I think Google has done some cool stuff, and I think in a lot of ways they're, at least historically, one of the less evil big tech players.
I gotta say, though, that my experience with trying to get them to sort out any kind of issue with their services makes me reluctant to spend any money with them.
I bought a Pixel phone. As per the sales terms, the phone came with one year of Gemini AI Pro service. Except, the redemption process to get the year of service didn't work for me. I contacted Google, they never fixed it or offered any solution. I simply didn't get the year of service I was promised.
My friend, who bought a Pixel around the same time, also wasn't able to get the year of Gemini they were promised.
That same friend has a Google One subscription, billed through their phone carrier. Recently, Google (or the provider?) discontinued that specific Google One plan, as well as the option to bill via your carrier. This was all covered in an email sent to my friend. As consolation, the email explained, my friend was given the option to switch to a different plan, billed monthly by Google (instead of their phone carrier), with 6 months free. Except, the new plan, and the 6 months free, wasn't selectable as a plan type for their account. So my friend emails Google about it and, to my complete lack of surprise, Google was unwilling/unable to provide any resolution.
At this point, I legitimately don't understand why, unless I had no other option, I would pick Google for services. They clearly put no real effort into resolving any service issues for any customer that's not spending millions with them.
I agree with your sentiment, but I wanted to call out that they've always been just as evil as other big tech companies.
I think their motto of "don't be evil" was some pretty clever PR.
I started questioning it c. 2008 when they ghosted me on resolving an issue with my blogspot site that was a bug in the platform. All I could get was a condescending non-response from a "diamond" volunteer on a forum. They were apparently the gatekeepers to reaching actual support.
Back in the day they bought Feedburner, and merged it with their internal equivalent. In that process, my subscriber list was affected. They apologized and even sent out some swag. That was nice, for a small inconvenience at the time.
I definitely don't think they've ever been super nice, but I still they still have a few much more user-friendly approaches than others. E.g., one of the reasons I bought a Pixel is that Google is one of the only phone makers that manages to have respectable security practices and still respects users enough support them choosing to modify the software on their devices and run alternate operating systems.
Disagree. Even with their issues, they're still less evil than MS, Apple and especially Oracle or Meta.
If they didn't have all their issues (discontinuing products, bad customer service) they'd probably be bigger than MS and Apple combined. But here we are.
Also for better or worse, I pay for bundled Google storage + Gemini and YouTube separately, it's still worth it, even without free months or whatever. And still better than being in MS or Apple's ecosystem.
I think their "Don't be evil" was pretty close to the truth, as much as it can be for large corporations, until around the time Google purchased DoubleClick. That was in 2008, so that seems to match your experience.
Same. Purchased Pixel 9 Pro XL, didn't get my year of Gemini or Google One, technical missuport couldn't be bothered circling between all the investigation steps I did and re-did already and tej "fixes" that have been verified ate not fixing anything.
"Support" agents couldn't be bothered - this feels like AI trapping me in the tarpit maze to save a few USD on the disk storage and infefence cost, effectively scamming me.
Anyone have an idea whether it would be practical to go to small claims court? I'm curious if this is a path consumers can take if a corporation breaks an agreement?
Depends on your jurisdiction, of course. (I am not a lawyer and this is not legal advice, merely my impressions). In the UK this would likely be worth it if the injury is a specified financial amount. So for people who have paid for something and simply not got it, a small claims court is a good bet for getting a refund. A lot of the time however, the injury is in the consequences of relying on one of these companies services, and having it withdrawn without notice, as in the OP. Usually, you want service restored, as that is in fact the least costly action for both sides. But small claims courts (in the UK) do not make that kind of order. In theory you could sue for the financial consequences of the abrupt withdrawal, but I'd guess that's too complicated for a small claim.
> ... my experience with trying to get them to sort out any kind of issue with their services makes me reluctant to spend any money with them.
When you pay for Google Workspace you are the client, not the customer and they do answer phone calls for support. The only two times my wife and I needed them for our SMEs, they picked up the phone and helped us resolve our issues. Super professional too. Haven't needed to give them a call in something like 8 years now.
Don't know about Pixel phone and Google One subscriptions but for SMEs Google Workspace is a godsend: it's incredibly cheap per employee and it's the way out of the Microsoft mediocrity. Everything only requires a browser, no matter the OS (wife works from Linux and now added a Mac Mini, for example): Windows can, at long last, get the middle finger in SMEs.
I'll forever be thankful to Google for allowing me to help many people get rid of Microsoft products, including Windows.
It took me 13 years to get them to unban my adsense account. To this day I still have no idea what happened and have assumed it was a competitor sending fake clicks or something.
> I think Google has done some cool stuff, and I think in a lot of ways they're, at least historically, one of the less evil big tech players.
It's been a decade since Google broke their promise not to use information gleaned from your use of their services to sell ads.
> Google quietly erased that last privacy line in the sand — literally crossing out the lines in its privacy policy that promised to keep the two pots of data separate by default. In its place, Google substituted new language that says browsing habits “may be” combined with what the company learns from the use Gmail and other tools.
unfortunately hosting your own email server is nearly impossible if you want reliable delivery. If
you don't care about being put in the spam box then it can work.
They sold me a Pixel phone with a broken battery (I think 6a? Where the battery fails after 400 charging cycles). I got an email and the offer to just get 100$ in cash from them instead of sending my phone away to get it fixed. I never received the money after filling out all the forms. Fuck google.
>I bought a Pixel phone. As per the sales terms, the phone came with one year of Gemini AI Pro service. Except, the redemption process to get the year of service didn't work for me. I contacted Google, they never fixed it or offered any solution. I simply didn't get the year of service I was promised.
I fixed this by deleting the subscription data for Google One (which also refunded me a prorated amount for my Google One plan), and then waiting a day.
It's been [0] days since the last "Cloud provider banned me and I lost everything" article.
Everyone who depends on the good graces of a cloud provider for something (not just Google, but Amazon, Microsoft, Apple, whatever) needs to at the very least, take a moment, and figure out what their plan is when they are suddenly banned and locked out permanently, without any way to contact the company.
Does life just go on, since you don't have anything important hosted there? (Best Case)
Do you lose some precious family photos and use it as a tough learning opportunity to stop doing what you're doing? (Next best)
Do you lose access to your E-mail and are suddenly not able to do 2FA, reset passwords, communicate with the company or the Internet in any way, and so on, and now have to panic?
Do you complain online, hoping that someone in the company sees your post and has the ability to restore your account, which you then continue to use because you learned nothing?
Having an online account suddenly suspended is a real, non-zero, but unlikely risk. You should at least have a disaster plan if you rely on these things for anything important. Or better yet, stop relying on them for important things like your identity or precious files!
> Everyone who depends on the good graces of a cloud provider for something (not just Google, but Amazon, Microsoft, Apple, whatever) needs to at the very least, take a moment, and figure out what their plan is when they are suddenly banned and locked out permanently, without any way to contact the company.
This is one of the most common sentiments I hear expressed on HN, next only to "if you're not building your software business around Claude Code, you're gonna left behind".
"A guy on HN told me one time, 'Don't let yourself get attached to any cloud services you are not willing to walk out on in 30 seconds flat if you feel the heat around the corner.'" -- Robert de Niro
google is worst because normal people with no tech experience can accidentally get banned from the only email account they ever had since 2005 which has all their insurance tax resumes family photo etc , never even understand how it happened , or fix it
> It's been [0] days since the "business I contract with to provide services locked me out of the building we rent, ghosted me, and threw all my shit out" article.
This. There are something like 150 million Americans with a Google account, and these days it is more important than a phone number to have a working email.
Email is a utility. Email companies should be heavily regulated and controlled like phone or other utility companies.
I don't know if I agree it should be regulated like a utility, however I believe contracts and suspensions should require more work than a click of a button.
The ease of suspend isn’t the problem here. It’s that there is functionally no recourse once the suspension happens, justified or not.
The only people who seem to get un-suspended are the ones who can generate news media outrage or who can call their friend who is a director/exec at the company. (Obviously this intuition is flawed, but it’s hurting the reputations of these SaaS providers.)
Americans need a government issued digital signing token to prove their identity digitally. There are a lot of services demanding ID verification these days and use a 3rd party to process driver's licenses and faces. It's super inefficient, full of friction, and probably unregulated (dodgy).
Someone claiming to work for the US Digital Services replied to me here years ago that this was being worked on in relation to the easily compromised SSN but I'd say all bets are off on a consumer friendly government service like that now.
In the case of Google Workspace for our company, I'm using Cubebackup[1]. I've been going through the disaster recovery exercises lately, and thinking about what I've been calling "external backups", which are backups of a service that are stored and restorable outside that service.
It can be surprisingly difficult with a lot of SaaS products (including Google).
Yeah. And every time I see a new "cloud provider banned me and I lost everything" article (i.e: every few days), I always just want to ask the same question(s):
"I'm sure it's very sad that you've lost all your [email|calendar|photos|whatever]... but, were you, a person who has chosen to rely on a service provided by a cloud provider with a track record which goes back well over 15 years of locking people out of their accounts with no recourse for the user, not aware that said provider has a track record of doing so, in some cases without even giving an explanation why?
Were you not aware that the service you were relying on them for was critically important to you? Or were you unaware that the provider of this service has the capability to completely disable the service you're relying on with the simple flip of a switch?
I'm fascinated by this decision you've made - could you please explain the thought process by which you chose to use this service which you have no control over for critical things?"
Come now, are those really the rhetorical questions you'd fling at your Aunt Tillie panicking on the phone, because she can't email anybody or renew her important drug prescriptions or whatever?
Most people expect better because in most other walks of life it is better with some kind of plausible appeal route, and the deficiencies we're discussing don't really get publicized. These service-outcomes are the outliers in need of repair, not the consumers.
> are those *really* the rhetorical questions you'd fling at your Aunt Tillie panicking on the phone, because she can't email anybody or renew her important drug
No - I'd be much less sympathetic to my aunt, because if she's panicking on the phone about not being able to email anyone, that means she's a) ignored my advice and rants for 20+ years and then b) had the gall to call me up to try to have me fix the problem that she created by ignoring me for 20+ years.
But I'm not actually really talking about regular people losing their personal email where they happen to keep a few sort-of important things that are relatively-easily replaced/transferred into a safer system. Those people I can sort-of understand, and don't really need to ask my questions - the answer is simple: "I never thought about it until now".
But aunt Tillie doesn't call herself an "entrepreneur" and doesn't rely on the existence of her gmail account for the survival of a business, and she especially doesn't have a blog where she whinges about the fact she did that.
I'm talking about people who should know better, who should be smart and considering things like "what are the existential threats to this business I'm trying to run?", who use gmail for vital business functions like payroll, and who tie their auth for everything else to their google (or whatever other shitty cloud service) accounts.
> the deficiencies we're discussing don't really get publicized
Yeah I'm afraid I'm going to have to challenge this assertion - I've seen variations on this article about ten thousand times. The post I was replying to was pointing out that they've also seen this article about ten thousand times. The vast majority of people that I have mentioned this problem to (and I do that a lot!) have responded with "oh, yeah, I've heard about that happening to people".
And another thing: my questions are not rhetorical. I am genuinely curious about the thought process that leads to these decisions. See, I didn't actually have to see this article even once - what I did was I gave it about 10 seconds thought, and came to the conclusion that relying on unaccountable third parties for mission-critical business infrastructure is an existential risk. This all seems very obvious and straightforward to me. Perhaps I'm some kind of super genius? I'm doubtful about that.
> These service-outcomes are the outliers in need of repair, not the consumers.
It's both. I agree that there should be some recourse. Show me a thing I can sign to bring in a law requiring all companies to post a phone number where a user can speak to a human and I'll sign it and have everybody I know sign it too.
But if you're not giving any thought to who controls your vital data and you lose it as a result of that, that's at least 50% your fault.
If a service offers "Login with Google/Apple/Facebook/etc" you should never do that if they offer a username/password. It just increases the single point of failure. Avoid places that only offer the "Login with Foo" if at all possible (looking at you Tailscale).
As an ex-googler, the only reason I was comfortable keeping even my personal email there was because I could reach out internally if there was a problem. I left Google, and left gmail behind too.
> Avoid places that only offer the "Login with Foo" if at all possible (looking at you Tailscale).
Tailscale is the only serious company that I can ever recall offering /only/ third party login. It's bit bizarre on the face of it. Anyone know the reason?
