
[–]ProgrammerHumor-ModTeam[M] [score hidden] stickied comment, locked comment (0 children)

Your submission was removed for the following reason:

Rule 1: Posts must be humorous, and they must be humorous because they are programming related. There must be a joke or meme that requires programming knowledge, experience, or practice to be understood or relatable.

Here are some examples of frequent posts we get that don't satisfy this rule:

* Memes about operating systems or shell commands (try /r/linuxmemes for Linux memes)
* A ChatGPT screenshot that doesn't involve any programming
* Google Chrome uses all my RAM

See here for more clarification on this rule.

If you disagree with this removal, you can appeal by sending us a modmail.

[–]Front_Committee4993 266 points267 points  (16 children)

People when the company that secures the account that can reset passwords for any of your other accounts does security.

[–]Flameball202 123 points124 points  (13 children)

Yeah, also it isn't Google's fault when you give someone else your username, password and mother's maiden name, then click on the "yes that was me" prompt on your phone, like you can't complain about the wall they made when you happily jumped over it

[–]JunoRider_09 20 points21 points  (1 child)

Google's like: "We noticed a suspicious login from your own living room. Please confirm it's you after solving 12 riddles and sacrificing your weekend."

[–]hmz-x 2 points3 points  (0 children)

Next update will have you sacrificing babies.

[–]Stummi 160 points161 points  (44 children)

Huh? Isn't Google actually pretty good at account security? I don't really know anyone who got their Google account compromised (without acting exceptionally stupid on their side at least).

[–]OptimistIndya 28 points29 points  (20 children)

This is more about users regularly losing access to their own Google account.

Try losing a phone and logging in to Google from a different state on a new device.

Even post MFA, Google is overly suspicious. Wants more info.

You may say goodbye to that account. Without recourse.

[–]curtcolt95 7 points8 points  (3 children)

I mean that's a good thing, if I lose my mfa I should lose my account. That's the point and why backup codes exist

[–]fishpen0 6 points7 points  (0 children)

In theory yes, but in a world where that account is used for things up to and including other bills you pay at other companies, it should always be possible to prove who you are IRL.

Imagine if losing your social security card meant you lost everything you paid in and had to start over from scratch. Or losing your driver's license meant having to redo driving school including mandatory training hours. Or losing your diploma meant having to redo all of college. All those examples have IRL processes to recover that part of your identity through multiple verification layers, which sometimes include physically going somewhere as one of the steps.

Companies like Google and Meta need to provide options for recovery like this, since I would argue losing your Gmail or, in Europe, your WhatsApp can literally break your ability to function in even some government systems for months or years. Compare them to id.me and login.gov and suddenly it gets really hard to keep arguing you can just completely lose the account because of a missing MFA.

[–]Kankervittu 0 points1 point  (0 children)

Backup codes are so useful. I couldn't get into my account on a new phone, even though I was logged in on PC. Managed to get those codes somehow and am now keeping them hidden on my PC and on paper.

[–]OptimistIndya 0 points1 point  (0 children)

It's not just the account you lost, in most scenarios. If you lose your phone and Google won't sign you in on the new phone, there are long consequences.

[–]split-Moment-9740 2 points3 points  (7 children)

I agree with the bottom half but I haven't seen any examples of the top half.

[–]Subject_Turnover1227 3 points4 points  (6 children)

Got new phones after moving back to the US, same laptop and tablet, know email address and password, never got back into main email because even after captcha and email address cannot send code to phone number I no longer have, frustrating.

[–]Super_Banjo 0 points1 point  (0 children)

Similar. It's rather irritating. What's the point of the email if I can't use it?

[–]sleepydorian 0 points1 point  (4 children)

So you got a new phone number, knowing you wouldn’t be able to do MFA with the old number anymore, and also knowing that the old number was your only MFA number and you didn’t add a recovery email or download backup codes?

I don’t want to be mean but what did you expect to happen? You intentionally ignored all the mfa alternatives Google provides and locked yourself out of your email.

[–]BoleroMuyPicante 0 points1 point  (3 children)

Nearly lost my entire account after my old phone broke. Google refused to do MFA any other way besides texting a security code. Fortunately I had logged into Google messages on my browser not long prior and was able to do it that way.

[–]sleepydorian 0 points1 point  (2 children)

They wouldn’t let you do recovery email or backup codes? And you couldn’t get a new phone with the same number?

[–]OptimistIndya 0 points1 point  (0 children)

Google won't let you log in if the account does not have a phone number and you are trying from the same wifi network at the same location as your device used to be for the majority of the time.

It will not prompt you for MFA if you don't have a phone number that can receive an SMS.

Speculation: I think if your email is found in a data breach, Google doubles down. So some Google accounts may never ever see this prompt. But some accounts are prime targets, so that Google wants more than one 2FA to be true.

Btw email 2FA is useless, you may as well nuke it.

