Gmail Hacked? You Now Have 7 Days to Get it Back


Google has confirmed users who are completely locked out of their Gmail accounts after an attack can still recover their access. However, they have just seven days to act after the breach.

The issue involves cases when an attacker not only gains access to an account, but then changes security and recovery settings. These can include an alternative email address or a phone number.

In both cases the idea is that if a user learns their account has been breached, they can issue a password reset request, choose a new password and regain access. At the very least this limits the time the attacker has to read through past emails and to use the account maliciously, for example for identity theft.

Lockout Limit

The problem is if the hacker acts quickly and is able to change the information in the recovery settings. This would usually involve overcoming security measures such as two-factor authentication (which Google calls 2-Step Verification). Bypassing this is difficult but not impossible. Once the attacker has changed the information, the real account owner will be unable either to access the account or to reset the password.

Forbes' Davey Winder has confirmed with Google that there is a workaround. This revealed a little-known policy: a recovery email or phone number should still work for seven days even after it has been changed. (Source: forbes.com)

SMS Text Verification Dropped

In other words, somebody locked out of their account can still regain access for a week, as long as they set up a recovery email or phone number in the first place.

The good news is that account breaches and lockouts should be getting rarer thanks to an update to Google's two-factor authentication. It will no longer send text messages containing an authentication code, a system meant to stop an attacker who has obtained a user's password but does not have physical access to their devices. Instead, Google will generate a QR code that appears on screen for the user to scan with a phone camera. (Source: arstechnica.com)

Understanding the Gmail Lockout Problem

When a Gmail account is breached, it often goes far beyond just losing access. Attackers commonly:

  • Change the password to lock you out immediately
  • Alter or remove your recovery email and phone number
  • Disable or bypass 2-Step Verification
  • Use the account to send phishing emails or steal your identity

Without valid recovery options, many users find it nearly impossible to regain control. This is what makes Gmail account recovery such a critical issue, especially after a security breach.

The Seven-Day Recovery Window: What It Means

Google recently confirmed a policy that may help users recover from full account lockouts. If a hacker changes your recovery email or phone number, the original recovery info still works for 7 days after the change.

This means if you act quickly, you may be able to recover your Gmail account even after a breach. However, there is no visible countdown or warning when this window starts, so timing is everything.

Why Only Seven Days?

Google has not officially explained why the recovery window is limited to 7 days instead of 30 or more. However, there are likely two reasons:

  • Security: A longer window could increase the risk of unauthorized recovery attempts, especially if a hacker tries to reverse-engineer the original contact details.
  • Urgency: A shorter window encourages immediate action and reduces the risk of attackers maintaining access to a compromised account over time.

While 7 days may feel short, it is far better than having no fallback option at all. It is designed as a last-chance recovery route for users who were previously left with none.

How to Secure Your Gmail Before a Breach Happens

The best way to avoid a lockout is to prepare your account now. Here are key steps:

  1. Set up recovery options: Go to your Google Account Settings and add a recovery email and phone number. Verify that both are working and up to date.
  2. Enable 2-Step Verification (2FA): Use an authenticator app, physical security key, or push notification rather than SMS.
  3. Download backup codes: Generate and store them in a safe offline location.
  4. Monitor your account: Regularly check your login activity and security settings to catch suspicious behavior early.

These steps can help prevent an attacker from taking over your account and locking you out permanently.

How to Regain Access to a Locked Gmail Account

If you have already lost access to your account but had recovery info set up, act fast. Here is what to do:

  1. Visit the Google recovery page: accounts.google.com/signin/recovery
  2. Enter your Gmail address and follow the prompts
  3. If within the 7-day window, your old recovery phone or email may still work
  4. Verify your identity using a code, old password, or other prompt
  5. Reset your password and log in again
  6. Once inside, secure the account:
    • Change the password again
    • Remove unfamiliar devices
    • Re-enable 2FA and reset backup codes
    • Check for suspicious filters or auto-forwarding rules

The sooner you act, the more likely it is that recovery will work.
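The last clean-up step above, checking for filters and forwarding rules an intruder may have left behind, is easy to skip when you are scrolling through a long filter list by hand. Gmail lets you export your filters as an XML file (Settings, then Filters and Blocked Addresses, then Export), and the Python script below scans such a file. It is an added example written for this article, not Google's code; it assumes the Atom-style layout and property names (forwardTo, shouldTrash, shouldArchive, shouldMarkAsRead, hasTheWord, and so on) that the export produces, and the sample export embedded in it is constructed. It flags any filter that forwards mail to an address you did not list as your own, and any filter that trashes, archives or marks as read messages whose match criteria mention password resets, verification codes or security alerts, which is how an attacker keeps Google's own warnings out of your sight.

```python
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"
APPS_NS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of a Gmail filter export (mailFilters.xml):
# one ordinary newsletter filter, one that trashes security mail, and one
# that forwards everything to an outside address.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='news@newsletter.example'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='"verification code" OR "password reset"'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='to' value='me'/>
    <apps:property name='forwardTo' value='copy@intruder-mailbox.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""

# Terms in a filter's match criteria that suggest it targets the mail Google
# sends about your own account (sign-in alerts, recovery, password changes).
SENSITIVE_TERMS = ("password", "verification", "security alert", "recovery",
                   "sign-in", "signin", "2-step", "new device")

# Filter actions that keep a matching message out of the owner's sight.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.findall(f"{APPS_NS}property")}
        for entry in root.findall(f"{ATOM_NS}entry")
    ]


def audit_filter(props, trusted_forwards=()):
    """Return findings for one filter; an empty list means nothing suspicious.

    trusted_forwards: addresses you deliberately forward to. Any other
    address that receives a copy of your mail is reported.
    """
    findings = []
    forward_to = props.get("forwardTo")
    if forward_to and forward_to.lower() not in {a.lower() for a in trusted_forwards}:
        findings.append(f"forwards mail to {forward_to}")
    criteria = " ".join(props.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
    hides = any(props.get(action) == "true" for action in HIDING_ACTIONS)
    if hides and any(term in criteria for term in SENSITIVE_TERMS):
        findings.append("hides security-related mail from the inbox")
    return findings


def audit_export(xml_text, trusted_forwards=()):
    """Audit a whole export; returns {filter_index: [findings]} for flagged filters only."""
    report = {}
    for index, props in enumerate(parse_filters(xml_text)):
        findings = audit_filter(props, trusted_forwards)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"filter #{index}: " + "; ".join(findings))
```

Run it against your own export by reading the file into `audit_export`, passing any forwarding addresses you set up yourself in `trusted_forwards`. A filter is judged on what it hides rather than on how it is labelled, so a rule that merely files newsletters is left alone while one that trashes "verification code" mail is reported even if it looks harmless at a glance.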

Why SMS Verification is Being Phased Out

Google is retiring SMS-based verification codes because they are no longer secure. Hackers can intercept these messages using SIM swapping, malware, or flaws in the mobile network.

Instead, Google is moving to more secure options:

  • QR code login: Scan a code on screen using your phone
  • Push prompts: Approve logins from a notification sent to your phone
  • Authenticator apps: Use Google Authenticator or similar tools for one-time codes
  • Security keys: Use a physical device like a YubiKey to verify logins

If you still rely on SMS for 2FA, it is time to update your security settings.

What's Your Opinion?

Have you set up recovery details on your accounts? Were you aware of the seven-day workaround with Gmail? Have you ever been locked out of an account?