Curious isn't it, especially as it's such a bad fit for their product - authenticating with GitHub in order to ssh made the whole thing so much more painful than it needed to be. I subsequently tried switching to using a passkey when that became an option, but it's not possible to make the passkey user the owner of a tailnet created by a GitHub org user, so I'm stuck with two users in my Tailscale and can't delete the GitHub org user. It's the main thing that keeps me looking for a reliable alternative to Tailscale.
I think I read somewhere (but could be wrong) that it was because they didn’t want to own any “authentication” services. Their infrastructure was zero trust (as in they don’t hold any passwords or private keys), just a discovery server for different devices.
My other annoyance lately is companies that don't let you set a password. It's either passkey only (which I'm not sold on, yet), or "we'll email you a login link". Great, now I have to wait for the email to show up, click the link, hope it doesn't expire if I get distracted while waiting, and then also delete your emails, sometimes multiple times a day?
I genuinely feel like there is something happening where hackernews articles come in bunch/reference-to-each-other :]
So one of the comments on one hackernews post on front-page almost somehow always refer to something within a hackernews post on the same front-page. I have seen this witnessed too many times that it might be time to name this phenomenon.
We offer Login with Google and Login with Facebook on our apps. The fun part is both FB and Google started blocking Selenium and any other automated agents from logging in. So basically there's no way to run end to end tests that confirm the login flows using FB or Google, which have wrinkles that our normal login doesn't hit.
> We offer Login with Google and Login with Facebook on our apps.
This has the nefarious side effect of allowing Google or Facebook to track people across the Internet and apps. Webmasters like you are, often for no imperative reason, complicit of this by providing such login options.
App developers have repeatedly stated that offering those options increases user account creation. There is lower friction to using “login with <big tech>” than to create username/password creation flow. My guess is that most of the world hasn’t figured out a password manager workflow that works for them (or they aren’t willing to pay for it).
This is an issue that regulators need to address. Asking small businesses to forego the significant impact on their business of not implementing common features that users demand is not a good solution to public policy failures.
I don’t know what the exact revenue/growth difference is, but if my paycheque depended upon getting more users to sign up, I don’t think I could justify making it into a political stance when Google isn’t going to notice my tiny boycott.
I work for a university. It came down as a requirement from above because our most important users are older (rich) donors who struggle with even basic login.
Dealing with Google is a nightmare. I'm one of the volunteer sysadmins for https://forum.buildhub.org.uk/, a DIY and self-build forum. For 10 years it ranked very well on Google, particularly in the UK, and then on 28 December 2025 it disappeared from Google's index.
Nothing has helped, the Google forums are tumbleweed and there's no one to reach out to for what could be an algorithm change or something gone wrong. I'm a paying Workspace customer and it's made me think I need a backup plan in case I'm ever suspended. Reports like this don't encourage.
> Nothing has helped, the Google forums are tumbleweed and there's no one to reach out to for what could be an algorithm change or something gone wrong.
The own-brand forum (Google, Microsoft, Apple) seem to be infested by netizens from lower-income countries trying to build online customer support portfolios by providing utterly useless answers.
That, or trying to game the system and getting shortlisted for a free trip to Google HQ for one of their contributor summits.
I am genuinely curious if anybody knows of a non-trivial problem being solved on one of these forums, at least for a huge company that’s palming off customer support. It just feels like screaming in to the void, only for someone to (deliberately?) misinterpret your question and give you some generic advice.
It depends on what you call "non-trivial". I found answers on how to circumvent dumb macos bugs on Apple forums at least twice in the last 6 months. One related to displays, I was about to return a new USB-C monitor which wouldn't turn on. A silly issue, but it's a bug on my book, I wouldn't find the answer on the docs.
That counts! I suppose I’m lucky enough to know of more reliable resources (macadmins.org Slack is an excellent community), and so I turn to them after reading more than a couple of threads on the Apple Support Community. Perhaps it has improved or I never dig deep enough.
I’d be at a complete loss for any obscure Windows issue though.
Once upon a time at Google: The year was 2013, and I'd been selected to be among the first 8,000 people to get Google Glass. I had to go to Google HQ in NYC from my home in Virginia to get it and be instructed 1:1 on how to use it. I was given a toll-free phone number to call for support by a Glass expert, available 24/7/365.
Not only did they answer immediately whenever I had even the smallest problem or question: I twice broke my Glass, and each time I'd call the support number to ask for a replacement.
Google's policy was that no matter how you broke it or how many times it happened, they'd replace it free. They'd immediately send a box to return the broken device (prepaid) and a couple days later a brand new Glass would arrive.
Billions in profit may unblock scaling customer support beyond scrappy startup minimums
However (and I loathe this logic) if you can get the marketplace to accept that minimal level, and the brand harm is inconsequential, why not pocket the savings
You were a volunteer employee. The very least they could do is make sure you can keep doing the job.
I think organizations have a very hard time staying motivated once the product’s concern has moved away from any one team. While you test the product for them there’s likely people whose jobs depended on you and 7999 others doing so. But eventually a product will be considered shipped and all the various talent now pays attention to what’s next.
That's fascinating. The stabilization is surprisingly good. And there's a kind of out-of-focus pulsing that happens to the video periodically. I'm wondering if that might be your pulse against the Glass, abruptly moving the Glass in a way that its stabilization couldn't compensate for.
I bought the Google 3-pod wifi system when it first came out. There was an 844 number for support on the back. I remember calling it when I didn't understand something and got an instant pickup by support staff.
With this comment in mind, I just now called that same number with an instant pickup telling me they no longer take support calls at that number.
Yep, monopolistic loss leaders can feel great when they're showering you with expensive marketing, right up until they reliably pull the rug in an effort to screw everyone or recoup their losses.
It was only a few years ago that they offered all of their Stadia subscribers a full refund for every dollar they ever spent on the platform. By this point their reputation for customer service was well and truly known, but colour me surprised when I received a not insignificant sum credited to my bank account from Google.
I saw it mentioned in a comment elsewhere in this thread, but the level of service you get really seems dependant on which pocket of Google is responsible for the product you happen to be using. Unfortunately Workspace is a giant pocket with many billions of users with suboptimal and/or perpetually exhausted support.
This should be illegal. Megacorps eat more and more of our life and regular people are increasingly at mercy of these hostile entities. They should be pushed more against. If we can't have proper anti monopoly splits like AT&T, then at least ways to prevent them exerting too much power are long due. If you provide an essential service, responsibility should match that.
Funny because I have dyslexia and read excreting power as exerting power, and then had to read your "Exerting" underneath 4 times to understand the mistake. I guess it's the phonics, dyslexia is so weird tho, ha.
Hey do you have certain fonts that are better? I was working with a dyslexic student last week trying to find fonts that work better for his online classes. All the research pointed towards a handful that didn't seem to really improve processing for the student.
They tried all sorts with me in school, I seem to recall it's related to trying to add shadow to hint to the brain the direction the letter should be etc. I found it more annoying than helpful. Probably a very unpopular opinion but I think teaching someone with dyslexia to read and write neurotypically is probably unhelpful and finding audio visual learning methods is a considerably better way to have them retain knowledge. I think you can get to a basic level of competency but speed and recall, at least with me, never really came. One thing I found once that was cool was an app that present each word at a time only in the center of the screen, but it felt extremely mechanical I was so focused on the words once I was done there was basically no meaning left if that makes sense. I'm autistic with dyscalculia also, FWIW. I mostly think in sounds, pictures and movies, for whatever reason my brain doesn't have a great framework for symbols that don't have those things inherently attached to them. ¯\_(ツ)_/¯
The EU’s heart is in the right place, which can only rarely be said of the US.
But the EU’s approach is often backwards. When product managers have to ask the government if it’s ok to ship a feature, something is wrong. When the government responds that it can’t say in advance, you’ll just have to ship and see if you get fined, something is really seriously broken.
If a company is about to produce millions of physical products, I think it is quite ok if they first check with the government to see if that is a good idea.
Same with social media features that are rolled out to millions of users.
If the EU was prepared to give advance permission, that would make sense. It would be slow ("Hey we want to rename 'username' to 'login'" -> "we'll get back to you in a couple of months"), but it would make sense.
But, if you'll re-read my comment, my complaint is that the EU will not pre-clear features. They will only punish after the fact if they decide it was a bad feature.
And that's even assuming you're correct that the bureaucrats themselves know what is a good idea. Which I'm skeptical of. I think they're more likely to be correct than, say, Facebook... but that's a pretty low bar.
There needs to be a law that every cloud-based service which has accounts for more than (say) 1% of population, must have a physical service counter presence in every major town staffed by an employee who must be empowered to resolve all account access issues.
Notice how phone carries manage to have a shop in every little strip mall, you're never more than a few miles from the nearest one. Google takes in far more revenue, can easily afford the same. Or they could even just partner with the phone carriers and have a staffed desk in every tmobile/at&t/verizon shop.
I recently had to go through the recovery flow for an admin account and it was wild. Despite Google manually unlocking the account and giving me a reset link, every login was forced to authenticate via SMS using the (removed) phone number. Luckily I was able to get a hold of it and get the code, but even after adding a TOTP and security key 2FA, further logins still required SMS.
It feels like the security team made this change to reduce account hijacking but it's at complete odds with the recovery flow and modern security practices. Better hope your phone number doesn't get hijacked or recycled because it's the key to your account now, security keys be damned.
Google enabled 2FA on my Gmail account without any prior notice. I have the username, password, recovery email, and all emails from the account are forwarded to my Fastmail, but I can't ever log into the account again because it is trying to do 2FA by SMS to a number I don't have.
I've tried everything to find someone inside Google to fix this, but so far no luck. At least with Meta you can find someone on a forum like Swapd who will take a small bribe to fix these issues.
Very similar situation. I could even see information being sent to the recovery email. So, when the time came to setup my business, I chose Zoho and avoid Google whenever possible.
My SO has identical situation. Identical. She still receives emails for this account because she set forwarding years ago, I still get notifications because I'm set as a recovery account, but without the phone she doesn't have for the last 15 years we have no way of logging in.
We have everything else but this alone is not enough.
You could try logging into Gmail just to the point before the SMS is sent, then phone the number you used to have and speak to the current owner. Apologize that you forgot to take the number off your account and so they are receiving text messages meant for you, but you would like to get one more message from them and they won't be bothered anymore. Then you will switch to a new number on your Gmail and they will not receive your messages. Many people will be happy to help a stranger if you are nice and polite to them.
The other option is to contact the phone company and explain, asking an open ended question if there is any way they could help you, with the permission of the current owner of the number, to get one more text message and move your Gmail to a new number. It doesn't sound in any way like you are trying to pull a scam, so they might help.
If you’re operating Google workspace without a well oiled Enterprise behind the scenes, a single admin account is a single point of failure.
I had this happen a couple years ago when I was migrating to a different domain. The only difference was all of the authentication that I supplied Google said was an adequate and I got into some sort of a login loop where Authenticator, SMS, DNS record nor pass key would provide enough authentication for me to get in.
I got the automated got bought to finally send me the mythical form, after completing that I was told that they were unable to authenticate me further. I ended up emailing their support multiple times and threatening lawsuits multiple times when I got a magic call from a human at Google. They also sent me the link that put me into a login loop however after chatting with them for nearly an hour I got a different magic login link form which appeared to work.
I can't believe I'm praising Microsoft (Office365) here but it actually has a track record of actually having support, support people that you can talk on the phone with and knows how to navigate the dark corners of their convoluted systems and actually solved my problems (even if it was caused by Microsoft's horrific UI in the first place).
An article here a couple of days ago said that the automation behind the scenes in Azure is piss poor and the whole thing is held together by thousands of contractors manually fixing the endless failures.
On the plus side, it does mean they have thousands of people who know how to fix problems.
At Google there is one guy who knows how to fix the problem.. he's a monk who is also in 700 different teams and the only one who remembers how the systems were built. You have to climb all the way up to his mountain abode, hope that he is home and pray that he will hear your cries and help you
Any painful automation story feels very different from their customer service. MS has always been superior to their competition with customer service - especially paid service contracts - because it's far closer to their identity: very long-term, tightly integrated enterprise. Google has never had this; even the idea of paying for support came very late (and reluctantly) to them.
