threats before your Gmail account is compromised.
If you browse through any Gmail support forum, whether on social media like the Gmail subreddit or Google’s official Gmail community help, one question repeatedly comes up: “My Gmail account has been hacked. How can I recover it?”
While there are always some questionable posts seeking ways to hack into others’ accounts, most requests appear to be genuine pleas for assistance. For example, a post on the Gmail subreddit on Oct. 06 shares a common scenario: “A friend’s Google account was stolen. The hacker changed the recovery phone number and email.” The poster notes that the friend had enabled two-factor authentication and asks if it’s possible to recover the account now, or if it’s a lost cause.
The good news is that it’s still possible to recover a Google account, even if the hacker has bypassed or altered most, if not all, of the security and recovery measures in place. As one user responded to a suggested solution, “The person who stole the account changed the recovery email and phone number to their own and disabled all other recovery options.” Despite this, recovery is still feasible.
How to Recover a Stolen Gmail Account After a Hacker Changes Everything
Despite the frustrations expressed by many regarding the recovery process, Google offers substantial assistance for recovering your account, even if it has been stolen and recovery details have been altered. In fact, there is an entire section of Google support dedicated to securing a “hacked or compromised” account. I believe that those who claim these steps are ineffective may not have followed Google’s instructions carefully or waited the necessary time for the process to complete.
Google recommends using a device you have previously used to sign in to your Google account, for example to check Gmail or another Google service. The same advice applies to familiar locations from which you have accessed your account before. If your smartphone has been stolen, Google suggests using the same browser, such as Chrome or Safari, on a laptop or tablet, and signing in from your home or workplace. Doing so helps Google verify your identity and can expedite the recovery process.
You should also answer the password questions as accurately as possible, even if the hacker has changed your current password to lock you out of your account. Google advises, “If you’re asked for the last password you remember, enter the most recent one you recall.” The more recent the password, the better, so use the one that was in place before the hacker changed it. If you can’t confidently remember any previous passwords, Google says to take your best guess.
You may encounter a message indicating that your account is on a security hold. This often results in a delay between submitting the recovery request and the processing of that request. While some users find this frustrating, it’s a proactive measure, so patience is essential. “Account recovery requests can be delayed for a few hours or several days,” Google explains, “depending on various risk factors.”
Google has also informed me that for users whose accounts have already been hacked and whose second-factor and recovery options have changed, it may be possible to use the original information in certain situations. “Our automated account recovery process allows users to use their original recovery factors for up to 7 days after they change,” the spokesperson noted, “provided those factors were set up before the incident.”
Finally, if all else fails and the account holder has an active YouTube account, many users have found that reaching out to YouTube support, including through social media, often results in direct assistance for recovering their account when it seems all hope is lost.
How Hackers Bypass Gmail 2FA Protections
One issue frequently mentioned by Gmail users seeking help in online forums is that the two-factor authentication (2FA) protections they had in place were altered by the hacker who compromised their Google account. This raises several questions, but perhaps the most significant is how the 2FA process was bypassed in the first place.
I recently reported that developers of well-known info-stealer malware, including Lumar, Lumma, Meduza, Rhadamanthys, StealC, Vidar, and Whitesnake, have been releasing updates claiming to have circumvented Google’s cookie-stealing protections. Some of these malware variants can reportedly bypass account 2FA in under 10 minutes, despite Google enhancing protections in Chrome 127 to include application-bound encryption. This feature encrypts data linked to app identity, similar to the macOS Keychain, to combat such attacks.
The theft of cookies from your browser, specifically session cookies, allows hackers to effectively bypass your 2FA protections. By obtaining a cookie that validates a user session after the 2FA step has been completed, the attacker gains complete control over that session—giving them the ability to change your Gmail recovery options, 2FA settings, and more. So, what can you do to mitigate this type of attack?
How Google Mitigates the Session-Cookie Infostealer Threat
A Google spokesperson stated, “This type of attack is well-known, and we have built-in defenses such as high-frequency cookie rotation, device-bound session credentials, and risk-based re-authentication to keep users safe. Furthermore, the best defense against attacks like these is to use an operating system like ChromeOS, which is secure by default and has no known vulnerabilities to this type of malware.”
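To show why the two defences named above blunt a session-cookie theft, here is an added, simplified model written for this article (it is not Google's implementation): a `SessionStore` that binds each cookie to a per-device secret and rotates the cookie value. The shared-secret HMAC stands in for the device-held keypair that real device-bound session credentials use, and every value in the demo is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed, simplified model of the defences named above: the cookie is bound to a
# per-device secret that never leaves the device (real DBSC uses a TPM-held keypair),
# and the cookie value rotates, so an exfiltrated cookie file is worthless on its own.
class SessionStore:
    def __init__(self, rotate_after=300):
        self.sessions = {}            # cookie -> (device_secret, issued_at)
        self.rotate_after = rotate_after

    def issue_after_2fa(self, device_secret, now):
        """Called once password + 2FA succeed; binds a fresh cookie to the device."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (device_secret, now)
        return cookie

    @staticmethod
    def proof(device_secret, cookie, nonce):
        """Client side: MAC the cookie and server nonce with the device secret."""
        msg = f"{cookie}:{nonce}".encode()
        return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()

    def validate(self, cookie, nonce, proof, now):
        """Returns (accepted, cookie_to_use_next); bad proof or retired cookie -> reject."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return False, None
        device_secret, issued_at = entry
        if not hmac.compare_digest(self.proof(device_secret, cookie, nonce), proof):
            return False, None
        if now - issued_at >= self.rotate_after:
            del self.sessions[cookie]          # old value dead for any later replay
            return True, self.issue_after_2fa(device_secret, now)
        return True, cookie

def demo():
    store = SessionStore(rotate_after=300)
    victim_key = secrets.token_bytes(32)   # constructed; lives only on the victim's device
    cookie = store.issue_after_2fa(victim_key, now=1000)
    nonce = secrets.token_hex(16)          # a real server issues a fresh nonce per request
    legit_ok, _ = store.validate(cookie, nonce, store.proof(victim_key, cookie, nonce), now=1010)
    # Infostealer copied the cookie from the browser profile but holds no device secret.
    stolen_ok, _ = store.validate(cookie, nonce, "0" * 64, now=1020)
    # Past the rotation window the original cookie value is retired and replaced.
    rot_ok, new_cookie = store.validate(cookie, nonce, store.proof(victim_key, cookie, nonce), now=1400)
    replay_ok, _ = store.validate(cookie, nonce, store.proof(victim_key, cookie, nonce), now=1401)
    return legit_ok, stolen_ok, rot_ok, new_cookie != cookie, replay_ok
```

Rotation alone only helps if the cookie expires before the thief uses it; the binding step is what makes the copied cookie fail immediately, and a valid proof with a retired cookie fails too.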
It’s also advisable to consider using passkeys, which Google is actively promoting for adoption across online services. According to Google, passkeys are “resistant to phishing and other online attacks,” making them more secure than SMS, app-based one-time passwords, and other forms of multi-factor authentication.