Danny's newsletter - Issue #11
Email Account Recovery
A friend once reached out about an account they were trying to recover. The first thing they said was “Can you hack a gmail account?”😂
Now, what actually happens when you go through the account reset flow?
I wanted to write about this in case it helps others that have had this experience or know of someone who has.
The long story short was that their phone broke, and they were trying to set up a new phone. The credentials to the account were forgotten and they couldn’t finish setting it up.
The questions I asked to help were:
Did they have a recovery email or phone number?
Did they try to reset the password?
What happens when you go through the account reset flow?
This led to realizing there wasn’t any recovery email or phone number, and resetting it would have to be done another way. I tested this flow myself by choosing “forgot password” and it sent me a mobile prompt to verify it was me initiating this reset flow, and not a malicious attacker. When they tried to go through the same “forgot password” flow it sent a recovery code, but it went to the broken phone, leading to the predicament.
From here, I verified there was the option of recovery without knowing the password or having a recovery email/phone number. There is the option of resetting by typing the last password you remember and verifying your identity through some security questions.
In the end, after some shenanigans they got access to their account. No password cracker needed 😂.
Even better: no password needed for a login at all. Check out one of my other posts for more on this.
Remember that security and engineering are largely about narrowing down the problem. No one has all the answers; the key is knowing what questions to ask and where to look.