> MS has always been superior to their competition with customer service - especially paid service contracts - because it's far closer to their identity: very long-term, tightly integrated enterprise. Google has never had this; even the idea of paying for support came very late (and reluctantly) to them.
If we're comparing cloud services, surely GCP has customer service? I can't imagine any big enterprise using it otherwise.
I tried to read it assuming the blog post author is a hacker. The hacker could have stolen an OTP device with DNS access, but couldn't steal for the phone number (so they removed it, there was no explanation why phone number is removed). And honestly, how else could they prove they are legit? What if they really are a hacker?
It would be cool if Google (and other media giants, especially IdP ones) had an office where you could bring your passport and verify it's you. I don't think there is.
I’d hate for the “government-name” verification to become a requirement, but I’ve long wished services would at least offer that as an optional add-on. For certain important accounts, I’d be eager to place my government identity on file with the company ahead of time.
The Americans have done something kind of interesting along those lines, as far as an in-person IDV option to establish e-government accounts [0]. You start account setup online, then take a barcode to a post office along with your identity documents.
I have to imagine it’s hard to make a commercial case for such a system, though… especially these days with so much momentum toward the approach I resent—that is, requiring ID checks just to be online in the first place.
Now try and read it assuming that instead of a screw up, this user was actually hacked. How do they recover?
Honestly, if you are using Gmail as your primary email I could probably ruin your entire year. I could just try and hack you (not even successfully) and Google will just shut down your entire life rather than attempt to work out who's right.
> I could just try and hack you (not even successfully) and Google will just shut down your entire life rather than attempt to work out who's right.
Had this happen to me. Fortunately the 'attacker' wasn't actually trying to do this, so damage was limited, but it's chilling when you think about what some motivated script kiddy can do with your Google account just by requesting password resets.
It is quite frankly ridiculous that you need to be in the "in-group" to get things like this resolved and it is not the first time this has been reported, be it Google or Meta or any other big tech corpo.
These players MUST be regulated or treated like utilities; hoping the EU will ratchet up the pressure even more.
Google's customer support is interesting. Its definitely a case where you'll sometimes hit pockets of the company where clearly there was someone who made it their life's work to fix this bad reputation they have; while other pockets make it clear that they deserve the reputation.
I had a Nest subscription that became a total mess. If you've ever tried to use Nest before, or are coming from a legacy Nest account, and/or also have a Workspace account that somehow got wrapped up in the mess, you'll understand how much of a clusterf Nest is for the Google ecosystem. I had signed up for this subscription on a personal Google account, cancelled it, but was still being charged for it, and the credit card being used made me think it was getting charged on my Google Workspace account (which isn't officially supported, and would never let you sign up for it, but DID share an email address with my legacy Nest account I had migrated into the non-Workspace personal account I was using for Nest).
They had to escalate the problem a couple times, which took ~24 hours. Once that happened, their rep had it resolved in minutes, and refunded me two months on the subscription.
The biggest piece of advice I can give when dealing with Google is: Never be weird. You cannot ever put yourself in a situation where your account isn't like the other billion accounts they have. If you do, something will go wrong and its rolling the dice on whether you'll ever reach someone who can help you. If you've used Google enough, you know: Their multifactor settings are weird. You cannot set it up exactly how you want; it'll always trigger some auth method you didn't configure but they have "LATENT KNOWLEDGE" you should be able to authenticate with, like a phone number you configured six years ago, or gmail installed on a tablet that's 400 miles away, and you can't turn it off, even on Workspace.
My favorite bit of Googleism: Go to any site you sign in with Google SSO and watch the URLs in the eight redirects it has to do before it signs you in. You'll see a "youtube.com" in there. Even on a Workspace account. Youtube.com is a load-bearing website in their core auth flows.
Mess of a company. I hope they invest some effort in improving things, but I was saying the same thing in 2018. They probably won't.
> like a phone number you configured six years ago
I've put in a heroic effort to make sure they never get a phone number, specifically so they can't start handing my account over to the first clown who simswaps me, and have been successful. Unfortunately, this makes my account weird, which as you noted is fatal.
> My favorite bit of Googleism: Go to any site you sign in with Google SSO and watch the URLs in the eight redirects it has to do before it signs you in. You'll see a "youtube.com" in there. Even on a Workspace account. Youtube.com is a load-bearing website in their core auth flows.
I assume that's just because they need to set a cookie on the YouTube domain in case you visit YouTube later on the workspace account, and not "load bearing"in the manner you insinuate
You do not hit YouTube directly. You hit Google's frontend server which then does internal routing. Likely it would be able to route around it. Or rather, the auth part of YouTube is not the same as all of the other parts of YouTube. For big tech companies like Google, a website is not one single binary that serves requests, but a ton of services handling different things (and some of those services being caching so it doesn't show things down as you might think). It is highly unlikely that the main services comprising YouTube as a video streaming site would bring down Google auth
Google needs to understand that watching this nightmare scenario play out over and over again is actively destroying trust in their platform. When your email, authentication, documents, payroll, and CRM all flow through a single provider and that provider can lock you out overnight with no meaningful recourse, you’ve invited customers to place their entire digital presence into a house of cards. The fact that this same story surfaces almost daily should be a wake up call to existing and prospective customers. Every unresolved lockout is one more reason to start planning an exit. Google has led the effort to lower the bar so much that it’s commonplace and somehow acceptable to ghost paying customers who youve locked out or even worse bounce them through a gauntlet of AI chat bots with the illusion that you are even aware of the damage you’ve caused.
Yeah, loss of a google account in certain cases can destroy entire small businesses and there's no recourse. In the old world we had extremely deep bodies of case law around utilities and commercial leases and road access, insurance and all kinds of things to make business operation legally predictable, but for the digital equivalent it's still the wild west and everyone just throws up their hands like its unavoidable.
Imagine being homeless, and your Gmail account is your online identity for what little financial presence you have, and how in the world can you recover from its loss?
On the surface it seems like it would be a good idea for all these users who were suspended to do a mass arbitration like what happened to Uber to get them to start taking it seriously, this comes up like monthly people getting account pulled up from under them and impacting business. Maybe there a legal differences or something
https://www.mbelr.org/mass-arbitration-how-ubers-own-alterna...
I don’t disagree, but the reality is SaaS is the model that most companies depend on and these risks exist everywhere.
If your business is dependent on services you need to take a modicum of effort to protect yourself - the posts author was literally walking around with his entire business at risk from him dropping his phone or having it pickpocketed.
At the end of the day, the protagonist in this story is mad because Google won’t allow him to social engineer access to his company. He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.
> He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.
Are we reading the same blog post? He had his password, 2FA authenticator set up, and backup codes -- everything Google asks you to have to be on the "golden" auth path.
He only deleted his SMS authentication path (one thing I don't understand is how he was able to do this in the first place without being logged in), which is in any case the least secure method of 2FA. Also, It should be fairly obvious that SMS is not expected to work seamlessly while traveling, how is this not a scenario that's hit by millions of Google users worldwide?
We’re hearing one side of the story from a frustrated user recounting a borderline traumatic and stressful event.
The SMS only fallback is when other things have failed and they suspect that there’s been a takeover. Microsoft does something similar to tie it to some tangible thing. I’m not excusing Google. Their exception handling is poor at best. I’ve seen issues at customers where phones left in flight get flagged because of GPS disruptions due to Middle East conflicts, for example. (Phones flagged as having been in Syria or Russia can be kryptonite) One scenario was a VIP whose kid was in Europe with their other parent and the VIP’s tablet, signed into work email.
Other factors apply too - there may be multiple accounts tied to the number that are in different locales, for example. No idea what obnoxious rules Australia and UK add as well.
Point is, this type of shit happens and you should have a contingency.
> Point is, this type of shit happens and you should have a contingency.
Let's work through what the contingency could have been. Always make sure you buy international roaming everywhere you go? Always be able to switch your MX records (from a provider whose account isn't tied to a Google-controlled email)?
They seem to get increasingly less practical to be honest. People travel all over the world everyday, this shit shouldn't be hard for a company like Google that supposedly ingests mountains of data.
More to the point, I think email has become sort of a fundamental right given how much of your identity depends on it. Companies that control this sort of identity foundation need to be heavily regulated, and perhaps nationalized.
Ok, sure man. In the meantime before the Lenin of our age appears…
In this case, don’t run around with a business account with a single user with admin privileges. Segregate privilege. Don’t share a phone number with other accounts. Don’t use SSO as the key to your business.
If you run a business you need to manage risk. If a customs officer thought he looked funny and seized the phone, he’d be boned as well.
> I removed my phone number from the account. I am travelling to the UK for a short period and did not want to have roaming on my Australian phone.
So for my own notes, removing a phone number from my Google account before travel will risk account suspension. Hope OP resolves it, but also need to make sure this never happens to me.
Instead of getting more dependant on Big Tech's AI products, I think the perfect use for AI is develop tools and workflows that decouple one from Big Tech.
I keep paying ElevenLabs for 3 years after some early AI agent project where I used it as my payment data is bound to a google account associated with a phone number that expired in the meantime. I thought adding the google authenticator to the account and switching to it as a secondary authentication method from the phone number would allow me to cancel the subscription, but for some reason Google insists I verify using the expired phone number...
> On Saturday, April 4, at 5:06 AM, I received a notification saying my authenticator had been removed. It hadn’t. The authenticator was still active on my phone - it was the recovery phone I had removed. Google apparently conflated the two.
This is a massive bug here. I was also surprised recently that Google won't let you enroll multiple Authenticators. If we had functional security regulations I think there would be some pretty large fines for Google's error here.
This is why I do full Google Takeout every 2 months and have my own domain with Workspace. I don't rely on cloud file storage. The calendar is important, but I could switch easily.
IMO, the worst part of this is Workspace support is immune to ANY explanation. I mean, credit card companies are well used to "is this your transaction?" emails.
I guess one way to protect yourself from this would be to use another IAM solution for SSO login to Google Workspace, but is there any reasonable choice for small businesses other than Entra ID or Okta?
I was a long time k8s skeptical, but I think it's solid now. If there's good support for keycloak for k8s with support for backups I wouldn't think twice.
Not sure the state of keycloak now, but it was a lot of work to manage keycloak configs with the IaC pipeline. That could have gotten better now, but I think having access to the data is important because migration might not be trivial if for instance a provider starts acting up.
Instead of Keycloak, I would recommend giving Kanidm a try: It's much more lightweight and covers most of what you usually need (one notable exception being SAML).
These kind of stories led me to explore de-googling my digital life. And honestly its been a fun journey and given meaning and purpose to my homelab. 100% recommend. Own your digital life, run local, reclaim the web.
Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.
In my experience Google Workspave support is very good. I’ve always been able to get a knowledgeable person on a call to debug issues without much difficulty.
But yea, if you’re locked out of your admin account, that’s another story. Very sjmilar to if you get locked out of your AWS root account. It’s a nightmare to recover.
> Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.
It sounds like the mistake here is not appointing another Super Admin, and making sure they don't use their account for day to day needs. Or just having two Super Admin accounts controlled by the same person, heh.
I can't see how not using one's Super Admin account wouldn't prevent tripping some kind of fraud lockout that's impossible to recover from.
Randomly, I just remembered that I lost a GCP account because I tried logging in from Laos, and they asked me for the front and back photos of a payment card that I used ages ago that I didn't bother making scans of before it was lost. Urgh.
Make a primary super admin (admin@ whatever) and only log into it for admin purposes. Make an actual user (you@) for day to day line of business work. This has the benefit of making some categories of spear phishing and xsrf attacks harder if the account that gets compromised doesn't have root.
It doesn't address this thread's concern that a single Super Admin could be locked out with no recourse, since Google's customer support is horrendously bad.
So you're saying for a simple setup of 1 user, you really need to pay for 2 users. The admin account and the real user you want to use, which doubles the cost.
Just had to fix an AWS account lock out this morning. Why? Despite having a $0 balance and payment info on file, until I set a budget (a new feature per their UI), all of my Cloudfront-hosted files were just unavailable on my business' site (I Cloudfront all static assets so all images, fonts, etc were just broken all of a sudden).
These are the limits of scale. Too big, too complex, and not enough skilled people to maintain and/or support it. And our hubris as humans prevents us from accepting it. Why? Why can't we accept smaller but more functional things/systems?
I mean, you can do that already, you use your own domain name and can then change email providers at will, in theory.
