Gmail has decided that I can't log in with "just" my password. The new password is correct. It then asks me for my old password, which I put in correctly. Then it tells me I can't log in anyway. :(
Occasionally it will give me a QR code to scan. But I can't scan it on my phone, since my phone is logged out.
I can't log in to my recovery account, because (like a fool) I changed the passwords simultaneously. Now both are locked.
Somebody help! My account name is [redacted]@gmail.com (the recovery email should match my HN username). I'm locked out of a decade+ of correspondence, recovery, and historical data.
Edit: the closest solution is to try account recovery, which is what I was doing. :(
I don't want to "spam" the recovery form, since I suspect that will only make it worse.
Edit2: trying Gmail app and Google Authenticator now, to see if that makes a difference. Will update with progress.
Edit3: no dice. Gmail app just loops me to a message saying "Google couldn't verify that this account belongs to you." Clicking on Verify account just loops me back to the login. It doesn't even ask for my old password like before.
I feel sick to my stomach...
- Have you, by any chance, stored some Google recovery codes somewhere?
- Isn't there a "call me and read me a one-time six-figure code" option available in all the login/authentication options Google provides?
hope it helps
Trying to recover your account from your friend’s house in another country, or whatever, could be making it worse.
True, no mails no problems, it's a feature not a bug.
I used to think so when I used Gmail.
But switching to Fastmail, I no longer agree that it is "by far" the best. Now I think Gmail is only better by a slight margin, and this margin is so small that it does not justify the drawbacks: potentially getting locked out with no recourse, certainly getting everything you receive scanned to deliver you the best possible ads, and contributing to the email monopoly where the big players decide the protocols.
I find this opinion absurd. It is an e-mail client. Even if it did perform the tasks that an e-mail client needs to perform somewhat better than all other clients, the loss of autonomy makes it a terrible deal, even for non-technical users.
Are you in the EU? Google's DPO or your country's data protection authority might want to hear about it.
Are privacy guidelines in EU countries so well defined that they take terms such as "password for an online service" into their vocabulary?
Even though postfix brings me headaches sometimes, seeing the issues people have with Google, it seems like setting it up was a step in the right direction.
The spam filter just broke at some time in the last year. I get 1-2 obvious trash spam in my inbox every day. Literally things with a subject like "You _WON_ !! ** our give_away!"
It’s not just you. Their spam filtering has been broken in general for a while now. Not sure what’s going on. I wonder if the volume of spam has just hit some critical threshold where it costs too much to process every incoming message.
I wanted to switch from Google a few times (always postponed it to a "next time"), but reading this today I realized how devastating it would be to get locked out. So in the next few days I will move away from Gmail.
This way there is little possibility of somehow being labeled as fraudulent.
A few months later it suddenly worked again, and I seized that opportunity to move permanently away from gmail. I was lucky. I do not want my access to my online identity to be governed by luck, however, so I really advise anyone who will listen to make the move before this kind of sob story happens to them.
"It won't happen to me" - I thought that too, and no doubt so did the OP. Won't it? How much will it cost you if you're wrong?
It now costs me $50/yr to know it won't happen to me and I'm more than happy to pay a fair price for a good product, like I do for everything else.
The real protection is to get your own domain which Fastmail of course supports, so you can point it at a different email provider if worst comes to worst, like ajross's plausible proposition that:
"[...] I'd put the odds of Fastmail failing entirely as a business rather higher than those of any single user having an unresolvable 2FA glitch with a gmail account. In the world of real data and not anecdata, Big Tech is incredibly reliable."
Well that's funny, because I see a desperate post by a gmail user with an unresolvable 2FA glitch (except by screaming for help on tech-oriented forums hoping someone will notice) basically every week, and yet somehow Fastmail isn't out of business yet. And who knows how many "normies" without an HN/Twitter megaphone just silently lose access, weep a bit and give up?
I have no doubt that Google won't actually lose my email data, but if I can't access it and have no recourse then there's no difference in practise.
I have an alt gmail account that I used less frequently. 3.5 years ago I was abroad right after the first wave of COVID, and was logging in from a new laptop (no longer have the old one). When I tried logging in with the correct password, it told me I needed to verify an SMS to an old phone number I haven't used in 10 years (7 at the time I suppose).
Every now and then I'll try logging in hoping they realize that the account is mine, since I have the password, and no one else is logging in (hopefully).
Unfortunately, nothing changes, I still get the requirement to verify with a second device, and I never configured a recovery email for that account.
One day I'm hoping someone will register the old phone number, and I'll be able to smooth talk them into passing the confirmation code to me.
For anyone reading this, do not rely on google services, you'll move cities, change your number, or as OP change your password and _you will get locked out_ with no recourse.
You are no fool. No doubt you are way above average intelligence. This so-called "security" ecosystem of Big-Tech is a dumpster fire of rotting clinical waste. Hope it doesn't spoil your holiday break - and for goodness sake make a New Year Resolution - to quit this madness forever.
“Do you want this account to be extra secure and for us to lock someone out of it with any activity deemed suspicious?”
And then when you don’t click that box they don’t arbitrarily lock your account. But they don’t. Because they’re a dumpster fire company.
For anyone else reading, I'll just say that we all know there are tradeoffs between security and usability and we can actually have a good-faith discussion about that if we want to.
I have never bought into this regressive corporate security model in which my desktop computer is supposedly less trusted than assorted web app accounts. Unless I've opted in to something different, knowing the password should grant basically full access to the account. If there are additional rules around changing the password or other sensitive meta tasks, then those need to be spelled out in a well defined manner, and not punted to some opaque fickle machine learning scheme based on IP addresses, browser vulnerabilities, phase of the moon, etc.
The lockouts are there because of how easy it is, without them, to compromise someone's email access. People leave their email password lying "in the open" all the time (for a very broad definition of "in the open" that includes things like "re-use it in another site that gets compromised, and use the same username on that site so a cross-site attack attempt is basically a free action for an attacker to take"). When a Gmail account is compromised, people lose everything digital because they've routed their entire digital security story through their Gmail and it's a trivial operation to harvest all that data once an attacker has access. So the damage to an individual is massive when a Gmail account is breached. And since Gmail doesn't actually know who a person is, correction of a breached account is extremely painful (consider, for every method Google might add to prove your identity to restore ownership of your account, how a malicious actor could use that approach to steal your account).
I've been on the receiving end of a Gmail lockout (cooked a phone on vacation while my OTPs were stored in an envelope at home), and it sucks. But it sucks less than having my whole digital life story (access to HN, access to every forum I'm on, access to every hosting service I work with, access to every bank account I own) compromised because that Gmail account is the receiving target for every "reset your password" flow of every service I operate with online, and I'm the average use case.
Thus, as long as the total number of hijackings+lockouts decreases, it is a useful policy from the utilitarian perspective. Of course, hijacked people don't cry for help as much, nor do they blame Google as much.
People think a better customer service would somehow solve the lockout problem, but they need to understand that customer service has the same hijacking vs lockout problem, and they can only help if they have better identity verification methods available to them - e.g. if Google asked for government ID for opening a Google account, this would work - but if Google did that, people would scream. Without properly established identity verification methods, the customer service can't improve the precision and the recall. Thus, the current choice for the users is to use a better identity verification method - like security keys and using Advanced Protection, as non-phishable auth does not need complex and elaborate heuristic based protection, and set up a chain of recovery accounts, with all accounts using the security keys and/or Advanced Protection.
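To make the hijack-versus-lockout tradeoff argued in the two comments above concrete, here is an added toy model; it is not code from Google or from anyone in this thread, and the risk signals, their weights and the login events are all constructed for illustration:

```python
"""Toy model of an account-verification policy as a classifier.

A login policy sees only signals (password correct? known device? known
location? security key present?) and never the ground truth of who is
typing. A heuristic that challenges "risky" logins trades hijackings for
lockouts; a non-phishable factor separates the two cases cleanly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    actor: str            # ground truth: "owner" or "attacker" (hidden from the policy)
    password_ok: bool
    known_device: bool
    known_geo: bool
    security_key_ok: bool  # a registered hardware key answered the challenge


# Constructed sample, not real data. Note that the owner abroad on a new
# laptop (attempt 2) is indistinguishable from an attacker holding a leaked
# password (attempt 4) as far as device and location signals go.
SAMPLE = [
    LoginAttempt("owner",    True,  True,  True,  True),   # 1: usual laptop at home
    LoginAttempt("owner",    True,  False, False, True),   # 2: new laptop, travelling
    LoginAttempt("owner",    True,  True,  False, True),   # 3: own phone, new city
    LoginAttempt("attacker", True,  False, False, False),  # 4: leaked password, abroad
    LoginAttempt("attacker", True,  False, True,  False),  # 5: leaked password, local
    LoginAttempt("attacker", False, False, False, False),  # 6: guessed password, wrong
]


def risk_score(a: LoginAttempt) -> int:
    """Constructed risk heuristic: unknown device weighs more than unknown location."""
    score = 0
    if not a.known_device:
        score += 2
    if not a.known_geo:
        score += 1
    return score


def heuristic_policy(a: LoginAttempt, max_risk: int) -> bool:
    """Allow a correct password only when the risk score is at or below max_risk.

    Anything above the threshold is challenged; with no usable second factor
    the challenge is, from the user's point of view, a lockout.
    """
    return a.password_ok and risk_score(a) <= max_risk


def security_key_policy(a: LoginAttempt) -> bool:
    """Require password plus a security-key assertion; no risk heuristic needed."""
    return a.password_ok and a.security_key_ok


def evaluate(policy, attempts):
    """Return (hijackings let through, legitimate owners locked out)."""
    hijacks = sum(1 for a in attempts if a.actor == "attacker" and policy(a))
    lockouts = sum(1 for a in attempts if a.actor == "owner" and not policy(a))
    return hijacks, lockouts


def tradeoff_curve(attempts):
    """Hijack/lockout counts for every heuristic threshold from strict to lax."""
    return {t: evaluate(lambda a, t=t: heuristic_policy(a, t), attempts)
            for t in range(0, 4)}


if __name__ == "__main__":
    for threshold, (h, lo) in tradeoff_curve(SAMPLE).items():
        print(f"heuristic max_risk={threshold}: hijacks={h} lockouts={lo}")
    h, lo = evaluate(security_key_policy, SAMPLE)
    print(f"security key policy:      hijacks={h} lockouts={lo}")
```

No threshold of the heuristic reaches zero on both counts at once; only the stronger identity signal does, which is the point the comment makes about precision and recall.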
Why?
You go to your registrar and point your domain to another email provider, and you’re back in business.
All your previous emails are lost, aren't they? Even if you have a local backup of them somehow, they are not equivalent to emails saved on your server?
I've done that in the past, don't recommend it unless you have a real need and know what you're doing. It wasn't hard, but just extra work that I wasn't sure was worth it.
I don't know why we ever thought free email was a good idea. Of course Google doesn't care about a free email user. They're just another useless eater out of billions. And yet so many of us (me included, until switching) basically built our whole online existences around gmail.
Email is important. Important things are worth paying for. You have status and recourse if anything goes wrong. Gmail works until it suddenly doesn't and you are reduced to desperate moves like begging for relief on HN. Move away before that happens, and vote with your wallet for fair service for a fair price.
I pay $180/year for Google Workspace and Google still doesn’t care about me.
I'm looking for a good alternative to the office suite. Microsoft has better customer service but not by much, and it's not always easy to use cross platform (I wind up using Win, Mac, and Linux weekly and play with FreeBSD occasionally).
It's so nice to have my Gmail only for Android and other Google services. It was a big relief.
https://developers.google.com/gmail/api/reference/rest/v1/AutoForwarding
google is good at spam filtering so those accounts became the accounts I give out to people publicly.
tl;dr: Fastmail custom spam filtering needs some time to actually do anything. Now no more 2 spam emails a year get through the filter.
In point of fact I'd put the odds of Fastmail failing entirely as a business rather higher than those of any single user having an unresolvable 2FA glitch with a gmail account. In the world of real data and not anecdata, Big Tech is incredibly reliable.
[1] Which seems great, btw. I'm actually looking at moving my vanity domain to them as I'm sick of chasing standards trying to host it myself. This is absolutely not a ding at Fastmail.
My point is just that there's no free lunch. Everything breaks, but on balance I'd trust Big Tech to get it right more than little companies like Fastmail or your domain registrar.
"I feel like" is, precisely, the anecdata fallacy at work! You feel that way because you see so many more reports of problems with the big providers. The truth, obviously, is that account management problems like this are present everywhere[1], but the email (or domain) market is dominated by a small handful of players. So you think the tiny ones are better than they are.
[1] Pointing out the pervasive complaints about domain registrars was supposed to drive this home. It's weird you think that somehow doesn't count. All bureaucracies mess up, it's not like email is a special kind of failure.
I think this misses the point. With Fastmail, if they mess up, I can still talk to a human. With Gmail there is no customer support to begin with so you're screwed whenever something goes wrong.
(I know I can set up manual filters. I prefer it to be done for me automatically.)
ok, we are different
How does Fastmail determine which ones are spam?
I used to love those automated categories and had 4 categories. One day I suddenly felt that that was too many and reduced it to two, "Primary" and "Updates" (similar to mail.live.com's "focused" and "other"), and found it actually easier to manage my emails. Of course that is still two, not one, but I just want to say that you might also realize that you don't need so many categories.
Someone needs to lawyer up and make them pay through the nose for stealing access to individual’s personal data that doesn't even belong to them.
Until there is regulation, you’re probably going to be out of luck.
As with all insurance you pay for what you want to risk. It didn’t hurt me much but I still went to daily offsite backups for my mailserver. The biggest gripe was standing up a new mailserver; make sure you keep your software up to date, y'all.
It always seemed silly to me to have the server where your new mails get delivered be the same server as where your email archive lives.
I’ve been on the fence about migrating off Gmail, but after reading threads like this, I put a contingency plan in place. Backups of my Google account are done hourly, and I have a custom domain/workspace account so I can move the domain elsewhere if needed.
About 3 years later I was magically let back in, no idea why but I would try every few months and it just worked one day. Hope it doesn’t take that long for you.
I’m still locked out of my account. December 22nd was the expiration of the domain name I needed in order to unlock it, and it is now gobbled up by another squatting service (Bodi), so I will have to try again next year. They don’t even entertain my offers to buy it.
Let our losses be a lesson to people: get off of gmail asap. They do not care about you. They do not care about the harm they are doing, the memories they are sealing away. All they care about is making money off of your data.
Get off google now. As fast as you can.
I switched to posteo.net recently and have not looked back since, can only recommend a paid email provider. Different level of support and assurance when you are a paying customer.
Not all accounts seem to have this but I did. I do NOT have two-factor and eventually the "try another way" method offered to take me through the android code generation and it let me back in.
> *"Sign in With Backup Codes"*
https://support.google.com/accounts/answer/1187538?hl=en&co=GENIE.Platform%3DAndroid
But seriously, what's next? Switching to IE from Chrome? Back to MS Office from Docs? The more things change the more they stay the same...
I guess for certain things we backup to cloud and for others, we backup from cloud :D
Has lots of features, doesn't require a fast stable Internet connection, and there's no risk of losing your emails because $provider locked you out.
Plus if you have multiple email accounts, it's super convenient to get them all in one place.
Do you still have to fetch mail manually like a caveman or did they make it automatic yet? Does your mail sync between all your devices? I still think it's less likely to get banned from gmail than my local hdds to fail.
Uhh the whole discussion is about exactly this problem which you've decided won't happen to you because ... ?
Thunderbird rules and isn't going away, and makes things like blocking remote images easy (as opposed to gmail where you lose basic UX if you turn it off so most people don't).
What's more, gmail's basic features have really suffered in the last 10+ years. I search 20 years of email in Thunderbird faster and more efficiently than the bloatware POS gmail is now.
But best of all, I don't use gmail! I never have to worry about the nightmare scenarios presented here and nobody spies on my email (other than the NSA :) )
Oh -- physical backups rule too. From rotating through various drives my email is backed up at least 16 times over.
Anyway, hopefully the google support outsourced to hn channel can help...
This isn’t someone getting locked out because they forgot their password (where I can at least understand why the user is at fault).
Zero customer support, no way to get the number returned and no refund on existing credits for toll services. And to add to the pain, they won’t give me a new GV number because it sees my linked number as a spam source and never sends the confirmation code.
I am done with this outfit.
Edit: MAKE YOUR NUMBER PERMANENT if you don't want to lose it due to 6 months of inactivity. It's $20. Also ported numbers are never recycled. I am happy with GV and will always use it.
You can not imagine the pain of having to recover the three accounts using that number for 2FA.
My tentative plan is to get (another) cheap paygo SIM, stick it in a cell modem attached to a server, and set it up to forward all texts to email/xmpp/etc. Use that for all these longstanding snake oil auths.
Then move my main personal number (used to be a mobile number, now at GVoice) to a VOIP service. At which point if someone can't call/text my personal number because they're using some crappy service (eg Comcast mobile), then too bad, they can figure it out.
[0] I figure Twilio is in this same boat, although I don't have much experience with them?
It helped me in the past.
If you're still using Google products as your primary drivers, then it's entirely your fault.
Do yourself a favour in 2023: drop Google and all the filthy excrement that they produce. There's plenty of much better alternatives, and from a purely market-based perspective Google deserves to rot in hell for all of its sins and shitty products.
As it turns out, Google is not sufficiently convinced that I am in fact the owner of the account, so it refuses to let me download the data. I don't feel inclined to spend time trying to figure out this nonsense, but thankfully none of the information in that account is particularly important. I'll take it as a sign that I should just move away from Google, because next time the information on an account could be actually important, and I'd be screwed.
First, getting to a point where you can actually schedule the creation of a zip takes a lot of clicking around - just to make sure that people won't bump into it unless they're explicitly searching for it.
Second, the process is painfully slow (on purpose). Last time I used it was to download my YouTube subscriptions and playlists to import them into my Piped instance. Even though I only have about 100 subscriptions, and only two playlists with about 20 items each, the process took almost two days to complete. By then I had already made a script that scraped the content from their HTML (and it only took me 5 minutes), and another one that did the same but using the YouTube API. If it takes less than a second to get the playlists and subscriptions of a user, I don't see a single reason why generating a Takeout CSV with the same information should take 2 days. I was determined (and tech-savvy) enough to script my way out of it, but many users just get discouraged and give up the idea of exporting their Google data entirely.
> Automatically create an archive of your selected data every 2 months for one year. The first archive will be created immediately.
While I was waiting on that, I finally paid for a proper email service and migrated my domain, so I have a copy of my Gmail data and a working, Google-free email service now.
It's been unreliable for years.
Some people never learn.
If you left LastPass because of its security flaws, then using Chrome's passwords is a bit like driving a scooter with a pasta pot on your head because you feel like a normal helmet is too unsafe.
You can switch browsers and search engines at the drop of a hat. Primarily email, password manager, and long term document storage, not so much.
This is mostly true for any of the free offerings.
If you're paying for the '…for Business' stuff (perhaps with your own domain), then there's probably more availability for recourse and contacts (especially since they're charging your credit card, so they have some form of link to a real human being).
FYI- It is the exact opposite. There is zero support without multiple support tickets, their UI is full of antipatterns. I get to pay and not only do they scan my emails (they claim they stopped that practice, sure) they also won't allow Google Workspace (formerly GSuite) to utilize features like Google Family. I have a tertiary public account that right now I can't access because I'm travelling and have run afoul of the Google gods, and in the Admin console there is zero way to force allow a login. And I'm paying for that wonderful granular control.
I for one hope the wave of GPT based AI wipes them off the face of the internet, they are valueless. Their search is a joke now. They've been adversarial to the user community for years and remind me of the terrible taste of a monopolized (because let's face it, that's what they are) ecosystem with ZERO concern or care about their end user. <insert Lily Tomlin phone company skit here>
I have a little over 500 accounts tied to my Gmail over the last two decades. Moving them is a pain but still possible.
The problem arises when it comes to existing accounts with byzantine financial institutions. Trying to change email addresses that are linked to you as the username is nigh impossible in many cases.
Quite a few institutions won't let you use an email that comes from protonmail or a custom domain. So, many times I'm forced back into using a Gmail address to prevent a whole host of other issues.
Last year I was notified by Audi that my email address had been compromised in a data breach. As the spam volume to that mailbox increased, I decided to change it. I discovered that I cannot change the email address associated with my Audi account. When I contacted their Technical Support group, they advised me to delete the whole account (which failed), and create a new one.
As in, they check "if domain != 'gmail.com' { fuckyou(); }"? Or as in "their MTAs are not very good and just don't deliver email"?
I have accounts in the US, EU and Asia due to family, etc. and this kind of restriction is fairly common in EU/Asia
Interesting; I can't say I recall ever encountering such a restriction anywhere, including banks, and I have or had bank accounts in a number of European (and other) countries. I've encountered other problems, but not this. Not that I'm doubting your experience of course; just interesting I never had problems with it.
I do a lot more business in cash locally as a result. Finding a good local bank that will let me physically show up to deal with problems with my money was the hardest part due to the massive consolidation in that industry, but the result is that I am more connected to my community and more resilient to many types of problems.
If you do not like Fastmail, still get your own domain for emails.
I'm now considering switching to Fastmail or Tutanota.
Or even run my own mail server. I used to do that until a couple of years ago, but I eventually got frustrated by all the dumb rules that Google and Microsoft (but mostly Microsoft) set in place to discourage people from running their own servers.
However, given the amount of time that I've already spent to debug the Proton bridge and open PRs to fix their sh*t, I must acknowledge that running my own Postfix server and spending a couple of hours to set up the right DNS records would have probably saved me a lot of time (and money).
Your email is your most prized possession. It is more important than your credit card number. At least you can call your bank if someone steals it. Also, _ALWAYS_ use your own custom domain for emails. Do not host it @someone-else.com
Stop using a free service from a terrible company that can lock you out at any time and, for Heaven's sake, stop recommending it to non-technical people!
Excepting loved ones, there is not much of a choice is there?
If you help set them up in a way that covers all the basics (personal domain, mail hosted at one of the current batch of paid, reliable parties like fastmail.com), then whenever something goes wrong, or whenever the friction to do something (anything!) is too high, it's not only your fault, but they'll lose trust in anything that doesn't look like a megacorp.
The other alternative is to just point them to Apple/Microsoft/Google where everything just works¹, and when things go tits-up (which, statistically speaking, only happens to a small percentage of people) they'll just blame that faceless megacorp, knowing full well that real choice is limited to those with technical know-how (or direct access to them).
I dislike the status quo, but aside from making sure I and my family aren't stuck like this, I don't see much leeway to change it.
1: It doesn't. But it will feel like it does, which is all that matters, and when it doesn't work, they'll just blame themselves.
What the poster can do in the future is enable 2FA on his Google accounts as that seems to streamline password recovery. At minimum add a phone and backup codes. Even better add a couple yubikeys (and maybe drop the phone after adding yubikeys because phones are super easy to compromise)
Same goes for GitHub.
I dream of a day when the US government retakes the mantle of consumer protection. Proposed regulation #2 (after eviscerating privacy violation) is that all services must meet certain customer service standards, including having a way to get to a human being.
I know I am dreaming hard here, but there once was a time when consumer protection was on the rise...
No way other than paying a trivial $1.67/month for Google One.
After losing my own 10 year old Gmail and running around the internet hunting down employees for 5+ months only to get a canned automatic response.
I learned to not trust any service. Ever.
I've even been hacked by rogue employees of Fortune 500 companies. Only because of my experience was I able to get my account back after being hacked for 5 - 10 minutes.
Backup yo shit fam. - IT guy who has been backing up to 3+ different hard drives since 2008.
Backups don't help with the painful (and sometimes barely possible) migration of your accounts to a new address, updating contacts, loss of mails that arrived after you were locked out, et cetera
Much like PayPal stealing from millions of Americans for a full decade+
Can't backup money either. That doesn't stop these policies of zero human support and only infinity robot responses from remaining until today.
Writing a law and getting it passed to curtail this behavior is absolute nonsense.
Complaining about the next 1000000 people to lose access without doing 1 single thing about it. Sign me right up!
Still important to raise awareness, these posts certainly help and make it harder for google apologists to deny it (a few years ago there was a lot more victim blaming in the comments of these threads).
I felt the need to point it out because backups were brought several times here as a defense against OPs scenario which they aren't.
If you already have another Google ID, or your partner/spouse/relative does, upgrade to one of Google's paid services such as Google One. Now, talk to a human customer care agent for Google One and seek help. I was able to talk to a real person about an issue with Google One, and the person on the other end knew a whole lot of details (which I was not expecting to be regular information).
Yes, that might cost you one month of Google One, but it's worth a try.
Btw, I have never figured out how to talk to a person even when I have 3+ Google Workspace for Business accounts.
You don't have to like them, but the fact is that there are many, many smart and competent people working on these systems trying to do the best for all users of Gmail and Google Accounts. Every day there are hundreds of very bad people around the world trying to gain access to Gmail accounts to do very bad things using that access. All the worst parts of humanity have found their way to leverage it. Balancing security and user-friendliness is one of the hardest problems in tech and it's impossible to do perfectly.
It seems from this thread that the OP did regain access and it didn't take that long.
Edit: I worked at Google for a few years, including on Gmail, and know that the people there really do care about all these things. But I left in the summer, no longer their employee.
Either way, I found a solution to that on one of those Google user support forums: I had to not try and log in to the account for approximately 40 days. After that, it'd let me log in with just the password again. This is apparently because Google keeps flagging the account of getting attacked and requiring a second authentication factor for some reason and the timer for that keeps getting reset after a failed challenge for one of the account recovery factors. After something between 30 and 40 days, I could log in to the account with just the password again.
Edit: Have not tried again for quite a while. Maybe they will change it some day? Well, I have given up all hope and try to avoid them as much as I possibly can.
What's more likely:
A) That I get locked out of Gmail for some byzantine reason I can't get out of
B) That for whatever reason (new card, I'm in the hospital, whatever) I forget/am unable to renew my domain and it gets sniped.
The real issue is that whatever registrar you choose can also arbitrarily lock you out of your account. But one would think being a bit smaller company, having less surveillance tentacles into things like phones, and having a less homogeneous userbase would keep them in line.
So it's a good practice to save old passwords. Some password managers make it easier by having a password history feature, usually on the account's detail page.
I recommend watching the "Talks at Google" channel on youtube to see the kinds of things that interest the people at Google.
I use pobox.com to forward my primary domain. Right now I have mail forwarded to their "mailstore," which is essentially a lite version of Fastmail.com (Fastmail owns POBox, or the other way around, don't remember), but I can forward to multiple mailboxes. It costs $50 a year, just like Fastmail, but I think it's a little more flexible, at least for my needs.
I've never had Google as a primary email account. I do have a few Gmail accounts, but that was to reserve them with my name, as opposed to ever giving the addresses out.
>I use pobox.com to forward my primary domain
Customer since 1996 and primary email address since 1999 because my college address closed at graduation. Since then my email has been hosted at ISPs, at various other providers, and at a Google Apps site, but it doesn't matter because the pobox address never changes. My college address works again, but I've long since used the pobox address in too many places to mass migrate away.
Years ago, before it got "corporatized", Pobox's FAQs had one entry that went something like:
Q: How do I know you'll be around in the future?
A: How do we know you'll be? Ha, didn't think of that, did you?
Someone at Google PLEASE, PLEASE, make it enough for a registered phone number to reset the password. I got my phone number with my passport; it is the last thing that doesn't need any verification. Why is it not sufficient? AND stop sending the verification email to the email address I am recovering. It is a sick joke.
But both accounts do nothing but forward to my fastmail account where I have rules setup for them. So it was a giant nothingburger for me. If they're so secure even I can't log into them, whatever.
I don't trust google with anything of mine. I used to use their online spreadsheet app to track house bills, but moved it to my local share where I use libre office instead, solely because I'm aware of how likely it is I get locked out of everything at some point.
Everyone should treat google like they treat their laptops: With the assumption that it can die at any given time and so backups are critical.
Please let them know my recovery account (another gmail, FirstnameLastname) is also locked.
Edit: I'm back in to my recovery account!! Just enabled 2FA to avoid getting locked out again.
My main account is still locked, but it let me verify via my old password, new password, and recovery email code. The message says that they still need to verify more, but I should look for an email to login within 48 hours.
Fingers crossed!
Obviously I'm re-working my email solution as we speak... starting with backing up my Google data!
Lots of good recommendations in this thread. Learn from my mistakes. It can happen to you!!
This is definitely something I (personally) wish we could do better on; I feel embarrassed and very slightly partially responsible whenever I see our support failures making the front page of HN.