Critical Security Alert

Last week I got a worrying email in my Gmail account.

Either this was a genuine Google email, or it was a phishing attempt. What’s especially worrying is that it suggests someone actually has my password!

I wasn’t born yesterday, so the first thing I did was hover my mouse over the “Check Activity” button. But that seemed to lead to a Google domain. I copied the URL into Notepad and had a look:

That’s definitely a legitimate Google domain. I clicked through, and it wanted me to sign in.

But here’s the thing, it wasn’t my regular account. Instead it used a personal domain that I’ve had for a number of years (certainly pre-dating Gmail). And while it’s true that I’ve since added that domain to Gmail to allow me to use Gmail to send and receive email to that address, I still use my overall Gmail account to sign into Google services.

This was odd.

One thing was certain, and that was that I was unable to sign in. I had two attempts at a password and then Google stopped me.

The process to reclaim the account was based around getting a verification code sent to the email, which worked fine, but then being asked when I set up the account by month and year.

This I honestly didn’t at first know. I got my Gmail account quite early on, chasing an invite from a friend who worked at Google, I recall. Or maybe it was another tech-savvy colleague who got one and then was able to invite me. Either way, that would have been my Gmail account, not my personal domain.

I tried again to recover the account, and I think I even now know the password. But I was unable to recover the account.

So I started Googling.

The best guess was this thread with some responses by someone with the same problem, receiving the same alerts.

He thinks it’s an old Google Answers account. That was a service that let you either post questions or provide paid-for answers. It began in 2002, crucially before Gmail was created (2004). Therefore in creating an account you would have had to use a non-Google email address. I’d have certainly used my own one.

I have an email from a precise date confirming that I’d set up a Google account then. However, since Google’s automated account recovery service dropdown only goes back to 2004 – i.e. after the date I created the account – I can’t recover it via that method.

Now on the one hand, I don’t really need this account. I happily use my main Google Account to which I’ve applied plenty of security, but those security alerts worry me that someone, somewhere is attempting to break into this account. I can’t lock it down, delete it altogether, or do anything about it.

They’ve now had at least two attempts to get into it, and they seem to have a password. I suspect the email/password combination comes from another leak sometime. I used to commonly use the same combination a bit too much.

Outside of the automated account recovery process, I am aware of no phone or email resource that allows Google account recovery. So I’m kind of resigned to getting these Google security alerts on a regular basis, and being powerless to do anything about them.

[UPDATE – July 2018] I’ve continued to receive these emails over the months, but I can’t recover the account to delete it entirely or do anything else with it. Very frustrating.