But maybe you logged in to your domain registrar through google oauth. If your google account is locked you can't now get into your domain's settings to change your MX records.
The real problem isn't the email address itself, it's all the access that google owns on your behalf. Lose access to Google, lose access to everything.
I discovered this same issue, you are required to have a phone their auth system is bugged me.
I just set up google workspace and I didn't have recovery phone or anything,just password and recovery email.
I didn't login for 1 week (life stuff). When I came back it allowed me to login but didn't allow any admin stuff saying it didn't recognize me and that I must use a known browser.
Well, that was the only browser I logged in with.
The solution was a weird thing where I was able to add phone recovery and authenticator, but then had to wait 2 weeks (couldn't use it). After that I performed authentication as usual.
Been there done that, none of it works, till this date my YouTube account is suspended and they can't do a thing about it.
Google Drive & Workspace are their most poorly designed products with the shittiest support ecosystem. Google would rather bleed money than work on it.
That's one of reason I started DoShare Personal Cloud[₁]
Run your own email server, and give Google the middle finger. Letting Google own your email, and freely spy on your communications is insane. I think this incident clearly demonstrates that you cannot leave critical infrastructure like this in the hands of a third party.
This story is the typical "got banned, complained on HN, only then did Google see fit to actually help me" however I'm surprised that before this was posted he WAS able to actually talk to someone from Google on the phone.
I legitimately thought that was impossible, so, uh, baby steps?
The 40+ hour window with no human contact is the part that hurts most. Small things that would be fixable with a 5-minute call compound fast when payroll is missing. Do team members still have access to their individual accounts during the suspension, or is everyone locked out?
It's quite entertaining to read - most of the article is pretty much elaborating a chain of bad decisions by the author which all lead to this now being a big problem. If he'd have written a similar dependency tree earlier and just thought about it for a few minutes that should've been avoidable.
> Update 1 - I know I can simply change the MX record to someone else but It has its own challenges.
I don't quite get that attitude. He's describing that he needs his business emails. Not just getting a mail server back online for that, even as interim solution, points to the opposite. In the time it takes for MX TTL to expire he could easily just throw up a postfix+dovecot on some VPS, with enough time to spare to add something like sogo if he feels fancy.
That's what I didn't get either. And you don't even need to configure a VPS, there's Fastmail, Protonmail, Zoho, Kolabnow, Purely mail, Migadu and so much more.
Why victim blame him for removing the phone number? He had a logical reason for doing so, and with Google supporting many forms of authentication it's perfectly reasonable to think that removing one wouldn't jeopardize the other methods.
I was a bit worried when I saw the title of the article because I have one of these accounts but geez he made some bad choices. Deleting all phone numbers and the recovery and swapping to a new authentication method and then accessing from a different country??? No wonder it got flagged.
I probably wouldn't believe him either. Google should have an option to revert to the last trusted config after some verification method. Google support is bad, I'll give him that.
All this to avoid roaming charges? And then refusing to share a personal email in this scenario and missing meetings because of that.
I'd argue that changing the MX to fastmail or Microsoft would be much faster than a postfix+dovecot solution on a VPS but I think he's just refusing any solution based on his principals.
The full text of Google's slogan is: Don't be evil (to customers that click ads from which our largest income share comes but not to developers who in the future might be our competitors).
It's just too long to fit on a T-shirt but not to memorise.
Changing your account recovery and 2FA settings then immediately trying to recover your account from an unusual country should temporarily lock out your account, every time, and this is what all normal users want.
Recently I cleaned up a SMB client's Workspace users after archiving their data (former employee accounts that had been languishing). In the space of a day or two I did the following for half the ~20 total accounts:
- Moved to no 2FA sub-organization
- Reset password
- Disabled security check for ten minutes
- Logged in as the user in a fresh browser profile
- Exported data with Takeout
- Deleted the account in the admin console
I fully expected to hit some kind of roadblock or delay or for alarm bells to go off for the other admins, but nope, I literally "absconded" with hundreds of gigabytes of data and nuked half the org in short order.
There is a Workspace Admin option to export users' data but it warns of an automatic 48 hour delay to let "other admins take action" if something is amiss. The client wanted the task done before getting hit with the full monthly license fees again so I had to go the manual route.
Granted, out of paranoia, I was using the client's office VPN as my traffic egress so maybe that helped.
At least he owns his own domain and can eventually switch over. A few years ago we decided to switch our personal emails from gmail accounts to domains we own (though the email is still handled by google.) This way if we ever lose our google account, we can switch the MX and be able to get all our recovery emails, bank second factors, password recoveries, etc.
They could switch their domain to another email provider and start getting emails, which is great. The problem though, is they also used their Google Account to log in to all the 3rd party services (payroll). I have no idea how you would get back into those services. Some _might_ let you switch off the Google Sign-in SSO, but I imagine that is a headache.
This occurs to dozens, hundreds, maybe even thousands of people on a daily basis. It happened to me many years ago. This is your opportunity to escape, instead you cry out here for attention. How pathetic
"Despite repeatedly explaining this, they ignored my assertions and continue to hold my email hostage."
Well, you have become the product here. That also happens by other "free" email providers too. I had this happen to me on inbox.lt; the guy demanded I use a smartphone to "prove" my identity. At that point I realised they want to connect this data to the account and sell it to others who are interested in that.
Because his honest and accurate diagnosis for why mega tech corps treat people inhumanely is the first step towards stopping it. In my opinion of course.
Microsoft 365 is a reasonable alternative. It's easy to buy and even tiny Customers can get a degree of real human (read: tier 1 is unhelpful contractors that you have to fight thru) support.
It's still repugnant to me, as compared to self-hosting, but I would never self-host for a greenfield SMB Customer today. The economics don't make sense and the talent pool of knowledgeable and reasonable sysadmins is dwindling by the day. (I wouldn't want to make a Customer so beholden to me if they were willing to pay for it.)
I miss being able to spin-up an on-prem email server on a box with reasonable hardware redundancy, some external USB disks to rotate for off-site backup, a UPS, a couple consumer-grade "business class" Internet connections, and a contracted "backup MX" to catch email in the event of an outage. It was a good enough for a lot of small SMBs who had a physical office, and was cheap.
The economics make perfect sense once "30 days of a suspended business email with no timely recourse" shows up as a line item. That USB disk and a UPS is looking pretty cheap right about now.
OP really should be moving the MX somewhere else and going into disaster contingency mode. It sucks, but there's a level of survival there they should be willing to accept, at least temporarily.
It's not. Support is about on par with Google for SMBs. I had a client get locked out of the admin panel for about 2 weeks before getting through with support.
The difference is that everyone's account kept working during that time so business kept on as usual, just the admins couldn't change anything.
The sad thing is I don't think anyone did anything unusual and it was some kind of bug of Microsoft's end.
Good to know. I'm only dealing with 7 M365 tenants regularly and we have "break glass" accounts in each one (not tied to Customer's SSO, MFA unrelated to other admins, email address outside the tenant) to try to minimize the possibility of getting locked out, but I know it's always a possibility.
Moving the MX for the domain and limping along from backups is my worst-case contingency but given that there's no place other than M365 to restore the backups to it isn't a very good strategy.
OP triggered every possible red flags for suspicious account takeover in Google systems: deleting his recovery phone number, moving to another country and cellular provider. And then he gets surprised that the account is in 30 day cool down period??? I don't understand people sometimes.
They didn't willfully delete their recovery phone number. They tried to delete a shitty, known-broken 2FA mechanism after they had set up passkeys. Poor UX conflated the two things, so their recovery phone number ended up being deleted. This is 100% on Google.
Why the fuck would Google care in which country I live? It's a personal decision, and no corporation should have any say in this. They certainly don't have to flag an account for that, especially not if the account has 2FA enabled. This is on Google, too.
The problem is the rapid succession of changes to recovery phone number, country, cellular provider. There is no way to differentiate, at scale, between an account takeover currently in progress that needs to be stopped immediately to minimize damage, and a legit user deciding to change all his personal info at once.
30 day cool down period is a reasonable response, at scale.
Of course you can keep your provider. It's called roaming, per OP story: "I am travelling to the UK and did not want to have *roaming* on my Australian phone."
For cheaper rates than roaming, typically you install a secondary eSIM for the country you're traveling. 99% modern phones support dual SIM for this reason
I think Google has done some cool stuff, and I think in a lot of ways they're, at least historically, one of the less evil big tech players.
I gotta say, though, that my experience with trying to get them to sort out any kind of issue with their services makes me reluctant to spend any money with them.
I bought a Pixel phone. As per the sales terms, the phone came with one year of Gemini AI Pro service. Except, the redemption process to get the year of service didn't work for me. I contacted Google, they never fixed it or offered any solution. I simply didn't get the year of service I was promised.
My friend, who bought a Pixel around the same time, also wasn't able to get the year of Gemini they were promised.
That same friend has a Google One subscription, billed through their phone carrier. Recently, Google (or the provider?) discontinued that specific Google One plan, as well as the option to bill via your carrier. This was all covered in an email sent to my friend. As consolation, the email explained, my friend was given the option to switch to a different plan, billed monthly by Google (instead of their phone carrier), with 6 months free. Except, the new plan, and the 6 months free, wasn't selectable as a plan type for their account. So my friend emails Google about it and, to my complete lack of surprise, Google was unwilling/unable to provide any resolution.
At this point, I legitimately don't understand why, unless I had no other option, I would pick Google for services. They clearly put no real effort into resolving any service issues for any customer that's not spending millions with them.
I agree with your sentiment, but I wanted to call out that they've always been just as evil as other big tech companies.
I think their motto of "don't be evil" was some pretty clever PR.
I started questioning it c. 2008 when they ghosted me on resolving an issue with my blogspot site that was a bug in the platform. All I could get was a condescending non-response from a "diamond" volunteer on a forum. They were apparently the gatekeepers to reaching actual support.
They weren't always evil, not in my opinion.
Back in the day they bought Feedburner, and merged it with their internal equivalent. In that process, my subscriber list was affected. They apologized and even sent out some swag. That was nice, for a small inconvenience at the time.
Today? humans don't even seem to be involved.
I definitely don't think they've ever been super nice, but I still they still have a few much more user-friendly approaches than others. E.g., one of the reasons I bought a Pixel is that Google is one of the only phone makers that manages to have respectable security practices and still respects users enough support them choosing to modify the software on their devices and run alternate operating systems.
Disagree. Even with their issues, they're still less evil than MS, Apple and especially Oracle or Meta.
If they didn't have all their issues (discontinuing products, bad customer service) they'd probably be bigger than MS and Apple combined. But here we are.
Also for better or worse, I pay for bundled Google storage + Gemini and YouTube separately, it's still worth it, even without free months or whatever. And still better than being in MS or Apple's ecosystem.
> it's still worth it, even without free months or whatever
Until you go of the rails of their processes and have your account closed with no recourse.
Sometimes I worry about this but everytime I see an example of it I feel better (because most examples involve the person doing weird things).
> most examples involve the person doing weird things
That doesn't make any sense. There are still plenty of people who are not doing weird things and getting screwed over.
Google fanboys have always fallen for their "don't be evil" nonsense, and it looks like they still are even after it was changed.
The least evil giant might be Yahoo!, although nowadays no one uses their service due to their inability product and tech.
I think their "Don't be evil" was pretty close to the truth, as much as it can be for large corporations, until around the time Google purchased DoubleClick. That was in 2008, so that seems to match your experience.
Well, the actual phrase came from an engineer.
Also, the executives 'retired' the official 'Don't be evil' slogan some time ago. I guess they didn't want to be limited. Seems fitting to the suits.
The finance people and mgmt consultants took over the company from the engineers a while ago.
Sounds a lot like Cloudflare at the moment.
Same. Purchased Pixel 9 Pro XL, didn't get my year of Gemini or Google One, technical missuport couldn't be bothered circling between all the investigation steps I did and re-did already and tej "fixes" that have been verified ate not fixing anything.
"Support" agents couldn't be bothered - this feels like AI trapping me in the tarpit maze to save a few USD on the disk storage and infefence cost, effectively scamming me.
Sounds more like a question why there isn't a class action and deregulation push against them.
People really fail to unionize when they can just piss in the wind.
> I contacted Google, they never fixed it or offered any solution. I simply didn't get the year of service I was promised.
Contract violation. The problem is it's simply too burdensome to go to small claims court.
