I wish they'd let me recover my original -- I lost my TOTP generator, and the codes I'd written down in a paper notebook were rejected. I even hunted down the electronic copy in case there was a transcription error -- seemed like some failure in their systems was causing me to lose access despite having followed proper procedures.
Lost a decade and a half of correspondence dating back to my teenage years. I had imported my phone number I'd had since I was 16 into voice, and it doubled as my Signal number. I even had a Gsuite subscription so I could use their (admittedly decently) UI to power my firstname @ lastname dot com email address.
I will never use their services again, I was really digusted by this failure.
I still think about my lost address that I obtained when Gmail was invite only. My family still occasionally CCs it and it drives me nuts, I would pay money to at least have it shutdown so they don’t think I received an email. I had email forwarding to another address when stolen and immediately after it was stolen it had the weirdest messages, I tried multiple ways reaching out to google and it still bugs me I was unsuccessful. I’d love the their of my account to at least have it shutdown
Maybe you should send it enough mail to fill it up and the it would reject emails? Send a bunch of emails with large attachments and avoid getting marked as spam.
I got mine when it was invite only too, I had it a very long time.
I use protonmail now -- I think the "free" model enables providers to shrug and go "hey you don't pay us" (if there is support at all -- I've never been able to speak to a human about this issue)
>I think the "free" model enables providers to shrug and go "hey you don't pay us" (if there is support at all -- I've never been able to speak to a human about this issue)
I also have paid services a lot of money where customer service was nonexistent until I did a credit card chargeback or raised an issue with government regulators.
I'm trying to figure out exactly what I want to push my state legislature to encode into law with regards to customer service minimums that would cover anyone doing business in the state, free or paid.
I had something kinda similar happen to my hotmail account. While I didn't lose access to it, I lost more than a decade of correspondence dating back to my teenage years. The reason was that Microsoft at some point required you to "login" once every 30 days. It seems they only counted logins through their web interface or something like that, so even though I was receiving emails daily, I didn't trigger a "login" in their system. They then deleted all my emails, but I could still login.
This happened to me ten years ago. A while later they did the same thing with my Minecraft login that I had purchased before the EULA was in place; I’ve avoided their services like the plague since then.
> I will never use their services again, I was really digusted by this failure
Isn’t this inherent to not choosing an (EDIT: external) account-recovery method?
The flip side to allowing account recovery at Google’s discretion is lessened security for everyone. (Obviously not black and white. And I agree Google should have flexibility for old accounts. But it’s an odd thing to reject a major provider over.)
They did have a method to recover their account that they tried, though - they said that they used the account recovery codes, but that they were rejected. (Those would be the codes that Google gives you when you initially set up 2FA.)
1. You have to own that domain forever, until or at least until you're 100% confident that an email intended for you will never be sent to that domain ever again. Even then, there are security risks with giving up the domain.
2. You give up some privacy. You can use mailbox aliases but it doesn't really matter if all the mailboxes are tied to a domain registered to your name and address.
If you use a password manager like Keepass, you should still be able to log into your other accounts if you lost access and at least with financial institutions you can call, ask that no changes be made with without coming into the branch and showing ID.
Yes, but many companies will also drag their feet, refuse for "security reasons", or you'll just never be able to reach them in the first place because their only support is an AI concierge that tells you the same thing over and over.
As an example Anthropic and OpenAI don't let you change your email address.
My gmail address is first.last@gmail.com. From time to time (and for years) I get someone else’s at firstlast@gmail.com. I thought that a Gmail account that was first.last@gmail also allowed for email sent to firstlast@gmail (no period) to reach my inbox as well.
I’ve received some sensitive/PII content over the years.
I’ve wondered if this person has access to any of my information?
Not necessarily related to this post, but wonder why and how this could happen.
This is so useful. a Gmail account is so much more than just an email account at this point. my first gmail account was made when anonymity and cool email was more of trend than your actual name - so i based upon my favorite book in 2006. 20 years later the account is tied to my oft used primary google voice number so lingers even with obscure and hard to spell email.
i could gave moved my google voice number, but it seems like a convoluted process and have had my number since about Grand Central acquisition.
in my experience, in/out porting with google is super quick and works great. It costs $20.00 IIRC. I port my primary phone number around to avoid unlawful surveillance, handy tool in the bag.
Oh, finally. I’m one of the first.last@gmail folks, which I assumed would never change when I was 13 years old (hah!). Fast forward a few years, I got married, and am stuck with my old name in the address.
You can take this to an extreme (like I do) and use a different email address for every party with whom you communicate. It makes it rather obvious who leaked your email address, and also easy to shut them out (looking at you ActBlue!). It also leads to some amusing personal interactions. I once rebooked a cancelled flight on JetBlue at the ticket counter. When the agent saw my email she said “wow, you must really like JetBlue.” I just nodded but I was laughing inside because it’s definitely the opposite!
