Gmail Account Recovery and Security

How to Get Help

The purpose of this article is to help guide you through the process of recovering a lost account and (if it was lost due to being compromised) re-securing it so that it is less likely to be lost again.

There are other sources of information including the Gmail* Help Center: http://mail.google.com/support/?hl=en and the Gmail Help Forums: http://www.google.com/support/forum/p/gmail?hl=en both of which support searching for topics of interest.

Please note that you can not recover your account just by posting to the Gmail help forum. You must use one of the methods provided by Google as outlined below.

Table Of Contents
  1. How To Recover Your Account - a basic guide to what process to follow
  2. Account Recovery Walk-Through - a guide with pictures to help understand the recovery flow
  3. Additional Recovery Information - more information about the Account Recovery Form (for many, this is the most important section of this article)
  4. FAQ About Account Recovery - read this before you post a question to the forum
  5. When You Reclaim Your Account - how to re-secure an account
  6. How To Protect Your Account Contents - how to back up your account



How To Recover Your Account

We will assume you went to https://mail.google.com/ and tried to log into your account. It didn’t work and you found your way here. You need to start with the following decision tree to determine what actions you need to take to recover your account.

If your password does not work, use the “Need help?” link on the sign-in page and then the "I don't know my password" option which will direct you to a page with one or more recovery options depending on which ones you previously configured on your account:
  1. Get a verification code sent to your mobile device.
  2. Request a password reset e-mail to be sent to your recovery account.
  3. Proceed through the Account Recovery Flow to attempt to prove ownership of the account.
https://accounts.google.com/signin/recovery

If you are told "Sorry, Google doesn't recognize that email", it may have been deleted, so use the Account Recovery Flow to try and recover it. It could also mean that the account name is incorrect, so attempt to recover the account name as noted next.
https://accounts.google.com/signin/recovery

If you do not remember the account name (which might be why the account does not appear to exist), use the “Need help?” link and then use the "Find my account" link:
https://accounts.google.com/signin/recovery

If you are instructed to supply a mobile number to receive an SMS code, you need to follow the process as described. This could include mention of "suspicious activity" or there being "something different" about how you are signing in.
http://gmailblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
http://www.google.com/support/forum/p/gmail/thread?tid=69a33682180a6d01&hl=en
https://support.google.com/mail/answer/114129

If mention is made of “unusual activity”, it could be because of abnormal account usage that may indicate compromise. It may unlock in 24 hours, or it may provide a list of possible causes that will need to be corrected.
https://support.google.com/mail/answer/43692

“Temporary Error (502)” or 500 indicates an internal error that should correct itself soon.
https://support.google.com/mail/answer/140031

Any message about account “maintenance” indicates that temporary server maintenance is in process, which should take less than 24 hours.
https://support.google.com/mail/answer/63592 (original article missing)

Any message about being underage indicates the system believes you are too young to own a Gmail account (generally under 13).
https://support.google.com/accounts/answer/1333913

Any message about your account being “Disabled” or “Suspended” typically indicates some abuse, violation of the Terms of Service, or possibly a compromised account. Follow any instructions given or links provided when you try to sign in.
https://support.google.com/mail/answer/43692

If you see some other error not listed above, use the following more comprehensive list of possible problems.
https://support.google.com/mail/troubleshooter/2943007

If at any point you are told that "This account was deleted and is no longer recoverable", then the account is lost.  There is no way to recover it, and the account can not be re-created.




Account Recovery Walk-Through

Important:   Google is making changes to the account recovery process.  Most people will see the new process but there are some limited cases where you might see the old process.  You have no control over which process you have available for account recovery.  The process starts the same for both methods:
You should see an "Account support" page where you can enter your e-mail address. In most cases clicking next will start the new account recovery process.

New Account Recovery Process

This section will provide an overview of the new process of doing an account recovery. This new process is under development by Google and subject to ongoing changes, so what you see in practice may vary from what is documented below.

All account access starts the same way, by going to the Gmail sign in page at: https://mail.google.com/. If you're trying to recover access to an account, you click the "Need help?" link at the bottom. You can also go there directly by using the link: https://accounts.google.com/signin/recovery.

This starts the new recovery process.  There is a "Find my account" link if you don't know your user name, but for all other cases you enter your e-mail address and click "Next".


You will then be presented with a number of possible ways to regain access to your account or attempt to prove you own it.  The options available are dictated by what recovery options were previously configured on the account.  For example, if no recovery e-mail address was configured, that option will not be shown.  If options were configured but not kept up-to-date, they will be shown but may be useless for recovery.  In the case of a compromised account, the options may be shown, but if they were modified by the hacker they will be useless for recovery.

If the lost account has 2-step verification enabled (https://gmail.googleblog.com/2011/02/advanced-sign-in-security-for-your.html) you may be directed to the old account recovery process at this point.  This will also be true if the account was compromised and the hacker enabled 2-step verification to make it harder to recover the account.

The new recovery options available may include any of the following and possibly others not pictured:


If you have a pre-configured e-mail or phone number and select that option, you will be sent a six-digit code to enter.  Entering the correct code will take you to a page to reset the password.  Answering one of the other questions correctly might also take you directly to that page.


If you can't use or answer a given option, click the "Try a different question" link for the next option. If you aren't given the option to reset the password, the last question will typically ask for a contact address where Google can e-mail you.


Like above, a six-digit code will be sent to that address which you will then enter.  But unlike above, receiving this code does not mean you will be allowed to reset the password.  The answers you provided on the previous pages will determine if you are given the option to reset the password, or if your request is denied.

If you can't use any of the options or fail to prove ownership of the account, you will receive a message that "Google couldn't verify it's you, so you can't sign in to this account right now".  You can of course try again, but if you can't prove ownership of the account, it is lost.  There are no other ways to recover a lost account.


If you clicked the "Find my account" link on the first page you will be directed to the following page where you will have a choice to provide a previously configured e-mail or phone number. You will also have to provide the first and last name configured on the account. You will then receive a list of accounts that match that information. You must know both the e-mail/phone and the name on the account.



Old Account Recovery Process

The one case that appears to still use the old or original process for account recovery is for accounts where 2-step verification has been enabled. This includes cases where an account has been compromised and 2-step verification was enabled by the hacker to make it more difficult for the original owner to recover it. This section will provide an overview of the old process of doing an account recovery for this case. But please note that Google constantly makes changes to the process or the individual pages, so the images below may not exactly match what you see. It's a guide to the general process, not definitive documentation.

All account access starts the same way, by going to the Gmail sign in page at: https://mail.google.com/. As noted above, if you're trying to recover access to an account, you click the "Need help?" link at the bottom. You can also go there directly by using the direct link: https://accounts.google.com/signin/recovery.

If the account has 2-step verification enabled, instead of the above new process, you will probably see the following screen. It will show you your avatar, e-mail address, and perhaps your name to verify you are trying to recover the correct account.   It will also ask you for the last password you remember.


At this point you will need to specify the exact situation you find yourself in.   For a simple lost password you might select the first option.  If you are unable to receive the 2-step verification code (for example, you lost your phone) you would choose the second option.  The third option is for the case when the account was compromised and someone else enabled 2-step verification.




For the first case, if you have a recovery e-mail address configured on the account you will be able to use that to reset the password. Note that you cannot use a phone to do a password reset on an account with 2-step verification enabled. Consider the situation where the phone was lost or stolen: someone could reset the password and receive a 2-step verification code all using just the one device.

For all other cases you will be directed to the account recovery form where you will answer a series of questions to prove ownership of the account. You will see a series of screens that ask a number of details about the account which, if answered correctly, will prove ownership and allow the account to be returned. The first two screens may look similar to the following.




Once the form has been submitted there will be a confirmation screen.


If you successfully prove ownership of the account you will receive instructions on how to sign in.  This could involve resetting your password and/or bypassing 2-step verification.

The other case is if insufficient information has been provided to prove ownership. This may come as a message in the browser after you submit the form, or an e-mail to the provided contact address. The only option is to keep trying.
The information provided does not match our records. Try signing in from a location where you usually sign in (e.g., home or work) and fill out the account information again.

At Google, we take your privacy and security seriously. We're committed to returning accounts only when we're sure we're giving them back to the accounts' owners. Unfortunately, based on the information you provided, we were unable to verify that you own this account. To ensure that we are not compromising the security of the data, we can't return the account at this time.
If this happens the only option is to repeat the process providing more answers to the questions, or more accurate answers than provided previously.  Simply repeating the process with the same answers will not help.  You must provide more proof of ownership or Google will not return the account.

Google Apps accounts

Google Apps accounts (those not ending in @gmail.com) can not be recovered using the standard Gmail recovery procedures. One must contact the Google Apps administrator for the domain who can reset the password to regain access.





Additional Recovery Information,
The Account Recovery Form

The Account Recovery Form is part of the old account recovery process described above.  It is seldom used now, perhaps only for cases where the lost account has 2-step verification enabled.  As such, this section has almost become obsolete.

When filling out the Account Recovery Form it is important that you complete as much of the form as possible, and that the information be as accurate as you can make it. If the form is rejected you can try submitting it again. You can re-submit it as many times as you want, but it's best to wait for a reply to each submission before submitting again. If you don’t receive a reply, check your spam/junk folder (especially if it’s a non-Gmail account).

It’s very important that as you repeatedly submit the Account Recovery Form that you fill in more of the blanks with more accurate information. There is some threshold of correct information you need to prove ownership, so a rejection means you need to supply more and/or the information you submit needs to be more accurate. Submitting the same form with no additional information multiple times does not help.

Hints for successful account recovery:
  • It’s not about the number of times you submit the Account Recovery Form, it’s about providing more and better answers with each attempt. If your submission is rejected, you must work harder to provide more answers, and make the answers more accurate in subsequent submissions.
  • Wait for a response before each new submission (be sure to check Spam). Responses could be delayed as much as 24 hours but you should wait a full 48 hours before submitting another form.
  • If you are not receiving a response, check your Spam or Junk folder on the account you specified for replies. Also double (triple) check that you correctly spelled the e-mail account name.
  • Duplicate submissions, or submissions without waiting for a reply can trigger a submission lock forcing you to wait a few days to try again.
  • Make your best guess on every field of the form. You never know what will help.

There are a number of factors in addition to the answers provided on the account recovery form that Google takes into account when evaluating a recovery request. The type of answers you provide is also important. Some of these factors can be influenced during the account recovery process and some can't. But the more you know, the better your chances of a successful recovery.

The number and type of questions asked can vary greatly. It may be as few as three: a past password, the account creation date, and the last date the account was accessed. Often it will include additional questions: frequent contacts, user labels created, and other products used with dates. In some cases it might ask other questions: the user provided secret question, IP address information, ISP information, etc. It doesn't matter how many questions you are asked; unless you can answer enough of them correctly to prove ownership of the account, Google will not give it to you.

Hints for successfully filling out the Account Recovery Form (this stuff is important):
  • If possible, use the same computer and browser for account recovery that was typically used to access the account. This can make it much easier to get your answers accepted. As the account recovery form notes: "Please note that we need your IP address in order to resolve this issue."
  • If the form asks for a previous password, it must be the exact password.  Being even one character off will not count as a correct answer.
  • Any contact e-mail addresses provided must be for people with whom messages were sent AND received.
  • Dates must be close, but do not need to be exact to the day.  You can be off by days or perhaps a few weeks, but not by months or years.
  • Any label names entered must be for user-created labels.  Gmail system labels do not count as a correct answer.
  • If you have no contacts or labels, leaving that answer blank may be technically correct, but an answer of "none" does not count as a correct answer.
  • If other Google products are listed, they must also include the date, otherwise they will not count as a correct answer.

There may be one other option for simple password recovery if your account wasn’t compromised and you simply forgot your password. If you have your browser set up to remember your account information you may be able to view your saved password. Both Firefox and Chrome allow saved passwords to be viewed in plain-text. If you use another browser that does not permit this, then you can use/install Firefox or Chrome, import your settings, and then check to see if the saved password is accessible. Again, this only works for people who forgot their password due to relying on the browser’s auto-fill function, but if it applies it might be easier than the above procedures.



FAQ About Account Recovery

Q. Why can’t I tell someone private information about my account that they could look up to verify my claim?
A. Account privacy rules are very strict within Google, and allowing employees to look at the contents of an account would be a serious breach of privacy.  You may know enough about the contents of the account to prove ownership, but no one at Google can verify that information.

Q. Why isn’t there a comments section in account recovery where I could add additional information to prove my claim?
A. Like above, it would be a violation of account privacy for an employee to look in the account to verify any additional information supplied.

Q. Why can’t I simply talk to somebody about this?
A. Unfortunately, Google does not offer live support for the free Gmail product (see: http://mail.google.com/support/bin/request.py?contact_type=contact_policy). You must use the recovery methods provided.  There is also the fact that even if you could talk to someone, you would still have to answer the same questions to prove ownership of the account.

Q. Why can’t Google lock the account to protect it from any more damage or outgoing spam?
A. Google may disable an account if they notice suspicious usage or if the account is being used to send out spam. But again, privacy concerns would prevent them from simply locking an account because someone claims it’s theirs and is compromised. In addition, since there is no live support, there is no one to even make such a request to.

Q. I had a really long password of random strings that would be impossible to guess. How was my account compromised?
A. Google (like most e-mail providers) has blocks to prevent trying lots of passwords to guess the correct one (brute-force attacks). Most accounts are compromised by harvesting passwords other ways. While a secure password is important, it’s only one in a long list of things needed to keep any online account secure. This article has more information on this topic: http://gmail-tips.blogspot.com/2012/01/how-not-to-get-hacked.html

Q. But I’m very careful with my password. I don’t give it to anyone except an official request from Gmail.
A. Unfortunately if you provided your password in response to any e-mail (even claiming to be from Google/Gmail) then your password was harvested by phishing. It’s very common, and can trick even the most careful people.

Q. I'm not getting any reply after submitting my account recovery information.
A. First, make sure you are using a valid, working contact e-mail address that you check regularly for any replies. Also, check the junk/spam label in case any reply was misfiltered. Then try again. You might also try a different contact e-mail address.

Q. My contacts were deleted by the hacker, how do I recover them?
A. Deleted contacts can now be restored to any point in the last thirty days: https://support.google.com/mail/answer/1069522

Q. My e-mail history was deleted by the hacker, how do I recover it?
A. Have you looked in All Mail and Trash for the missing information? Have you used Search to try and find it? Unfortunately, messages deleted from Trash or Spam cannot be recovered. If you would like to request that Google attempt to recover messages deleted by a hacker, see: https://support.google.com/mail/troubleshooter/4530113

Q. My account was deleted by the hacker, can I recover it?
A. The account recovery process can sometimes restore a recently deleted account. That is your only option in this case.  But if you are told that "This account was deleted and is no longer recoverable" then the account is lost.

Q. I don’t care about the account, can I just get the e-mail history or the contacts from it?
A. Unfortunately, you have to be able to access the account in order to transfer any information out of it. This means you need to try and recover the account first.

Q. I don’t care about the contents, I just need the e-mail address back because I have other things linked to that address.
A. Account names are never re-used, so you can’t re-create the account. So to get the name back you will have to try and recover the account.

Q. Can I find out who did this? Can anyone prosecute them?
A. About the only information you have available is the list of the last 10 IPs to access your account (see the Details link below the Inbox). But given how easy it is to fake IPs, and how inaccurate they are, it’s unlikely that more than a general location can be determined. In general, law enforcement is not interested in a simple compromised account, and Google is not a law enforcement agency. Bottom line is: one’s energy is better spent on recovery and re-securing the account.

Q. Isn’t what the person did illegal? Can I sue them or get them arrested?
A. Any legal questions should be asked of local law enforcement or an attorney. Google is neither of those and can not advise you on any actions.

Q. Can I find out what they did in my account while they had access?
A. There are no account activity logs available, so you can’t find out for sure. If there is spam in your Sent Mail, then you know they used the account for that. But there’s no way to know if or what messages they may have looked at, so take appropriate precautions.

Q. How was my account compromised?
A. There are many ways passwords can be harvested and accounts compromised, but the most common ones include:
  • Using the same password on multiple web-sites. A less secure site is hacked and they get the user database (e-mail and password) and then just try them all. If the person did not use a unique password, the hacker gains access to the e-mail account.
  • Phishing e-mails that ask for account information or direct you to a phishing web-site. Don’t dismiss this because the messages are a lot more convincing than you would imagine, often using text copied from actual Google e-mails or on-line forms.
  • Use of a computer that is infected with a key-logger or other malware (most common for public computers like at a school or library) which records your login information.
For more information about how accounts can be compromised see the article: http://gmail-tips.blogspot.com/2012/01/how-not-to-get-hacked.html



When You Reclaim Your Account,
How To Secure Your Account

The process of re-securing an account actually consists of two parts:  (1) securing your Gmail account, and (2) securing the Google account that holds your Gmail account.  Both parts must be completed or changes made by someone else may be missed allowing the account to be compromised or accessed again.

1.  Google has created the Gmail Security Checklist which can be used to check your Gmail account and some other related security settings: https://support.google.com/mail/checklist/2986618?rd=1

2.  Google has also created an Account Security Checkup which performs a similar function at the account level:  https://security.google.com/settings/security/secureaccount

What follows are some of the more important parts of the above two items. This is not a replacement for doing them both, but may be helpful to address the most critical items quickly, allowing you to perform the above two checks at a later time (just don't forget).

Getting Started
Begin by scrolling to the bottom of your Gmail page and see if there are any other sessions signed into your account (“This account is open in 1 other location”). Then click the word “Details” where it says “Last account activity” (lower/right) and then “Sign out all other sessions”.



Now change your password to anything reasonable but without worrying too much about how secure it is because you are going to change it again. See the first section in Account Security below.  Next check all the following items and verify that they are set correctly.

Note: in the following “Settings” is accessed using the Gear icon in the upper/right of the Gmail window. If you are using the Basic HTML version of Gmail, then “Settings” will be one of the choices along the top.

Note:  in the following pictures "Filters" will probably be "Filters and Blocked Addresses" since Gmail now has a blocking function.

Note:  in the following pictures "Accounts and Import" may be just "Accounts" in some cases.


Also note that you may have to scroll down on each specific page to find the referenced setting.

Potential Spam
Settings that could result in spam being attached to outgoing e-mail.
  • Settings -> General -> Signature
    Make sure nothing has been added, and be sure to scroll down in case additions aren't visible.

  • Settings -> General -> Vacation Responder (or Out Of Office Reply)
    Make sure it's disabled and empty.
E-mail Theft
Settings that could result in the theft of e-mail (perhaps without any indication that it is happening).
  • Settings -> Forwarding and POP/IMAP -> POP Download
    It is best to disable it unless there is a clear need for it.

  • Settings -> Forwarding and POP/IMAP -> IMAP Access
    It is best to disable it unless there is a clear need for it.

  • Settings -> Forwarding and POP/IMAP -> Forwarding
    Forwarding should be disabled, or the forwarding addresses verified as correct.

  • Settings -> Filters
    No filters defined, or at least no filters that forward or delete e-mail.

  • Settings -> Accounts and Import -> Send mail as
    Make sure it is using your correct e-mail address, and delete any unrecognized entries. Also click the "edit info" link on the right and verify that each entry you have (including the default one) does not have a reply-to address set to an account you do not own.
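
The checks in the Potential Spam and E-mail Theft lists above can also be run over an exported copy of the settings. The following Python audit is an added example, not part of the original article and not a Google tool. The snapshot layout, the sample data and the function name audit_settings are assumptions; each entry is shaped like the corresponding Gmail API users.settings resource.

```python
"""Audit a Gmail settings snapshot against the re-securing checklist.

Added example. SNAPSHOT is constructed sample data; its top-level layout and
the helper names are assumptions. Each entry is shaped like the matching
Gmail API users.settings resource (filters, sendAs, autoForwarding, ...).
"""

SNAPSHOT = {  # constructed sample: an account as left after a takeover
    "sendAs": [
        {"sendAsEmail": "owner@example.com", "isPrimary": True,
         "signature": "", "replyToAddress": "collector@example.net"},
        {"sendAsEmail": "stranger@example.net", "signature": "Buy now!"},
    ],
    "vacation": {"enableAutoReply": True, "responseSubject": "Hi"},
    "pop": {"accessWindow": "allMail"},
    "imap": {"enabled": False},
    "autoForwarding": {"enabled": True, "emailAddress": "collector@example.net"},
    "filters": [
        {"id": "f1", "criteria": {"from": "bank@example.org"},
         "action": {"forward": "collector@example.net"}},
        {"id": "f2", "criteria": {"query": "password reset"},
         "action": {"addLabelIds": ["TRASH"]}},
        {"id": "f3", "criteria": {"from": "news@example.org"},
         "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    ],
}


def audit_settings(snapshot, owned):
    """Return (checklist item, detail) pairs for every setting to review."""
    owned = {a.lower() for a in owned}
    findings = []

    def flag(item, detail):
        findings.append((item, detail))

    for alias in snapshot.get("sendAs", []):
        addr = alias.get("sendAsEmail", "")
        if alias.get("signature", "").strip():
            flag("General -> Signature", f"{addr} has a signature; confirm it is yours")
        if addr.lower() not in owned:
            flag("Accounts and Import -> Send mail as", f"unrecognized entry {addr}")
        reply_to = alias.get("replyToAddress", "")
        if reply_to and reply_to.lower() not in owned:
            flag("Accounts and Import -> Send mail as", f"{addr} replies go to {reply_to}")

    # The article asks for the responder to be both disabled and empty.
    vac = snapshot.get("vacation", {})
    if vac.get("enableAutoReply") or vac.get("responseSubject") or vac.get("responseBodyPlainText"):
        flag("General -> Vacation Responder", "responder is enabled or not empty")

    if snapshot.get("pop", {}).get("accessWindow", "disabled") != "disabled":
        flag("Forwarding and POP/IMAP -> POP Download", "POP is enabled")
    if snapshot.get("imap", {}).get("enabled"):
        flag("Forwarding and POP/IMAP -> IMAP Access", "IMAP is enabled")

    fwd = snapshot.get("autoForwarding", {})
    if fwd.get("enabled"):
        target = fwd.get("emailAddress", "")
        note = "verify address" if target.lower() in owned else "address is not yours"
        flag("Forwarding and POP/IMAP -> Forwarding", f"forwards to {target} ({note})")

    # Only filters that forward or delete mail are flagged; plain labelling is fine.
    for flt in snapshot.get("filters", []):
        action = flt.get("action", {})
        if action.get("forward"):
            flag("Filters", f"filter {flt.get('id')} forwards to {action['forward']}")
        if "TRASH" in action.get("addLabelIds", []):
            flag("Filters", f"filter {flt.get('id')} deletes matching mail")
    return findings


if __name__ == "__main__":
    for item, detail in audit_settings(SNAPSHOT, ["owner@example.com"]):
        print(f"[review] Settings -> {item}: {detail}")
```
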
Account Security
Settings that improve the security of the account as well as make it easier to recover a lost account.

Please note that the path used below (Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page]) to get to account settings can be accessed directly by using the direct link to account settings:  https://myaccount.google.com
  • Settings -> Accounts and Import -> Change account settings -> Other Google Account settings [new page] Sign in & security -> Signing into Google -> 2-step verification 
    For additional account security, enable 2-step verification, and be sure to save a set of backup codes as instructed during setup.
    Direct link: https://accounts.google.com/b/0/SmsAuthSettings#devices

Now that your account is secure, check again for other sessions logged in. If there is still another session on the account, repeat the above until you successfully get everything secured while no one else is logged in. Now that the account is fully secured and you've verified no one else is logged in, you may want to change the password one last time.

And don't forget the Gmail Security Checklist and Account Security Checkup mentioned above.

Additional Information



How To Protect Your Account Contents

As some people learn, even when a compromised account is recovered sometimes the hacker has deleted the e-mail history and/or the contacts. Unless you have backed up that information to your local computer, it may well be lost forever.

There are several ways to back up a Gmail account and a number of tools to help you. Perhaps the most appropriate for Gmail is the free utility https://github.com/jay0lee/got-your-back/wiki (Got Your Back or GYB) which supports backup and restore of both Gmail and Google Apps accounts with full support for labels and the ability to be run as an automated scheduled task. It stores the files on your local computer so they can be included in your normal computer backup.

The following article provides a lot more detail about doing backups and other tools that are available: http://gmail-tips.blogspot.com/2012/01/gmail-backup.html


Last updated:  Aug 10, 2016

* Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.