If you do, it's also possible they ban your personal account
Anyone have an idea whether it would be practical to go to small claims court? I'm curious if this is a path consumers can take if a corporation breaks an agreement?
You'd have to go in the same jurisdiction as they're incorporated. I think (IANAL).
I think a service chasing google around in courts for disputes would do quite well.
That's most likely Ireland for UK customers, which has a similar small claims court system.
Depends on your jurisdiction, of course. (I am not a lawyer and this is not legal advice, merely my impressions). In the UK this would likely be worth it if the injury is a specified financial amount. So for people who have paid for something and simply not got it, a small claims court is a good bet for getting a refund. A lot of the time however, the injury is in the consequences of relying on one of these companies services, and having it withdrawn without notice, as in the OP. Usually, you want service restored, as that is in fact the least costly action for both sides. But small claims courts (in the UK) do not make that kind of order. In theory you could sue for the financial consequences of the abrupt withdrawal, but I'd guess that's too complicated for a small claim.
> ... my experience with trying to get them to sort out any kind of issue with their services makes me reluctant to spend any money with them.
When you pay for Google Workspace you are the client, not the customer and they do answer phone calls for support. The only two times my wife and I needed them for our SMEs, they picked up the phone and helped us resolve our issues. Super professional too. Haven't needed to give them a call in something like 8 years now.
Don't know about Pixel phone and Google One subscriptions but for SMEs Google Workspace is a godsend: it's incredibly cheap per employee and it's the way out of the Microsoft mediocrity. Everything only requires a browser, no matter the OS (wife works from Linux and now added a Mac Mini, for example): Windows can, at long last, get the middle finger in SMEs.
I'll forever be thankful to Google for allowing me to help many people get rid of Microsoft products, including Windows.
It took me 13 years to get them to unban my adsense account. To this day I still have no idea what happened and have assumed it was a competitor sending fake clicks or something.
> I think Google has done some cool stuff, and I think in a lot of ways they're, at least historically, one of the less evil big tech players.
It's been a decade since Google broke their promise not to use information gleaned from your use of their services to sell ads.
> Google quietly erased that last privacy line in the sand — literally crossing out the lines in its privacy policy that promised to keep the two pots of data separate by default. In its place, Google substituted new language that says browsing habits “may be” combined with what the company learns from the use Gmail and other tools.
https://psmag.com/news/googles-broken-privacy-promise/
Protonmail is the solution, or hosting your own email server but that one is more complex.
unfortunately hosting your own email server is nearly impossible if you want reliable delivery. If you don't care about being put in the spam box then it can work.
They sold me a Pixel phone with a broken battery (I think 6a? Where the battery fails after 400 charging cycles). I got an email and the offer to just get 100$ in cash from them instead of sending my phone away to get it fixed. I never received the money after filling out all the forms. Fuck google.
My pixel 7 battery was dreadful, and despite it being promised to come with 3 months of YouTube premium and Music I didn't successfully redeem either.
I admit once it didn't work I didn't reach out to support but the entire experience was shit sandwich after shit sandwich.
I had to disable 5G on my pixel 8 to get decent battery life
>I bought a Pixel phone. As per the sales terms, the phone came with one year of Gemini AI Pro service. Except, the redemption process to get the year of service didn't work for me. I contacted Google, they never fixed it or offered any solution. I simply didn't get the year of service I was promised.
I fixed this by deleting the subscription data for Google One (which also refunded me a prorated amount for my Google One plan), and then waiting a day.
It's been [0] days since the last "Cloud provider banned me and I lost everything" article.
Everyone who depends on the good graces of a cloud provider for something (not just Google, but Amazon, Microsoft, Apple, whatever) needs to at the very least, take a moment, and figure out what their plan is when they are suddenly banned and locked out permanently, without any way to contact the company.
Does life just go on, since you don't have anything important hosted there? (Best Case)
Do you lose some precious family photos and use it as a tough learning opportunity to stop doing what you're doing? (Next best)
Do you lose access to your E-mail and are suddenly not able to do 2FA, reset passwords, communicate with the company or the Internet in any way, and so on, and now have to panic?
Do you complain online, hoping that someone in the company sees your post and has the ability to restore your account, which you then continue to use because you learned nothing?
Having an online account suddenly suspended is a real, non-zero, but unlikely risk. You should at least have a disaster plan if you rely on these things for anything important. Or better yet, stop relying on them for important things like your identity or precious files!
> Everyone who depends on the good graces of a cloud provider for something (not just Google, but Amazon, Microsoft, Apple, whatever) needs to at the very least, take a moment, and figure out what their plan is when they are suddenly banned and locked out permanently, without any way to contact the company.
This is one of the most common sentiments I hear expressed on HN, next only to "if you're not building your software business around Claude Code, you're gonna left behind".
"A guy on HN told me one time, 'Don't let yourself get attached to any cloud services you are not willing to walk out on in 30 seconds flat if you feel the heat around the corner.'" -- Robert de Niro
To me, the action is the juice.
google is worst because normal people with no tech experience can accidentally get banned from the only email account they ever had since 2005 which has all their insurance tax resumes family photo etc , never even understand how it happened , or fix it
I'm one such person among the billions worldwide, that is a minority on this forum.
> It's been [0] days since the "business I contract with to provide services locked me out of the building we rent, ghosted me, and threw all my shit out" article.
We really need to just fix the laws.
> We really need to just fix the laws.
This. There are something like 150 million Americans with a Google account, and these days it is more important than a phone number to have a working email.
Email is a utility. Email companies should be heavily regulated and controlled like phone or other utility companies.
I don't know if I agree it should be regulated like a utility, however I believe contracts and suspensions should require more work than a click of a button.
The ease of suspend isn’t the problem here. It’s that there is functionally no recourse once the suspension happens, justified or not.
The only people who seem to get un-suspended are the ones who can generate news media outrage or who can call their friend who is a director/exec at the company. (Obviously this intuition is flawed, but it’s hurting the reputations of these SaaS providers.)
> it’s hurting the reputations of these SaaS providers
It's not hurting them enough. Hence the regulation is needed.
Americans need a government issued digital signing token to prove their identity digitally. There are a lot of services demanding ID verification these days and use a 3rd party to process driver's licenses and faces. It's super inefficient, full of friction, and probably unregulated (dodgy).
Someone claiming to work for the US Digital Services replied to me here years ago that this was being worked on in relation to the easily compromised SSN but I'd say all bets are off on a consumer friendly government service like that now.
In the case of Google Workspace for our company, I'm using Cubebackup[1]. I've been going through the disaster recovery exercises lately, and thinking about what I've been calling "external backups", which are backups of a service that are stored and restorable outside that service.
It can be surprisingly difficult with a lot of SaaS products (including Google).
[1] https://www.cubebackup.com/
Yeah. And every time I see a new "cloud provider banned me and I lost everything" article (i.e: every few days), I always just want to ask the same question(s):
"I'm sure it's very sad that you've lost all your [email|calendar|photos|whatever]... but, were you, a person who has chosen to rely on a service provided by a cloud provider with a track record which goes back well over 15 years of locking people out of their accounts with no recourse for the user, not aware that said provider has a track record of doing so, in some cases without even giving an explanation why?
Were you not aware that the service you were relying on them for was critically important to you? Or were you unaware that the provider of this service has the capability to completely disable the service you're relying on with the simple flip of a switch?
I'm fascinated by this decision you've made - could you please explain the thought process by which you chose to use this service which you have no control over for critical things?"
Come now, are those really the rhetorical questions you'd fling at your Aunt Tillie panicking on the phone, because she can't email anybody or renew her important drug prescriptions or whatever?
Most people expect better because in most other walks of life it is better with some kind of plausible appeal route, and the deficiencies we're discussing don't really get publicized. These service-outcomes are the outliers in need of repair, not the consumers.
No - I'd be much less sympathetic to my aunt, because if she's panicking on the phone about not being able to email anyone, that means she's a) ignored my advice and rants for 20+ years and then b) had the gall to call me up to try to have me fix the problem that she created by ignoring me for 20+ years.
But I'm not actually really talking about regular people losing their personal email where they happen to keep a few sort-of important things that are relatively-easily replaced/transferred into a safer system. Those people I can sort-of understand, and don't really need to ask my questions - the answer is simple: "I never thought about it until now".
But aunt Tillie doesn't call herself an "entrepreneur" and doesn't rely on the existence of her gmail account for the survival of a business, and she especially doesn't have a blog where she whinges about the fact she did that.
I'm talking about people who should know better, who should be smart and considering things like "what are the existential threats to this business I'm trying to run?", who use gmail for vital business functions like payroll, and who tie their auth for everything else to their google (or whatever other shitty cloud service) accounts.
Yeah I'm afraid I'm going to have to challenge this assertion - I've seen variations on this article about ten thousand times. The post I was replying to was pointing out that they've also seen this article about ten thousand times. The vast majority of people that I have mentioned this problem to (and I do that a lot!) have responded with "oh, yeah, I've heard about that happening to people".
And another thing: my questions are not rhetorical. I am genuinely curious about the thought process that leads to these decisions. See, I didn't actually have to see this article even once - what I did was I gave it about 10 seconds thought, and came to the conclusion that relying on unaccountable third parties for mission-critical business infrastructure is an existential risk. This all seems very obvious and straightforward to me. Perhaps I'm some kind of super genius? I'm doubtful about that.
It's both. I agree that there should be some recourse. Show me a thing I can sign to bring in a law requiring all companies to post a phone number where a user can speak to a human and I'll sign it and have everybody I know sign it too.
But if you're not giving any thought to who controls your vital data and you lose it as a result of that, that's at least 50% your fault.
If a service offers "Login with Google/Apple/Facebook/etc" you should never do that if they offer a username/password. It just increases the single point of failure. Avoid places that only offer the "Login with Foo" if at all possible (looking at you Tailscale).
As an ex-googler, the only reason I was comfortable keeping even my personal email there was because I could reach out internally if there was a problem. I left Google, and left gmail behind too.
> Avoid places that only offer the "Login with Foo" if at all possible (looking at you Tailscale).
Tailscale is the only serious company that I can ever recall offering /only/ third party login. It's bit bizarre on the face of it. Anyone know the reason?
Curious isn't it, especially as it's such a bad fit for their product - authenticating with GitHub in order to ssh made the whole thing so much more painful than it needed to be. I subsequently tried switching to using a passkey when that became an option, but it's not possible to make the passkey user the owner of a tailnet created by a GitHub org user, so I'm stuck with two users in my Tailscale and can't delete the GitHub org user. It's the main thing that keeps me looking for a reliable alternative to Tailscale.
ZeroTier. It works well for me. I chose it over Tailscale because it doesn't require a third party for login.
I think I read somewhere (but could be wrong) that it was because they didn’t want to own any “authentication” services. Their infrastructure was zero trust (as in they don’t hold any passwords or private keys), just a discovery server for different devices.
My other annoyance lately is companies that don't let you set a password. It's either passkey only (which I'm not sold on, yet), or "we'll email you a login link". Great, now I have to wait for the email to show up, click the link, hope it doesn't expire if I get distracted while waiting, and then also delete your emails, sometimes multiple times a day?
What a shit tier authentication mechanism.
I despise this. Slack keeps doing this even though I have a password and 2FA configured.
Vercel won't even let you set a password.
"Sign-in methods: Email, passkey, Google account, Apple account, GitHub, GitLab, Bitbucket".
Perhaps they are not a serious company after all?
Is Tailscale really a serious company?
I use my own OIDC connection to Tailscale. I don't use a third party for login. It's not hard to set up.
Spotify did this for years in the beginning too. I remember this was the reason I didn’t use them until they proposed email logins.
Tailscale offers custom SSO for free
Shouldn't a service that may be the only way of remotely accessing your devices be ... independent of a 3rd party authentication service?
Passkey auth is also available as a first-class option.
One of the other articles on HN's front page right now, is that Germany's implementation of eIDAS will require a Google or Apple account.
I genuinely feel like there is something happening where hackernews articles come in bunch/reference-to-each-other :]
So one of the comments on one hackernews post on front-page almost somehow always refer to something within a hackernews post on the same front-page. I have seen this witnessed too many times that it might be time to name this phenomenon.
people see one article reach the front page and it reminds them of another article and they post that one too. cycle repeats.
