Google 'Looking into' Gmail Hack Locking Users Out with No Recovery

Original link: https://www.forbes.com/sites/daveywinder/2025/12/05/google-looking-into-gmail-hack-locking-users-out-with-no-recovery/

A new Gmail hack is locking users out of their accounts with seemingly no way to recover. Attackers are abusing Google's Family Link feature, changing the victim's account age to under 18 and adding it as a "child" account to a family group they control. This effectively hands control to the attacker and bypasses the standard recovery options. Victims report being unable to regain access, and some have even faced ransom demands to release the account. While Google acknowledges this as a "known post-compromise action," it remains relatively uncommon, although it may increase now that the tactic is public. Google recommends that users enable two-step verification (and ideally passkeys), regularly review connected devices and recovery information, and use the recovery contacts feature. The core preventive measure remains strong account security to avoid the initial compromise. Google has promised more specific guidance soon, but taking proactive security measures now is essential.

Hacker News discussion: Google 'Looking into' Gmail Hack Locking Users Out with No Recovery (forbes.com/sites/daveywinder), 24 points by lawlessone, 1 hour ago | 1 comment

dtdynasty, 32 minutes ago: As someone who works in this space: large organizations like Google usually separate the feature-development teams from the anti-abuse teams. The org structure leads to unintended consequences of features. It is awful when you are working hard to deliver value to people and bad actors exploit it instead.
Original article

I write a lot about Google security, and that which involves the most popular free email platform on the planet, with 2 billion active users, Gmail, in particular. Sure, much of this will focus on the latest vulnerability alerts, and threat campaigns, as well as the occasional compromised Gmail passwords warning. I will always include advice as to how to mitigate the risk of any attack, much of which comes from Google itself. When I hear from readers that they are being locked out of their Gmail account by hackers and are unable to get back in, no matter what, that’s a concern. When Google informs me that it is “looking into it” and will issue specific guidance “in the near future,” that’s even more so. Here’s what you need to know about the Gmail hack attack that prevents you from regaining access to your account, and how to best protect yourself from becoming yet another victim.


Hackers Lock Down Compromised Gmail Accounts Using Parent And Child Protections

As regular readers will likely already know, I entered the world of cybersecurity as a hacker in the 1980s. Hacking is not a crime, quite literally so back then, as there were no laws that specifically applied to the act of unauthorised network intrusion. Criminal hacking is quite another thing altogether. So, when I read about a Gmail user who had not only been compromised but found themselves locked out of their account with seemingly no chance of recovery, my hacker brain started to engage. How could this be, I wondered, given that there are so many ways to get account control back, even if an attacker has changed your password post-compromise. And then the chicken clucked, the bell rang, and the penny dropped: this was a very clever bit of hackery involving the use of a feature meant to protect accounts, not hold them hostage.

A Google user posted a plea for help to the Gmail subreddit that explained how an attacker had changed his age to 10 on his account profile and then added it to a family account under the attacker’s control. An age of 10 is younger than the account has actually existed (it is apparently 12 years old), which, you would have hoped, might set off some Google alarm bells in these days of advanced AI protections, but no. By adding the compromised account to a family account and making it a child one, the actual owner found themselves totally locked out and unable to use any of the myriad recovery options provided by Google. The icing on this particularly smelly cake was that the attacker then demanded the victim send a bunch of gift cards to get the account released. “TL;DR: Account accessed, placed as a child in a Google family, and locked out,” the victim concluded, “please help.”

As the thread developed, others confirmed that the use of a child account is becoming a common tactic among hackers, and recovering from it appears impossible. “You would think that changing people’s date of birth on their accounts should require a forced re-auth and not be doable without providing all authentication factors,” one wrote, quite sensibly.
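As an added illustration (not Google's code, and not a description of how Family Link actually works internally), here is how a service could implement the safeguard the commenter describes: a forced, fresh re-authentication with every enrolled factor before a date-of-birth or family-group change is accepted, combined with the sanity check the article implies, namely that a claimed age younger than the account itself is impossible and should be blocked and flagged. The field names, thresholds, session model and sample account data are all assumptions constructed for the example.

```python
"""
Illustrative step-up-auth gate for sensitive account-profile changes.
Added example: not Google's code and not how Family Link is implemented.

Two checks taken from the article's discussion:
  1. Changing date of birth or family-group membership is a sensitive
     action that requires a fresh, full re-authentication (every enrolled
     factor presented), not merely a logged-in session.
  2. A claimed age younger than the account itself cannot be genuine, so
     the change is blocked outright and flagged as a possible hijack.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Optional

# Fields whose change can hand control of the account to someone else (assumed).
SENSITIVE_FIELDS = {"date_of_birth", "family_group"}
# How recent a full re-authentication must be, in seconds (assumed policy value).
MAX_REAUTH_AGE_SECONDS = 300
# Age below which the account would become a "child" account (assumed).
CHILD_AGE_THRESHOLD = 18


@dataclass
class Account:
    account_id: str
    created: date
    date_of_birth: date
    enrolled_factors: FrozenSet[str]          # e.g. {"password", "totp"}
    family_group: Optional[str] = None


@dataclass
class Session:
    # Seconds since the last full re-authentication; None = not yet this session.
    seconds_since_full_reauth: Optional[int]
    # Factors actually presented during that re-authentication.
    factors_presented: FrozenSet[str] = frozenset()


@dataclass
class Decision:
    outcome: str                              # "allow" | "step_up_required" | "block"
    reason: str
    flags: List[str] = field(default_factory=list)


def age_on(born: date, on: date) -> int:
    """Whole years between `born` and `on`."""
    years = on.year - born.year
    if (on.month, on.day) < (born.month, born.day):
        years -= 1
    return years


def evaluate_profile_change(account: Account, session: Session,
                            field_name: str, new_value, today: date) -> Decision:
    """Decide whether a profile change may proceed, needs step-up, or is blocked."""
    if field_name not in SENSITIVE_FIELDS:
        return Decision("allow", "non-sensitive field")

    # Check 2: a claimed age younger than the account's own age is impossible.
    if field_name == "date_of_birth":
        claimed_age = age_on(new_value, today)
        account_age = age_on(account.created, today)
        if claimed_age < account_age:
            return Decision(
                "block",
                f"claimed age {claimed_age} is younger than account age {account_age}",
                ["impossible_dob", "possible_hijack"],
            )

    # Check 1: require a fresh re-auth in which every enrolled factor was presented.
    fresh = (session.seconds_since_full_reauth is not None
             and session.seconds_since_full_reauth <= MAX_REAUTH_AGE_SECONDS)
    complete = account.enrolled_factors <= session.factors_presented
    if not (fresh and complete):
        missing = sorted(account.enrolled_factors - session.factors_presented)
        return Decision("step_up_required",
                        "sensitive change needs fresh full re-auth",
                        [f"missing_factor:{f}" for f in missing] or ["stale_reauth"])

    # Allowed, but an adult-to-child transition is still worth alerting the owner about.
    flags: List[str] = []
    if (field_name == "date_of_birth"
            and age_on(account.date_of_birth, today) >= CHILD_AGE_THRESHOLD
            and age_on(new_value, today) < CHILD_AGE_THRESHOLD):
        flags.append("adult_to_child_transition")
    return Decision("allow", "fresh full re-auth verified", flags)


# Constructed sample data (not from the article): a 12-year-old account
# whose owner was born in 1990 and has a password plus TOTP enrolled.
SAMPLE_ACCOUNT = Account("acct-example", date(2013, 6, 1), date(1990, 1, 1),
                         frozenset({"password", "totp"}))
TODAY = date(2025, 12, 5)
WEAK_SESSION = Session(60, frozenset({"password"}))            # only one factor shown
STRONG_SESSION = Session(60, frozenset({"password", "totp"}))  # all factors, fresh

if __name__ == "__main__":
    # Attacker-style change: DOB implying age 10 on a 12-year-old account.
    print(evaluate_profile_change(SAMPLE_ACCOUNT, STRONG_SESSION,
                                  "date_of_birth", date(2015, 7, 1), TODAY))
    print(evaluate_profile_change(SAMPLE_ACCOUNT, WEAK_SESSION,
                                  "family_group", "group-attacker", TODAY))
```

The block order matters: the impossibility check runs before the re-auth check so that an attacker who has already captured every factor is still stopped by the account-age contradiction the article points out, and a genuine owner correcting a typo is only asked to re-authenticate.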


Google Is Looking Into Gmail Account Post-Compromise Threat

Perhaps the most astute comment in the subreddit thread was someone suggesting that Google had probably not anticipated such a situation. This does seem likely, although it’s a very unfortunate error if so. I reached out to Google to ask for advice for the victims of this hack attack lockout issue, and a spokesperson told me that the security team was looking into it as “a known post-compromise action some hijackers take.” Google stressed, however, that it is also a fairly uncommon one. I suspect, however, now that the tactic is becoming known in online forums, that more attackers will deploy it. “Look for more detail and specific guidance from us on this in the near future,” the Google spokesperson said, sharing the following core guidance for stopping account takeovers in the meantime:

  • Turn on two-step verification and adopt passkeys.
  • Double-check that only current/available phones or numbers are associated with accounts, and regularly review what devices are associated with them.
  • Set up recovery information, like a recovery email or phone number, or use the recently announced recovery contacts feature.

Remember, the best way to prevent an attacker from locking you out of your Gmail account in this way is to prevent them from compromising it in the first place. You know it makes sense, so get that Google passkey set up now.
