Seven days to recover your account

1,844 Views | 14 Replies | Last: 8 mo ago by permabull
eric76
It is being reported that Google has provisions to allow you seven days to recover your gmail account if it has been hacked.

For those with gmail accounts, it might be worth your time to read this: https://www.forbes.com/sites/daveywinder/2025/04/23/gmail-hack-attack---google-says-you-have-7-days-to-act/

Some excerpts:
Quote:

A Google spokesperson has also told me that anyone who finds themselves locked out of their Gmail account following a successful attack, where the hacker has changed their account password and recovery methods, still has seven days in which they can undo the damage and regain access to that hacked account.

...

Gmail spokesperson Ross Richendrfer told me that in those situations where an attacker has compromised a Google account and changed the password, or even added a passkey, to prevent the legitimate owner from being able to access it, acting quickly is the key to successful recovery. Obviously, using "phishing-resistant authentication technologies, such as security keys or passkeys," in the first place, as Richendrfer advised, is highly recommended to prevent finding yourself in this situation in the first place. But if you do, then all hope is not lost.

...

even if the attacker has changed your recovery telephone number, Richendrfer advised that you have 7 days in which that number can still be used to regain control of, and access to, your Gmail account. The same applies to your recovery email. "When you change your recovery email," Richendrfer said, "you may be able to choose to get sign-in codes sent to your previous recovery email for one week."

Read the whole thing.

I have a gmail account even though I hardly ever use it. I do have a recovery e-mail on there but I don't currently have 2FA. I'm tempted to add it. I do have 2FA for other things, though, using FreeOTP.
Tailgate88
You should enable MFA on everything possible. It is not 100% but cuts your chances of being compromised by something like 90%. I use Authy myself, except I do use Microsoft Authenticator for MS accounts. I manage multiple O365 and Azure/Entra/Whatever tenants for various customers and it does work well for that.
eric76
Tailgate88 said:

You should enable MFA on everything possible. It is not 100% but cuts your chances of being compromised by something like 90%. I use Authy myself, except I do use Microsoft Authenticator for MS accounts. I manage multiple O365 and Azure/Entra/Whatever tenants for various customers and it does work well for that.
What I don't like about MFA or 2FA is that it often requires the use of a cell phone. It's not unusual for me not to have my cell phone with me.
Mega Lops
eric76 said:

What I don't like about MFA or 2FA is that it often requires the use of a cell phone. It's not unusual for me not to have my cell phone with me.
Congratulations on being an edge case.

Extra Extra Read All About It!

Old man starts thread, bashes first helpful response!
eric76
Mega Lops said:

eric76 said:

What I don't like about MFA or 2FA is that it often requires the use of a cell phone. It's not unusual for me not to have my cell phone with me.
Congratulations on being an edge case.

Extra Extra Read All About It!

Old man starts thread, bashes first helpful response!
When you start using a different password for every site and passwords that are generally in the 20 to 30 character range, let us know. From my point of view, 12 character passwords are low hanging fruit. My passwords tend to have an estimated time to crack in the billions of years or even greater.

As it turns out, I do have 2FA enabled on my gmail account, but by sending an e-mail to my ProtonMail account, not to my cell phone.

And, for what it's worth, there are potentially serious issues with using your cell phone for that. If your cell phone is hacked, then they have much easier access to your gmail account.

As well as anything else tied to it including bank accounts, credit cards, ... .
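The "estimated time to crack" figures in the post above come from a simple search-space calculation: alphabet size to the power of the length, divided by the attacker's guess rate. The following Python is an added example, not code from the thread or from any password manager; the guess rates (10^10/s for offline cracking of a leaked fast hash, 100/s for a rate-limited online login) are round-number assumptions for illustration, and the entropy figure is an upper bound that only holds for randomly generated passwords, not human-chosen ones.

```python
import math
import secrets
import string

# Character classes, used both to generate random passwords and to estimate
# the search space an attacker must cover for a given password.
CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digit": string.digits,             # 10
    "symbol": string.punctuation,       # 32
}

# Assumed attacker guess rates (assumptions for illustration, not measurements):
# a GPU rig against a leaked fast hash, and a throttled online login endpoint.
GUESS_RATES = {
    "offline_fast_hash": 1e10,
    "online_throttled": 1e2,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int,
                      classes=("lower", "upper", "digit", "symbol")) -> str:
    """Uniformly random password drawn from the union of the named classes."""
    alphabet = "".join(CLASSES[c] for c in classes)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character used.
    This is what a brute-force attacker who knows the policy has to search."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))


def entropy_bits(password: str) -> float:
    """Bits of entropy if each character was chosen uniformly from the covering
    alphabet. Upper bound: a human-chosen password with the same characters is
    usually far weaker, because dictionary and rule-based attacks do not search
    the full space."""
    return len(password) * math.log2(alphabet_size(password))


def expected_crack_years(password: str, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space must be searched."""
    space = 2 ** entropy_bits(password)
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def report(lengths=(8, 12, 20, 30)) -> None:
    """Print the estimate for random full-alphabet passwords of several lengths."""
    for n in lengths:
        pw = generate_password(n)
        bits = entropy_bits(pw)
        for name, rate in GUESS_RATES.items():
            print(f"{n:>2} chars, {bits:5.1f} bits, {name:<17}: "
                  f"{expected_crack_years(pw, rate):.3g} years")


if __name__ == "__main__":
    report()
```

Running it shows why length dominates: every extra full-alphabet character multiplies the work by 94, so going from 12 to 30 characters adds about 118 bits. It also shows the flip side that the thread's later posts get at: at 100 guesses per second against a throttled login, even a short random password is not what gets you; credential reuse across a leaked site is.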
cryption
You know who never has your phone? The dude who bought your password from a leak site
eric76
cryption said:

You know who never has your phone? The dude who bought your password from a leak site
Consumer phones are so easy it doesn't seem likely anyone would want to bother cracking passwords to steal a phone.
akaggie05
The issue isn't a hacker getting physical possession of your phone, it's a sim cloning or port-out attack. One minute you're getting the 2FA codes delivered to your phone, the next minute the codes are going to a totally different phone in Bangladesh.
Proposition Joe
As another poster said, with a strong password and 2FA (even if it's phone) and alerts set up properly, you are going to avoid getting hit in any of the major leaks, which is where 99% of the unauthorized access comes from.

If it happens outside of that, you are being targeted -- which likely means you showed some other major vulnerability. No one is wasting time on you unless they know you are a big fish.

If a thief wants in your house, they are going to get in your house. The trick is not making your house a target.

It's a rare story of someone's major balance getting snatched that involved an intricate use of sim cloning. It's either a common password with no 2FA, or some degree of social engineering.

And if LastPass taught us anything, there's vulnerabilities even in what you think should be secure.
kb2001
I used Authy for years, until they dropped browser plugin support and the linux client went away. Ente is what I use now, it's available cross platform and for your phone, and syncs between them.

SMS is the worst MFA in my opinion. I would rather have it go to an email account that's protected with an authenticator for MFA.
eric76
One thing that might be worthwhile is to hand your gmail account to a colleague and have them change the password, telephone number, and other account details. Then wait a day or two and begin recovering your account.

That way, if you have trouble recovering it, your colleague can help by changing the details back again for you.

Any good security plan actually should include experience recovering from a simulated attack. War games can be extremely useful.
Burdizzo
Personally, I hate having to carry a cell phone. I got a cell phone years ago for MY convenience. Now I have to carry one for EVERYONE ELSE'S convenience.

I look forward to the day I retire and don't need this damn thing anymore
IrishAg
You can do your MFA codes through some password managers like Bitwarden (I know they do it), but it does devalue some of the advantages of MFA as using a second device provides better security. With that said, some is better than none!!!
eric76
Burdizzo said:

Personally, I hate having to carry a cell phone. I got a cell phone years ago for MY convenience. Now I have to carry one for EVERYONE ELSE'S convenience.

I look forward to the day I retire and don't need this damn thing anymore
This.

I did have a cell phone "holster" that carried it on my belt. It broke a couple of months ago and so I've been carrying the cell phone in my denim vest pocket, but it keeps falling out.

At the rate that I keep dropping it, it's going to fall out and break, fall out into water, or get lost. Then I'll be out of luck trying to log onto accounts with MFA/2FA.
permabull
Tens of thousands of people work in SCIFs and/or SAPFs for government work who have access to the internet but aren't allowed to bring any wireless devices so it's really not that rare of an edge case.

That being said I believe Google lets you set up a crib sheet of challenge codes you can print off and if they give you the code on the left you can give them the code on the right to verify your account.
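Printed one-time backup codes are the usual answer for the no-phone situations raised in this thread (SCIFs, a broken or lost handset). The general pattern is: generate a short list of random codes, hand the plaintext to the user once, keep only a slow salted hash of each on the server, and burn a code the moment it is redeemed. The Python below is an added example of that pattern and is not Google's implementation or code from the thread; the alphabet, code length, scrypt parameters and the in-memory record format are illustrative choices.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/o/1/l look-alikes, since these codes get copied off paper.
CODE_ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"   # 32 symbols -> 5 bits each
CODE_LENGTH = 10                                      # ~50 bits per code


def _normalize(code: str) -> str:
    """Tolerate the dash, spaces and capitalisation a user types back in."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    """Store codes like passwords: ~50 bits is guessable offline if the store
    leaks, so use a memory-hard KDF (scrypt here; parameters are illustrative)."""
    return hashlib.scrypt(_normalize(code).encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def generate_backup_codes(count: int = 10):
    """Return (printable codes for the user, server-side records).
    Only the records are persisted; the plaintext is shown exactly once."""
    printable, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        printable.append(f"{raw[:5]}-{raw[5:]}")
        records.append({"salt": salt, "hash": _hash_code(raw, salt), "used": False})
    return printable, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Consume a code if it matches an unused record. Every record is checked
    so response time does not reveal which slot, if any, matched."""
    matched = None
    for rec in records:
        ok = hmac.compare_digest(_hash_code(submitted, rec["salt"]), rec["hash"])
        if ok and not rec["used"] and matched is None:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True
    return True


def remaining(records) -> int:
    """How many unused codes are left; prompt the user to regenerate when low."""
    return sum(1 for r in records if not r["used"])


if __name__ == "__main__":
    codes, store = generate_backup_codes(5)
    print("print and keep these:", codes)
    print("first use :", redeem_backup_code(store, codes[0]))   # True
    print("second use:", redeem_backup_code(store, codes[0]))   # False, already burned
    print("left      :", remaining(store))
```

Operationally the codes are worth treating like cash: keep the printout where a lost phone would not also be lost (a safe or a desk drawer, not the phone case), and regenerate the set after any account-recovery event, since an attacker who had control of the account for a while may have printed their own.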