For those like who who've never heard of eIDAS: https://en.wikipedia.org/wiki/EIDAS
We offer Login with Google and Login with Facebook on our apps. The fun part is both FB and Google started blocking Selenium and any other automated agents from logging in. So basically there's no way to run end to end tests that confirm the login flows using FB or Google, which have wrinkles that our normal login doesn't hit.
> We offer Login with Google and Login with Facebook on our apps.
This has the nefarious side effect of allowing Google or Facebook to track people across the Internet and apps. Webmasters like you are, often for no imperative reason, complicit of this by providing such login options.
“For no imperative reason”
App developers have repeatedly stated that offering those options increases user account creation. There is lower friction to using “login with <big tech>” than to create username/password creation flow. My guess is that most of the world hasn’t figured out a password manager workflow that works for them (or they aren’t willing to pay for it).
This is an issue that regulators need to address. Asking small businesses to forego the significant impact on their business of not implementing common features that users demand is not a good solution to public policy failures.
I don’t know what the exact revenue/growth difference is, but if my paycheque depended upon getting more users to sign up, I don’t think I could justify making it into a political stance when Google isn’t going to notice my tiny boycott.
I work for a university. It came down as a requirement from above because our most important users are older (rich) donors who struggle with even basic login.
Dealing with Google is a nightmare. I'm one of the volunteer sysadmins for https://forum.buildhub.org.uk/, a DIY and self-build forum. For 10 years it ranked very well on Google, particularly in the UK, and then on 28 December 2025 it disappeared from Google's index.
Nothing has helped, the Google forums are tumbleweed and there's no one to reach out to for what could be an algorithm change or something gone wrong. I'm a paying Workspace customer and it's made me think I need a backup plan in case I'm ever suspended. Reports like this don't encourage.
> Nothing has helped, the Google forums are tumbleweed and there's no one to reach out to for what could be an algorithm change or something gone wrong.
The own-brand forum (Google, Microsoft, Apple) seem to be infested by netizens from lower-income countries trying to build online customer support portfolios by providing utterly useless answers.
That, or trying to game the system and getting shortlisted for a free trip to Google HQ for one of their contributor summits.
I am genuinely curious if anybody knows of a non-trivial problem being solved on one of these forums, at least for a huge company that’s palming off customer support. It just feels like screaming in to the void, only for someone to (deliberately?) misinterpret your question and give you some generic advice.
It depends on what you call "non-trivial". I found answers on how to circumvent dumb macos bugs on Apple forums at least twice in the last 6 months. One related to displays, I was about to return a new USB-C monitor which wouldn't turn on. A silly issue, but it's a bug on my book, I wouldn't find the answer on the docs.
That counts! I suppose I’m lucky enough to know of more reliable resources (macadmins.org Slack is an excellent community), and so I turn to them after reading more than a couple of threads on the Apple Support Community. Perhaps it has improved or I never dig deep enough.
I’d be at a complete loss for any obscure Windows issue though.
Every suggestion when encountering a Windows OS bug is "run sfc /scannow" - has this ever solved a problem for anyone?
Once upon a time at Google: The year was 2013, and I'd been selected to be among the first 8,000 people to get Google Glass. I had to go to Google HQ in NYC from my home in Virginia to get it and be instructed 1:1 on how to use it. I was given a toll-free phone number to call for support by a Glass expert, available 24/7/365.
Not only did they answer immediately whenever I had even the smallest problem or question: I twice broke my Glass, and each time I'd call the support number to ask for a replacement.
Google's policy was that no matter how you broke it or how many times it happened, they'd replace it free. They'd immediately send a box to return the broken device (prepaid) and a couple days later a brand new Glass would arrive.
Like I said, once upon a time....
The thing here is the 8.000 Glass early adopters vs the hundred-millions (billions maybe?) of Google workspace users.
It's not the same league, not even the same sport.
PS: Not defending Google here, their support for some products is abysmal
You are correct. I agree 100%. It's easy to be great when it's on a tiny scale.
Billions in profit may unblock scaling customer support beyond scrappy startup minimums
However (and I loathe this logic) if you can get the marketplace to accept that minimal level, and the brand harm is inconsequential, why not pocket the savings
Those are not matter-of-fact saving, but rather significant savings
> and the brand harm is inconsequential
That's the thing though. Google have destroyed their brand through these kinds of actions, over many years.
You were a volunteer employee. The very least they could do is make sure you can keep doing the job.
I think organizations have a very hard time staying motivated once the product’s concern has moved away from any one team. While you test the product for them there’s likely people whose jobs depended on you and 7999 others doing so. But eventually a product will be considered shipped and all the various talent now pays attention to what’s next.
Well put.
> Google's policy was that no matter how you broke it or how many times it happened, they'd replace it free.
Yes, because they were using you to figure out where it needed improvements for every day wear and tear. It wasn't charitable, it was R&D expense.
True. I loved my Glass, it was amazing.
Still remember the excitement I felt when I saw this Google Glass concept video in 2012: https://youtu.be/5R1snVxGNVs?si=sVS7wzZ8jYH-oGMM
How about this real-life Glass video I made in 2013 a month after I got mine; forty minutes long, recording the entirely of a 5K race!
https://youtu.be/Pu8HTrXI84g?si=puSZt5fYbR69yslo
Very nostalgic, thx for sharing!
That's fascinating. The stabilization is surprisingly good. And there's a kind of out-of-focus pulsing that happens to the video periodically. I'm wondering if that might be your pulse against the Glass, abruptly moving the Glass in a way that its stabilization couldn't compensate for.
I bought the Google 3-pod wifi system when it first came out. There was an 844 number for support on the back. I remember calling it when I didn't understand something and got an instant pickup by support staff.
With this comment in mind, I just now called that same number with an instant pickup telling me they no longer take support calls at that number.
Yep, monopolistic loss leaders can feel great when they're showering you with expensive marketing, right up until they reliably pull the rug in an effort to screw everyone or recoup their losses.
It was only a few years ago that they offered all of their Stadia subscribers a full refund for every dollar they ever spent on the platform. By this point their reputation for customer service was well and truly known, but colour me surprised when I received a not insignificant sum credited to my bank account from Google.
I saw it mentioned in a comment elsewhere in this thread, but the level of service you get really seems dependant on which pocket of Google is responsible for the product you happen to be using. Unfortunately Workspace is a giant pocket with many billions of users with suboptimal and/or perpetually exhausted support.
This should be illegal. Megacorps eat more and more of our life and regular people are increasingly at mercy of these hostile entities. They should be pushed more against. If we can't have proper anti monopoly splits like AT&T, then at least ways to prevent them exerting too much power are long due. If you provide an essential service, responsibility should match that.
Excreting power. What an awesome mental image.
“Exerting” would be more correct I guess but less fun.
Funny because I have dyslexia and read excreting power as exerting power, and then had to read your "Exerting" underneath 4 times to understand the mistake. I guess it's the phonics, dyslexia is so weird tho, ha.
Hey do you have certain fonts that are better? I was working with a dyslexic student last week trying to find fonts that work better for his online classes. All the research pointed towards a handful that didn't seem to really improve processing for the student.
They tried all sorts with me in school, I seem to recall it's related to trying to add shadow to hint to the brain the direction the letter should be etc. I found it more annoying than helpful. Probably a very unpopular opinion but I think teaching someone with dyslexia to read and write neurotypically is probably unhelpful and finding audio visual learning methods is a considerably better way to have them retain knowledge. I think you can get to a basic level of competency but speed and recall, at least with me, never really came. One thing I found once that was cool was an app that present each word at a time only in the center of the screen, but it felt extremely mechanical I was so focused on the words once I was done there was basically no meaning left if that makes sense. I'm autistic with dyscalculia also, FWIW. I mostly think in sounds, pictures and movies, for whatever reason my brain doesn't have a great framework for symbols that don't have those things inherently attached to them. ¯\_(ツ)_/¯
Was this one of the font's they tried?
https://opendyslexic.org
Yes, there needs to be a government public service counter where you can go with all your BigTech issues and complaints.
This is one of the goals of the digital services act.
The EU isn't as bad as some Americans want to believe.
They aren't perfect but at least they try. All our government does is bomb brown people and cut taxes for the wealthy.
The EU’s heart is in the right place, which can only rarely be said of the US.
But the EU’s approach is often backwards. When product managers have to ask the government if it’s ok to ship a feature, something is wrong. When the government responds that it can’t say in advance, you’ll just have to ship and see if you get fined, something is really seriously broken.
If a company is about to produce millions of physical products, I think it is quite ok if they first check with the government to see if that is a good idea.
Same with social media features that are rolled out to millions of users.
This is about Digital Services Act, not physical products.
If the EU was prepared to give advance permission, that would make sense. It would be slow ("Hey we want to rename 'username' to 'login'" -> "we'll get back to you in a couple of months"), but it would make sense.
But, if you'll re-read my comment, my complaint is that the EU will not pre-clear features. They will only punish after the fact if they decide it was a bad feature.
And that's even assuming you're correct that the bureaucrats themselves know what is a good idea. Which I'm skeptical of. I think they're more likely to be correct than, say, Facebook... but that's a pretty low bar.
There needs to be a law that every cloud-based service which has accounts for more than (say) 1% of population, must have a physical service counter presence in every major town staffed by an employee who must be empowered to resolve all account access issues.
Notice how phone carries manage to have a shop in every little strip mall, you're never more than a few miles from the nearest one. Google takes in far more revenue, can easily afford the same. Or they could even just partner with the phone carriers and have a staffed desk in every tmobile/at&t/verizon shop.
Staffed desks would just tell you they need to open a ticket.
No company will give full account unlock control to field employees.
Even the bank teller behind the glass needs to phone their internal fraud dept to unlock accounts.
> needs to phone their internal fraud dept
Except the bank teller has already authenticated you and internal fraud will pick up the phone...
I recently had to go through the recovery flow for an admin account and it was wild. Despite Google manually unlocking the account and giving me a reset link, every login was forced to authenticate via SMS using the (removed) phone number. Luckily I was able to get a hold of it and get the code, but even after adding a TOTP and security key 2FA, further logins still required SMS.
It feels like the security team made this change to reduce account hijacking but it's at complete odds with the recovery flow and modern security practices. Better hope your phone number doesn't get hijacked or recycled because it's the key to your account now, security keys be damned.
Google enabled 2FA on my Gmail account without any prior notice. I have the username, password, recovery email, and all emails from the account are forwarded to my Fastmail, but I can't ever log into the account again because it is trying to do 2FA by SMS to a number I don't have.
I've tried everything to find someone inside Google to fix this, but so far no luck. At least with Meta you can find someone on a forum like Swapd who will take a small bribe to fix these issues.
> At least with Meta you can find someone on a forum like Swapd who will take a small bribe ...
That sounds like its own kind of problems. (!)
Very similar situation. I could even see information being sent to the recovery email. So, when the time came to setup my business, I chose Zoho and avoid Google whenever possible.
My SO has identical situation. Identical. She still receives emails for this account because she set forwarding years ago, I still get notifications because I'm set as a recovery account, but without the phone she doesn't have for the last 15 years we have no way of logging in.
We have everything else but this alone is not enough.
You could rephrase this meta thing as "Meta employee can successfully coerce an adult into sex by promising Instagram account unban" - more accurate IMO: https://showtime-fqi8q.s3.amazonaws.com/onlyfans-star-slept-...
You could try logging into Gmail just to the point before the SMS is sent, then phone the number you used to have and speak to the current owner. Apologize that you forgot to take the number off your account and so they are receiving text messages meant for you, but you would like to get one more message from them and they won't be bothered anymore. Then you will switch to a new number on your Gmail and they will not receive your messages. Many people will be happy to help a stranger if you are nice and polite to them.
The other option is to contact the phone company and explain, asking an open ended question if there is any way they could help you, with the permission of the current owner of the number, to get one more text message and move your Gmail to a new number. It doesn't sound in any way like you are trying to pull a scam, so they might help.
If you’re operating Google workspace without a well oiled Enterprise behind the scenes, a single admin account is a single point of failure.
I had this happen a couple years ago when I was migrating to a different domain. The only difference was all of the authentication that I supplied Google said was an adequate and I got into some sort of a login loop where Authenticator, SMS, DNS record nor pass key would provide enough authentication for me to get in.