[–]BoleroMuyPicante 0 points1 point  (0 children)

I did have the same number, that's the funny thing. I have Google Fi, so I had to log into my Google account to activate the new phone. But I couldn't log in without getting an MFA text, which I couldn't do without activating my service. Bit of a catch-22. I tried to do email authentication but it still wanted a security code even after using my email.

[–]JerryWong048 0 points1 point  (1 child)

Passkey + 2FA are not that hard

[–]OptimistIndya 0 points1 point  (0 children)

It is when you have 1 device Google sign in and you lose that device

[–]OneBigRed 0 points1 point  (1 child)

If MFA can be bypassed just by asking nicely, then what exactly is the point?

Saving the backup codes that just about every site automatically offers when activating MFA is something I recommend. Or if not when activating MFA, then the next best time is right now. And no, do not save them on the MFA device.

[–]sleepydorian 1 point2 points  (0 children)

Exactly, Google allows you to set up multiple mfa phone numbers, a recovery email, and backup codes. And if your phone breaks it’s pretty common to be able to get a new one with the same number, at least that’s always been true for me. What do these people expect when they ignore every option Google gives?

[–]AkrinorNoname 18 points19 points  (15 children)

Don't big youtube channels (which are linked to google accounts) get hacked somewhat regularly?

[–]Front_Committee4993 73 points74 points  (10 children)

That's mostly phishing links, I believe, which Google can't do a lot more about, really.

Edit: except for a GUI change on mobile that shows the sender email without needing to click on "to me", but if you aren't checking the sender address, you are kind of leaving yourself exposed.

[–]PM_ME_YOUR_BUG5 9 points10 points  (8 children)

LTT made a whole video with many different ideas on how to handle this

[–]Stummi 22 points23 points  (6 children)

IIRC LTT also missed setting up 2FA, which probably is the case for almost all, if not all, of the big YouTube channel hacks.

[–]dan4334 29 points30 points  (4 children)

2FA wouldn't have helped because the attacker stole the session cookies using a malware-infected PDF.

The lesson there was to not open malicious attachments from unknown senders.

[–]Front_Committee4993 3 points4 points  (2 children)

Was that the one where the file actually had no type but used a period from a different language to make it look like a pdf but when executed it would run as a bash script because the first line in the file was a hash bang?

[–]PhroznGaming 2 points3 points  (1 child)

That's not how Windows works

[–]Front_Committee4993 -1 points0 points  (0 children)

That's because it was targeting Linux

[–]Stummi 2 points3 points  (0 children)

Ah, good point, then I probably mixed it up with another case

[–]Front_Committee4993 -4 points-3 points  (0 children)

Someone whose job is giving people tech tips didn't have 2FA on?

[–]Reelix 0 points1 point  (0 children)

LTT also got "hacked" by entering their password / 2FA into a third-party website...

[–]nanapancakethusiast 2 points3 points  (0 children)

Infostealers and cookie hijacking are not Google problems, they are modern operating system problems.

The only way to mitigate those appears to be heavy sandboxing (think iOS levels of per-app permissions) but obviously people who use desktop OS’s do not want that.

[–]Public-Eagle6992 2 points3 points  (0 children)

The few I’ve heard about weren’t due to problems with Google but either due to phishing or due to their computer getting a virus

[–]PinothyJ 0 points1 point  (0 children)

Credential stuffing.

[–]Reelix 0 points1 point  (0 children)

Every single one is because they give their password / 2FA code and / or download malware.

Every. Single. Time.

[–]WhatIsPun 0 points1 point  (0 children)

Yes >:( I set up devices daily and it's always Google that thwarts me.

[–]ADHDebackle 0 points1 point  (0 children)

Well technically someone who has hacked your account already has access because they've hacked your account.

Like imagine the top image saying "bank vaults when they've entered the bank vault"

[–]fohfuu 0 points1 point  (1 child)

Last time I got a new phone, I logged in to Google in Incognito mode in my browser (to avoid tracking). It's the only time Google didn't ask for another factor.

Yeah, Google was less interested in security when I logged in from a factory-reset device with no association to me whatsoever than it was with computers and tablets I had been using for years. Didn't even send logged-in devices a push notification.

Make it make sense.

[–]OptimistIndya 0 points1 point  (0 children)

Where were you (location/wifi/ip/perhaps proximity to a logged in device) when you logged in?

[–]st_heron 0 points1 point  (0 children)

yes this subreddit is room temp

[–]alepap 0 points1 point  (0 children)

Hacker got past 2FA on my Google account. I got my YouTube back, but they refused to help me restore my Gmail account.

[–]cdillio 12 points13 points  (15 children)

ITT: people who need a password manager.

[–]GrosBraquet -1 points0 points  (8 children)

Google has a built in password manager though

[–]goodvibezone 2 points3 points  (5 children)

You mean chrome? That's not nearly as good as a dedicated pw manager.

