Tell HN: Attackers using Google parental controls to prevent account recovery

Someone I know just had their Google account compromised, but the normal recovery methods don't work for an interesting reason: the attacker has made the account into a "child" account subordinate to an attacker-controlled "parent" account. This apparently blocks the ability to use any of the Google account recovery methods (backup phone number or email address etc) without parental consent.

Apparently this person I know isn't alone; if you search, you can find other people reporting they've been victims of this. And of course, Google support is nonexistent for ordinary users, so there's no real recourse. Let this be a warning about the consequences of ill-thought-out "child safety features"?

18 points | by TazeTSchnitzel 1 day ago

2 comments

  • muzani 21 hours ago
    I wonder if there's some hack here where you set yourself up as a parent account for a non-existent child so your account can't be childed.
  • ifh-hn 1 day ago
    Let this be a warning of using a Google account for anything important full stop. Same for Microsoft, Apple, or any of the big tech companies.
    • Jeremy1026 21 hours ago
      So, what is your proposed alternative? Roll your own everything? Put your trust in a dozen small companies with no reputation?
      • ifh-hn 13 hours ago
        Yeah, actually that's what I do. I pay for important services and choose companies that actually respond to you. Email, calendar, etc. I pay Fastmail, for example. But really you can't avoid having to trust someone/thing.

        As much as possible though I don't use services at all for important things. My photos for example are not in the cloud. And I have backups where that is not possible. Do I have a Google account? Yes I have many. What would happen if Google locked me out of one? Nothing I'd move on because I don't care.

        You can't eliminate the risk but you can do things to limit it, and that starts with recognising Google/Apple/Microsoft don't give a shit about you or your data. And you are not worth their time if their systems flag your stuff for deletion.