I got the automated got bought to finally send me the mythical form, after completing that I was told that they were unable to authenticate me further. I ended up emailing their support multiple times and threatening lawsuits multiple times when I got a magic call from a human at Google. They also sent me the link that put me into a login loop however after chatting with them for nearly an hour I got a different magic login link form which appeared to work.
I can't believe I'm praising Microsoft (Office365) here but it actually has a track record of actually having support, support people that you can talk on the phone with and knows how to navigate the dark corners of their convoluted systems and actually solved my problems (even if it was caused by Microsoft's horrific UI in the first place).
An article here a couple of days ago said that the automation behind the scenes in Azure is piss poor and the whole thing is held together by thousands of contractors manually fixing the endless failures.
On the plus side, it does mean they have thousands of people who know how to fix problems.
edit: https://news.ycombinator.com/item?id=47616242
At Google there is one guy who knows how to fix the problem.. he's a monk who is also in 700 different teams and the only one who remembers how the systems were built. You have to climb all the way up to his mountain abode, hope that he is home and pray that he will hear your cries and help you
There's a long queue up that mountain, though.
Any painful automation story feels very different from their customer service. MS has always been superior to their competition with customer service - especially paid service contracts - because it's far closer to their identity: very long-term, tightly integrated enterprise. Google has never had this; even the idea of paying for support came very late (and reluctantly) to them.
> MS has always been superior to their competition with customer service - especially paid service contracts - because it's far closer to their identity: very long-term, tightly integrated enterprise. Google has never had this; even the idea of paying for support came very late (and reluctantly) to them.
If we're comparing cloud services, surely GCP has customer service? I can't imagine any big enterprise using it otherwise.
I tried to read it assuming the blog post author is a hacker. The hacker could have stolen an OTP device with DNS access, but couldn't steal for the phone number (so they removed it, there was no explanation why phone number is removed). And honestly, how else could they prove they are legit? What if they really are a hacker?
It would be cool if Google (and other media giants, especially IdP ones) had an office where you could bring your passport and verify it's you. I don't think there is.
I’d hate for the “government-name” verification to become a requirement, but I’ve long wished services would at least offer that as an optional add-on. For certain important accounts, I’d be eager to place my government identity on file with the company ahead of time.
The Americans have done something kind of interesting along those lines, as far as an in-person IDV option to establish e-government accounts [0]. You start account setup online, then take a barcode to a post office along with your identity documents.
I have to imagine it’s hard to make a commercial case for such a system, though… especially these days with so much momentum toward the approach I resent—that is, requiring ID checks just to be online in the first place.
[0] https://www.login.gov/help/verify-your-identity/verify-your-...
Now try and read it assuming that instead of a screw up, this user was actually hacked. How do they recover?
Honestly, if you are using Gmail as your primary email I could probably ruin your entire year. I could just try and hack you (not even successfully) and Google will just shut down your entire life rather than attempt to work out who's right.
> I could just try and hack you (not even successfully) and Google will just shut down your entire life rather than attempt to work out who's right.
Had this happen to me. Fortunately the 'attacker' wasn't actually trying to do this, so damage was limited, but it's chilling when you think about what some motivated script kiddy can do with your Google account just by requesting password resets.
Update: A kind stranger from Google reached out and this is now resolved. Thank you HN for helping me through this.
It is quite frankly ridiculous that you need to be in the "in-group" to get things like this resolved and it is not the first time this has been reported, be it Google or Meta or any other big tech corpo.
These players MUST be regulated or treated like utilities; hoping the EU will ratchet up the pressure even more.
Google's customer support is interesting. Its definitely a case where you'll sometimes hit pockets of the company where clearly there was someone who made it their life's work to fix this bad reputation they have; while other pockets make it clear that they deserve the reputation.
I had a Nest subscription that became a total mess. If you've ever tried to use Nest before, or are coming from a legacy Nest account, and/or also have a Workspace account that somehow got wrapped up in the mess, you'll understand how much of a clusterf Nest is for the Google ecosystem. I had signed up for this subscription on a personal Google account, cancelled it, but was still being charged for it, and the credit card being used made me think it was getting charged on my Google Workspace account (which isn't officially supported, and would never let you sign up for it, but DID share an email address with my legacy Nest account I had migrated into the non-Workspace personal account I was using for Nest).
They had to escalate the problem a couple times, which took ~24 hours. Once that happened, their rep had it resolved in minutes, and refunded me two months on the subscription.
The biggest piece of advice I can give when dealing with Google is: Never be weird. You cannot ever put yourself in a situation where your account isn't like the other billion accounts they have. If you do, something will go wrong and its rolling the dice on whether you'll ever reach someone who can help you. If you've used Google enough, you know: Their multifactor settings are weird. You cannot set it up exactly how you want; it'll always trigger some auth method you didn't configure but they have "LATENT KNOWLEDGE" you should be able to authenticate with, like a phone number you configured six years ago, or gmail installed on a tablet that's 400 miles away, and you can't turn it off, even on Workspace.
My favorite bit of Googleism: Go to any site you sign in with Google SSO and watch the URLs in the eight redirects it has to do before it signs you in. You'll see a "youtube.com" in there. Even on a Workspace account. Youtube.com is a load-bearing website in their core auth flows.
Mess of a company. I hope they invest some effort in improving things, but I was saying the same thing in 2018. They probably won't.
> like a phone number you configured six years ago
I've put in a heroic effort to make sure they never get a phone number, specifically so they can't start handing my account over to the first clown who simswaps me, and have been successful. Unfortunately, this makes my account weird, which as you noted is fatal.
> My favorite bit of Googleism: Go to any site you sign in with Google SSO and watch the URLs in the eight redirects it has to do before it signs you in. You'll see a "youtube.com" in there. Even on a Workspace account. Youtube.com is a load-bearing website in their core auth flows.
I assume that's just because they need to set a cookie on the YouTube domain in case you visit YouTube later on the workspace account, and not "load bearing"in the manner you insinuate
If the youtube.com 302 failed to itself 302 back to the next destination; because the site is down; would that not be load bearing?
You do not hit YouTube directly. You hit Google's frontend server which then does internal routing. Likely it would be able to route around it. Or rather, the auth part of YouTube is not the same as all of the other parts of YouTube. For big tech companies like Google, a website is not one single binary that serves requests, but a ton of services handling different things (and some of those services being caching so it doesn't show things down as you might think). It is highly unlikely that the main services comprising YouTube as a video streaming site would bring down Google auth
Google needs to understand that watching this nightmare scenario play out over and over again is actively destroying trust in their platform. When your email, authentication, documents, payroll, and CRM all flow through a single provider and that provider can lock you out overnight with no meaningful recourse, you’ve invited customers to place their entire digital presence into a house of cards. The fact that this same story surfaces almost daily should be a wake up call to existing and prospective customers. Every unresolved lockout is one more reason to start planning an exit. Google has led the effort to lower the bar so much that it’s commonplace and somehow acceptable to ghost paying customers who youve locked out or even worse bounce them through a gauntlet of AI chat bots with the illusion that you are even aware of the damage you’ve caused.
Yeah, loss of a google account in certain cases can destroy entire small businesses and there's no recourse. In the old world we had extremely deep bodies of case law around utilities and commercial leases and road access, insurance and all kinds of things to make business operation legally predictable, but for the digital equivalent it's still the wild west and everyone just throws up their hands like its unavoidable.
Imagine being homeless, and your Gmail account is your online identity for what little financial presence you have, and how in the world can you recover from its loss?
On the surface it seems like it would be a good idea for all these users who were suspended to do a mass arbitration like what happened to Uber to get them to start taking it seriously, this comes up like monthly people getting account pulled up from under them and impacting business. Maybe there a legal differences or something https://www.mbelr.org/mass-arbitration-how-ubers-own-alterna...
I don’t disagree, but the reality is SaaS is the model that most companies depend on and these risks exist everywhere.
If your business is dependent on services you need to take a modicum of effort to protect yourself - the posts author was literally walking around with his entire business at risk from him dropping his phone or having it pickpocketed.
At the end of the day, the protagonist in this story is mad because Google won’t allow him to social engineer access to his company. He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.
> He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.
Are we reading the same blog post? He had his password, 2FA authenticator set up, and backup codes -- everything Google asks you to have to be on the "golden" auth path.
He only deleted his SMS authentication path (one thing I don't understand is how he was able to do this in the first place without being logged in), which is in any case the least secure method of 2FA. Also, It should be fairly obvious that SMS is not expected to work seamlessly while traveling, how is this not a scenario that's hit by millions of Google users worldwide?
We’re hearing one side of the story from a frustrated user recounting a borderline traumatic and stressful event.
The SMS only fallback is when other things have failed and they suspect that there’s been a takeover. Microsoft does something similar to tie it to some tangible thing. I’m not excusing Google. Their exception handling is poor at best. I’ve seen issues at customers where phones left in flight get flagged because of GPS disruptions due to Middle East conflicts, for example. (Phones flagged as having been in Syria or Russia can be kryptonite) One scenario was a VIP whose kid was in Europe with their other parent and the VIP’s tablet, signed into work email.
Other factors apply too - there may be multiple accounts tied to the number that are in different locales, for example. No idea what obnoxious rules Australia and UK add as well.
Point is, this type of shit happens and you should have a contingency.
> Point is, this type of shit happens and you should have a contingency.
Let's work through what the contingency could have been. Always make sure you buy international roaming everywhere you go? Always be able to switch your MX records (from a provider whose account isn't tied to a Google-controlled email)?
They seem to get increasingly less practical to be honest. People travel all over the world everyday, this shit shouldn't be hard for a company like Google that supposedly ingests mountains of data.
More to the point, I think email has become sort of a fundamental right given how much of your identity depends on it. Companies that control this sort of identity foundation need to be heavily regulated, and perhaps nationalized.
Ok, sure man. In the meantime before the Lenin of our age appears…
In this case, don’t run around with a business account with a single user with admin privileges. Segregate privilege. Don’t share a phone number with other accounts. Don’t use SSO as the key to your business.
If you run a business you need to manage risk. If a customs officer thought he looked funny and seized the phone, he’d be boned as well.
> I removed my phone number from the account. I am travelling to the UK for a short period and did not want to have roaming on my Australian phone.
So for my own notes, removing a phone number from my Google account before travel will risk account suspension. Hope OP resolves it, but also need to make sure this never happens to me.
Instead of getting more dependant on Big Tech's AI products, I think the perfect use for AI is develop tools and workflows that decouple one from Big Tech.
I keep paying ElevenLabs for 3 years after some early AI agent project where I used it as my payment data is bound to a google account associated with a phone number that expired in the meantime. I thought adding the google authenticator to the account and switching to it as a secondary authentication method from the phone number would allow me to cancel the subscription, but for some reason Google insists I verify using the expired phone number...
> On Saturday, April 4, at 5:06 AM, I received a notification saying my authenticator had been removed. It hadn’t. The authenticator was still active on my phone - it was the recovery phone I had removed. Google apparently conflated the two.
This is a massive bug here. I was also surprised recently that Google won't let you enroll multiple Authenticators. If we had functional security regulations I think there would be some pretty large fines for Google's error here.
This is why I do full Google Takeout every 2 months and have my own domain with Workspace. I don't rely on cloud file storage. The calendar is important, but I could switch easily.
IMO, the worst part of this is Workspace support is immune to ANY explanation. I mean, credit card companies are well used to "is this your transaction?" emails.
I guess one way to protect yourself from this would be to use another IAM solution for SSO login to Google Workspace, but is there any reasonable choice for small businesses other than Entra ID or Okta?
There's always keycloak you can rollout yourself. It's not trivial but it's quite doable.
Thanks for the pointer, https://news.ycombinator.com/item?id=47649354
edit: looks like there are affordable managed hosting providers for keycloak.
I was a long time k8s skeptical, but I think it's solid now. If there's good support for keycloak for k8s with support for backups I wouldn't think twice.
Not sure the state of keycloak now, but it was a lot of work to manage keycloak configs with the IaC pipeline. That could have gotten better now, but I think having access to the data is important because migration might not be trivial if for instance a provider starts acting up.
Instead of Keycloak, I would recommend giving Kanidm a try: It's much more lightweight and covers most of what you usually need (one notable exception being SAML).
https://github.com/kanidm/kanidm
These kind of stories led me to explore de-googling my digital life. And honestly its been a fun journey and given meaning and purpose to my homelab. 100% recommend. Own your digital life, run local, reclaim the web.
Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.