I do this as well, and occasionally people get confused and think I work for the company I'm interacting with (enterprise@myname.com is close enough to myname@enterprise.com, I guess.) I usually don't bother to correct them, in case it gets me better treatment :)
Stay tuned I have a pretty cool project I plan on launching very soon. It takes the email alias to the next level, using them as meta tags to actually allow users to trace the source of shady data exchanges. I'm working on the guide and I'm hoping to actually start a community effort here to hold companies accountable for responsible use of PII
Everybody knows name+something@ maps to name@ so it’s trivial for bad actors to strip the plus part and just spam you directly, losing the per-correspondent distinction.
Which is covered by GP's second suggestion. I add short random password-like strings to these aliases to thwart spammers who might be trying obvious aliases, turning e.g paypal@example.com into paypal.nsi873g@example.com
I love this feature and wish something like it would come to Gmail.
I can't rely on iCloud Mail anymore due to its overly aggressive silent spam filtering. Not great if you're trying to log into an account, and you can't receive the recovery emails for that account.
;) I was a by-invitation-beta in 2004, trust me. Even then spammers knew about the +1234 trick too. The earliest throwaway forwarders suffered from explosive growth and spam netblocks and their queue times varied greatly. The golden age of Viagra and recruiters selling prospect lists to randos. I retreated to gmail for the SPOP and because my original address was Tech Contact for 100+ domains from 1994-2000. Thousands a week. If I was smart I'd have used it as a honeypot to feed a spam blocking service.
I have a separate email I only use to get government and public services (gas, electricity) stuff and it still receives a few hundreds of spam a week. At this point I kinda feel whitelisting the mail I want to read is the only sane option, so getting hundreds or thousands of spam mail makes little difference, while managing a portofolio of addresses is a chore.
Wow this is massive, but will come down to whether you switch to another existing address you have. That is you have example1@gmail.com and example2@gmail.com. The first one has all your decades of data and second is name you've reserved etc. With handles you can release one and use on another account so hopefully option to do the same. Or if they could just update their account migration to support migrating all historic data that would accomplish the same.
That would have been nice to have during transition. Creating a new account and updating 3rd parties was a huge pain and never got close to 100% completion.
Seems useful. But what I really want is a way to merge google accounts, over the course of history I created 3 of them and would really prefer just a single one
Fun fact, if someone knows your email address and clicks “forgot my password” it sends a push notification to the Gmail and YouTube apps asking to confirm or deny the sign in request. They can click that hundreds or thousands of times per day. I know because it happened to me, so I moved all of my accounts off of the email and deleted my YouTube account. :) peace out Google. Thanks for tolerating a completely insane UI, and not allowing me to turn this setting off. I can’t imagine what it’s like for the elderly who have to navigate this completely enshitified landscape.
Could this be a sign that Google is starting to think again?
For an organisation that often does deeply intelligent things, they spend such a lot of time treating their users unnecessarily poorly because obvious implications seem not to occur to them.
I think they know about them they just don’t care enough to spend money on fixing them. They are still primarily an ad company today and their users are still primarily the product not customers.
It's incredible that in 2025, Google has sprung for "basic competency" after operating a bad email service for 24 years.
In my case, many years ago I changed my last name. (Turns out a lot of women also do this when they do things like... get married. But also for a progressive company everyone's purchases being permanently locked to their deadname seems... bad.) But all of my Android apps, my entire digital life at the time, was permanently locked to my old name. I had another account I created as a mail forwarder but if people sent an invite to it for a Google thing it wouldn't connect to my real account, and obviously there was an added security risk of someone stealing my forwarding account.
I remember talking to Yonatan Zunger about this problem during the Google+ era and it seemed to be renaming an account wasn't something the company was capable of.
I never really had this issue because I used Google Suite with a domain. (That’s what it was called back then.)
So I can have email aliases under that domain, and even choose the alias for outgoing email.
However! This creates an extra security hole. Once I was SIM-swapped (when the attacker calls up a phone company and convinces them to redirect sms to their SIM). I had used it as a second factor at GoDaddy and had to act fast. GoDaddy had already allowed the attacker to authenticate with the sms (dumb!) and port the domain name. I realized what was happening only because the attacker sent “test” emails to my email at the domain. Had they not done that, I might have been none the wiser. I called GoDaddy and got them to cancel it, thankfully. Otherwise they’d have reset passwords armed with email AND phone number.
Since then I use the non-SMS SECOND FACTOR on most services, as NIST had been recommending
for a decade now.
