[AusNOG] Google Recovery Contact

Pete Mundy pete at fiberphone.co.nz
Mon Oct 31 15:02:22 EST 2016


> On 31/10/2016, at 4:48 pm, Chad Kelly <chad at cpkws.com.au> wrote:
> 
> On 10/31/2016 12:00 PM, ausnog-request at lists.ausnog.net wrote:
>> Hi Guys,
>> 
>> I have a client that has had their Google account hacked and Google support is doing nothing to help them get it back. This is the second time this has happened.
>> 
>> We go through the password recovery process and get to the point where it asks for a recovery email address. The email address used has been closed and Google won't allow it to be re-opened.
> 
> Hi, this stuff is security 101.
> 
> Your client shouldn't be using another Google account as a recovery email for an already hacked Google account.
> 
> The recovery account should be on a totally separate domain and a separate network for rather obvious reasons.


But would it have made any practical difference anyway? Wouldn't any hacker worth their salt just immediately change the recovery address upon gaining control of the primary account, thereby rendering any prior recovery address useless?

Wouldn't the better way to mitigate this sort of thing have been to use 2FA?

Pete Mundy