In my experience Google Workspave support is very good. I’ve always been able to get a knowledgeable person on a call to debug issues without much difficulty.
But yea, if you’re locked out of your admin account, that’s another story. Very sjmilar to if you get locked out of your AWS root account. It’s a nightmare to recover.
> Using a Google Workspace Super Admin account for your non-admin day to day needs is similar to using your AWS root account instead of IAM users.
It sounds like the mistake here is not appointing another Super Admin, and making sure they don't use their account for day to day needs. Or just having two Super Admin accounts controlled by the same person, heh.
I can't see how not using one's Super Admin account wouldn't prevent tripping some kind of fraud lockout that's impossible to recover from.
Randomly, I just remembered that I lost a GCP account because I tried logging in from Laos, and they asked me for the front and back photos of a payment card that I used ages ago that I didn't bother making scans of before it was lost. Urgh.
Make a primary super admin (admin@ whatever) and only log into it for admin purposes. Make an actual user (you@) for day to day line of business work. This has the benefit of making some categories of spear phishing and xsrf attacks harder if the account that gets compromised doesn't have root.
That's what I've been doing.
It doesn't address this thread's concern that a single Super Admin could be locked out with no recourse, since Google's customer support is horrendously bad.
So you're saying for a simple setup of 1 user, you really need to pay for 2 users. The admin account and the real user you want to use, which doubles the cost.
In an ideal world, 3 users, because you want a backup admin in case your primary admin is lost.
I don’t love it either, but these are Google’s published best practices / recommendations
Just had to fix an AWS account lock out this morning. Why? Despite having a $0 balance and payment info on file, until I set a budget (a new feature per their UI), all of my Cloudfront-hosted files were just unavailable on my business' site (I Cloudfront all static assets so all images, fonts, etc were just broken all of a sudden).
These are the limits of scale. Too big, too complex, and not enough skilled people to maintain and/or support it. And our hubris as humans prevents us from accepting it. Why? Why can't we accept smaller but more functional things/systems?
We don't have to live like this.
With phone numbers, you can move from one carrier to another, while retaining your number. This helps with competition.
We need the same for email.
Sure, it may not work with the ancillary services, but keeping your email address would solve a lot of issues.
I mean, you can do that already, you use your own domain name and can then change email providers at will, in theory.
But maybe you logged in to your domain registrar through google oauth. If your google account is locked you can't now get into your domain's settings to change your MX records.
The real problem isn't the email address itself, it's all the access that google owns on your behalf. Lose access to Google, lose access to everything.
I discovered this same issue, you are required to have a phone their auth system is bugged me.
I just set up google workspace and I didn't have recovery phone or anything,just password and recovery email. I didn't login for 1 week (life stuff). When I came back it allowed me to login but didn't allow any admin stuff saying it didn't recognize me and that I must use a known browser.
Well, that was the only browser I logged in with.
The solution was a weird thing where I was able to add phone recovery and authenticator, but then had to wait 2 weeks (couldn't use it). After that I performed authentication as usual.
It's horrible.
Been there done that, none of it works, till this date my YouTube account is suspended and they can't do a thing about it.
Google Drive & Workspace are their most poorly designed products with the shittiest support ecosystem. Google would rather bleed money than work on it.
That's one of reason I started DoShare Personal Cloud[₁]
[1] https://getcloud.doshare.me
Run your own email server, and give Google the middle finger. Letting Google own your email, and freely spy on your communications is insane. I think this incident clearly demonstrates that you cannot leave critical infrastructure like this in the hands of a third party.
This story is the typical "got banned, complained on HN, only then did Google see fit to actually help me" however I'm surprised that before this was posted he WAS able to actually talk to someone from Google on the phone.
I legitimately thought that was impossible, so, uh, baby steps?
The 40+ hour window with no human contact is the part that hurts most. Small things that would be fixable with a 5-minute call compound fast when payroll is missing. Do team members still have access to their individual accounts during the suspension, or is everyone locked out?
It's quite entertaining to read - most of the article is pretty much elaborating a chain of bad decisions by the author which all lead to this now being a big problem. If he'd have written a similar dependency tree earlier and just thought about it for a few minutes that should've been avoidable.
> Update 1 - I know I can simply change the MX record to someone else but It has its own challenges.
I don't quite get that attitude. He's describing that he needs his business emails. Not just getting a mail server back online for that, even as interim solution, points to the opposite. In the time it takes for MX TTL to expire he could easily just throw up a postfix+dovecot on some VPS, with enough time to spare to add something like sogo if he feels fancy.
That's what I didn't get either. And you don't even need to configure a VPS, there's Fastmail, Protonmail, Zoho, Kolabnow, Purely mail, Migadu and so much more.
Why victim blame him for removing the phone number? He had a logical reason for doing so, and with Google supporting many forms of authentication it's perfectly reasonable to think that removing one wouldn't jeopardize the other methods.
I was a bit worried when I saw the title of the article because I have one of these accounts but geez he made some bad choices. Deleting all phone numbers and the recovery and swapping to a new authentication method and then accessing from a different country??? No wonder it got flagged.
I probably wouldn't believe him either. Google should have an option to revert to the last trusted config after some verification method. Google support is bad, I'll give him that.
All this to avoid roaming charges? And then refusing to share a personal email in this scenario and missing meetings because of that.
I'd argue that changing the MX to fastmail or Microsoft would be much faster than a postfix+dovecot solution on a VPS but I think he's just refusing any solution based on his principals.
I wonder, will big tech adopt the EU Digital Identity? Or will they have to be forced?
It would dramatically improve the service.
Time since paying Google customers had to resort to social media outrage to obtain decent resolution: 0 days
Good luck to you
The full text of Google's slogan is: Don't be evil (to customers that click ads from which our largest income share comes but not to developers who in the future might be our competitors).
It's just too long to fit on a T-shirt but not to memorise.
Thanks for the great reminder to detangle myself from Google.
It's simply about time to own your digital life instead of being slave of someone else.
> 3) Removed recovery phone
Never put your phone in there in the first place. You can actually skip that step.
I failed the Apple Developer ID verification four times due to technical issues and now my account is ineligible to become a developer.
Forever.
>Update 1 - I know I can simply change the MX record to someone else but It has its own challenges.
>Update 2 - Sadly, its 2 PM in the UK and I will miss the meeting that I had scheduled via Google Meet because emails are not working
Srsly?
If you wanted to intentionally trigger every account abuse system at Google, follow this guy's script.
people who travel shouldn't trigger account abuse
Changing your account recovery and 2FA settings then immediately trying to recover your account from an unusual country should temporarily lock out your account, every time, and this is what all normal users want.
Recently I cleaned up a SMB client's Workspace users after archiving their data (former employee accounts that had been languishing). In the space of a day or two I did the following for half the ~20 total accounts:
I fully expected to hit some kind of roadblock or delay or for alarm bells to go off for the other admins, but nope, I literally "absconded" with hundreds of gigabytes of data and nuked half the org in short order.
There is a Workspace Admin option to export users' data but it warns of an automatic 48 hour delay to let "other admins take action" if something is amiss. The client wanted the task done before getting hit with the full monthly license fees again so I had to go the manual route.
Granted, out of paranoia, I was using the client's office VPN as my traffic egress so maybe that helped.
At least he owns his own domain and can eventually switch over. A few years ago we decided to switch our personal emails from gmail accounts to domains we own (though the email is still handled by google.) This way if we ever lose our google account, we can switch the MX and be able to get all our recovery emails, bank second factors, password recoveries, etc.
They could switch their domain to another email provider and start getting emails, which is great. The problem though, is they also used their Google Account to log in to all the 3rd party services (payroll). I have no idea how you would get back into those services. Some _might_ let you switch off the Google Sign-in SSO, but I imagine that is a headache.
this is actually scary as fuck
I thought with Workspace you'd actually be spared from this kind of BS
I guess not?
you're paying for the privilege of getting locked out by the same algorithm that locks out free accounts. the only difference is you get an invoice.
This occurs to dozens, hundreds, maybe even thousands of people on a daily basis. It happened to me many years ago. This is your opportunity to escape, instead you cry out here for attention. How pathetic
"Despite repeatedly explaining this, they ignored my assertions and continue to hold my email hostage."
Well, you have become the product here. That also happens by other "free" email providers too. I had this happen to me on inbox.lt; the guy demanded I use a smartphone to "prove" my identity. At that point I realised they want to connect this data to the account and sell it to others who are interested in that.
Google Workspace isn't free, it is a paid for plan.
its $13 per month for a basic plan.
What do you add to humanity with this crappy take? Why are you shitty to the victim?
Because his honest and accurate diagnosis for why mega tech corps treat people inhumanely is the first step towards stopping it. In my opinion of course.
1. they're wrong in their basic understanding; this is not a free product
2. the response is glib and lacks any empathy
3. there's no suggestions of possible action or resolution path
4. it is all opinion and low value / low effort
So even if it's an "honest and accurate diagnosis" that you agree with, it's not helpful, valuable or even comforting. We can do better.
What's a good alternative to Google Workspace for SMB customers?
Office365?
Microsoft 365 is a reasonable alternative. It's easy to buy and even tiny Customers can get a degree of real human (read: tier 1 is unhelpful contractors that you have to fight thru) support.
It's still repugnant to me, as compared to self-hosting, but I would never self-host for a greenfield SMB Customer today. The economics don't make sense and the talent pool of knowledgeable and reasonable sysadmins is dwindling by the day. (I wouldn't want to make a Customer so beholden to me if they were willing to pay for it.)
I miss being able to spin-up an on-prem email server on a box with reasonable hardware redundancy, some external USB disks to rotate for off-site backup, a UPS, a couple consumer-grade "business class" Internet connections, and a contracted "backup MX" to catch email in the event of an outage. It was a good enough for a lot of small SMBs who had a physical office, and was cheap.
The economics make perfect sense once "30 days of a suspended business email with no timely recourse" shows up as a line item. That USB disk and a UPS is looking pretty cheap right about now.
OP really should be moving the MX somewhere else and going into disaster contingency mode. It sucks, but there's a level of survival there they should be willing to accept, at least temporarily.
It's not. Support is about on par with Google for SMBs. I had a client get locked out of the admin panel for about 2 weeks before getting through with support.
The difference is that everyone's account kept working during that time so business kept on as usual, just the admins couldn't change anything.
The sad thing is I don't think anyone did anything unusual and it was some kind of bug of Microsoft's end.
Good to know. I'm only dealing with 7 M365 tenants regularly and we have "break glass" accounts in each one (not tied to Customer's SSO, MFA unrelated to other admins, email address outside the tenant) to try to minimize the possibility of getting locked out, but I know it's always a possibility.
Moving the MX for the domain and limping along from backups is my worst-case contingency but given that there's no place other than M365 to restore the backups to it isn't a very good strategy.
Tough situation. A good reminder to set up a backup recovery method before removing the existing one, especially when traveling.
OP triggered every possible red flags for suspicious account takeover in Google systems: deleting his recovery phone number, moving to another country and cellular provider. And then he gets surprised that the account is in 30 day cool down period??? I don't understand people sometimes.
They didn't willfully delete their recovery phone number. They tried to delete a shitty, known-broken 2FA mechanism after they had set up passkeys. Poor UX conflated the two things, so their recovery phone number ended up being deleted. This is 100% on Google.
Why the fuck would Google care in which country I live? It's a personal decision, and no corporation should have any say in this. They certainly don't have to flag an account for that, especially not if the account has 2FA enabled. This is on Google, too.
Your comment is victim blaming.
The problem is the rapid succession of changes to recovery phone number, country, cellular provider. There is no way to differentiate, at scale, between an account takeover currently in progress that needs to be stopped immediately to minimize damage, and a legit user deciding to change all his personal info at once.
30 day cool down period is a reasonable response, at scale.
> The problem is the rapid succession of changes to recovery phone number, country, cellular provider.
Aren't cellular providers inherently tied to the country they're in?
How do you move to another country without changing cellular providers at the same time?
Of course you can keep your provider. It's called roaming, per OP story: "I am travelling to the UK and did not want to have *roaming* on my Australian phone."
For cheaper rates than roaming, typically you install a secondary eSIM for the country you're traveling. 99% modern phones support dual SIM for this reason
you keep the old number forever and when travelling get a data sim only
Have backup codes, Passkey, access to the said number, same laptop logged in, phone logged in, recovery email address access and nothing works...