I personally recommend using a username+alias@gmail.com which gmail and others support, with a different but easy-to-remember alias per site, so social attackers can’t even correctly say your email to the dude on the phone.
Michael Terpin, a guy I know, got $27 million dollars in crypto stolen a decade ago by a SIM Swapper and sued AT&T for it. Not sure if he won… he moved to Puerto Rico to avoid taxes and brought Brock Pierce and other crypto bros with him LOL.
Lost a decade and a half of correspondence dating back to my teenage years. I had imported my phone number I'd had since I was 16 into voice, and it doubled as my Signal number. I even had a Gsuite subscription so I could use their (admittedly decently) UI to power my firstname @ lastname dot com email address.
I will never use their services again, I was really digusted by this failure.
I use protonmail now -- I think the "free" model enables providers to shrug and go "hey you don't pay us" (if there is support at all -- I've never been able to speak to a human about this issue)
I also have paid services a lot of money where customer service was nonexistent until I did a credit card chargeback or raised an issue with government regulators.
I'm trying to figure out exactly what I want to push my state legislature to encode into law with regards to customer service minimums that would cover anyone doing business in the state, free or paid.
Isn’t this inherent to not choosing an (EDIT: external) account-recovery method?
The flip side to allowing account recovery at Google’s discretion is lessened security for everyone. (Obviously not black and white. And I agree Google should have flexibility for old accounts. But it’s an odd thing to reject a major provider over.)
1. You have to own that domain forever, until or at least until you're 100% confident that an email intended for you will never be sent to that domain ever again. Even then, there are security risks with giving up the domain.
2. You give up some privacy. You can use mailbox aliases but it doesn't really matter if all the mailboxes are tied to a domain registered to your name and address.
As an example Anthropic and OpenAI don't let you change your email address.
Note that I'm not even talking about trying to send email FROM a self-hosted account, but trying to get someone else to send email TO such an account.
I’ve received some sensitive/PII content over the years.
I’ve wondered if this person has access to any of my information?
Not necessarily related to this post, but wonder why and how this could happen.
No. They have just told someone your email address, and that someone has sent you stuff.
i could gave moved my google voice number, but it seems like a convoluted process and have had my number since about Grand Central acquisition.
name+service@gmail.com or service@myowndomain.com
...to figure out where the spam originated?
Just be aware that this may be very confusing to customer support agents: https://news.ycombinator.com/item?id=32475178
https://support.apple.com/en-us/105078
I can't rely on iCloud Mail anymore due to its overly aggressive silent spam filtering. Not great if you're trying to log into an account, and you can't receive the recovery emails for that account.
I have a separate email I only use to get government and public services (gas, electricity) stuff and it still receives a few hundreds of spam a week. At this point I kinda feel whitelisting the mail I want to read is the only sane option, so getting hundreds or thousands of spam mail makes little difference, while managing a portofolio of addresses is a chore.
For an organisation that often does deeply intelligent things, they spend such a lot of time treating their users unnecessarily poorly because obvious implications seem not to occur to them.
In my case, many years ago I changed my last name. (Turns out a lot of women also do this when they do things like... get married. But also for a progressive company everyone's purchases being permanently locked to their deadname seems... bad.) But all of my Android apps, my entire digital life at the time, was permanently locked to my old name. I had another account I created as a mail forwarder but if people sent an invite to it for a Google thing it wouldn't connect to my real account, and obviously there was an added security risk of someone stealing my forwarding account.
I remember talking to Yonatan Zunger about this problem during the Google+ era and it seemed to be renaming an account wasn't something the company was capable of.
So I can have email aliases under that domain, and even choose the alias for outgoing email.
However! This creates an extra security hole. Once I was SIM-swapped (when the attacker calls up a phone company and convinces them to redirect sms to their SIM). I had used it as a second factor at GoDaddy and had to act fast. GoDaddy had already allowed the attacker to authenticate with the sms (dumb!) and port the domain name. I realized what was happening only because the attacker sent “test” emails to my email at the domain. Had they not done that, I might have been none the wiser. I called GoDaddy and got them to cancel it, thankfully. Otherwise they’d have reset passwords armed with email AND phone number.
Since then I use the non-SMS SECOND FACTOR on most services, as NIST had been recommending for a decade now.
I personally recommend using a username+alias@gmail.com which gmail and others support, with a different but easy-to-remember alias per site, so social attackers can’t even correctly say your email to the dude on the phone.
Michael Terpin, a guy I know, got $27 million dollars in crypto stolen a decade ago by a SIM Swapper and sued AT&T for it. Not sure if he won… he moved to Puerto Rico to avoid taxes and brought Brock Pierce and other crypto bros with him LOL.