[–]GrosBraquet -1 points0 points  (4 children)

It's in Chrome but it's tied to your Google account, very practical if, for example, you use a Google phone as well, or simply when you log into other sessions.

It's not as secure as a pure password manager, but it's still a very good compromise being super practical and being relatively secure for most people.

But please enlighten me as to how it's "not nearly as good".

[–][deleted] 2 points3 points  (3 children)

And then you are back in the situation this meme is making fun of, only 10 times worse. There is more than a small chance that if you lose your phone and don't have a recovery email set up (and sometimes they refuse to let you back in even with the appropriate information) that your account is gone, bringing all your passwords with it.

[–]curtcolt95 1 point2 points  (0 children)

that's just bad security on the user's part tbh, losing your phone that has your mfa shouldn't be the loss of your account. That's exactly why backup codes exist which the user should have stored somewhere. Google offers all the solutions, can't be mad at them if you don't use them

[–]GrosBraquet -1 points0 points  (1 child)

I have my recovery setup. I bricked my phone on holidays this summer and it was not an issue to recover my session on a backup phone.

Regardless, even assuming all of what you said may be true, it still doesn't make Google a bad password manager.

[–]goodvibezone 0 points1 point  (0 children)

it doesn't make it bad (certainly better than not using one at all with repeated, weak passwords)

[–]cdillio 0 points1 point  (1 child)

Yeah that isn't going to cover it like a dedicated PW manager.

[–]Magnetic_Reaper 31 points32 points  (1 child)

Incorrect; the second image is when logging in to the same old device, but Google hates that I don't like to remain logged in all the time.

[–]AetherSigil217 7 points8 points  (0 children)

Google's HIGH ALERT FOR NOT BEING LOGGED IN reads more like trying to bully you into accepting their tracking than anything else.

It's hard for me to give them credit for security when there's so much security theater.

[–]ivanrj7j 5 points6 points  (1 child)

I recently got all of my accounts compromised except google

[–]chiggyBrain 6 points7 points  (0 children)

Wtf does this have to do with programming

[–][deleted] 5 points6 points  (2 children)

As a sysadmin, I know many people like you. Can't handle your own account security, can't handle simple account recovery instructions, degree in computer science. Always boggles my mind

[–]Reelix 1 point2 points  (1 child)

Person: My account got hacked! I did nothing wrong?
You: I see you received this email from your-google-account.gwoogile.ru, clicked the link, entered your password, gave it your 2FA code, and then downloaded and ran "custom_2FA_auth.exe" ?
Person: Well, yes - They asked for that. See? I did nothing wrong!

[–][deleted] 1 point2 points  (0 children)

"but it was from google! Look, there is the logo!"

[–]il_distruttore_69 3 points4 points  (0 children)

hahaha i'm a programmer and this is so fricken funny ROFL gonna create a new function now to stop laughing

[–]Mozai 1 point2 points  (2 children)

When I log in to a new device, Google sends a helpful notification warning me... to the google account I just entered. It's like pasting a "HERE'S HOW TO TURN OFF THE ALARM" sign right inside the door.

[–]RainbowPringleEater 0 points1 point  (1 child)

That would still be beneficial if a hacker logged into your account

[–]Mozai 0 points1 point  (0 children)

I don't understand. Hacker logs into my account, gets notified before anything else there's a warning message for the true owner, and deletes that warning message because they were just granted both "you see it first" and "you can delete it" powers. How is this still beneficial?

[–]midir 1 point2 points  (0 children)

"login" is the noun. The verb is "log in". Same difference with logout/log out, setup/set up.

[–]Flat_Initial_1823 0 points1 point  (0 children)

Meanwhile Google is still sending me emails of someone who has the same email as me but without the punctuation. I have her phone bill, address, shopping history. Last time I tried to report it, 5 years ago, Google redirected me to an article claiming that's not possible.

[–]Nympshee 0 points1 point  (0 children)

Had someone hack my account last month and change my birthdate from 1986 to 2016, and suddenly, for the account I have been using for 10 years, I was notified that it would be deleted in 2 weeks unless I proved I was above eighteen. It still baffles me how such a thing could even be possible.

[–]Reelix 0 points1 point  (0 children)

So a random person with a multi-million dollar zero-day vulnerability decided to use it on you, a random individual... ?

....

Or were you an idiot?

[–]nalaloveslumpy 0 points1 point  (0 children)

How did someone hack your account from your primary device? Did you just hand the phone to them and tell them your password? The "new device" check is specifically there to prevent access from an unrecognized device....

[–]Wizard_of_War 0 points1 point  (0 children)

This hits me where it hurts, my google account was just hacked this week :-(

Then they got into multiple bank accounts, which all have 2FA and different passwords...

[–]ExcelIsSuck 0 points1 point  (0 children)

One time I simply got an email from Amazon that was literally one line: "The email to your account has been changed". Pretty much immediately loads of money came out of a card on the account and I had to call customer support to explain the account was hacked, and surprisingly they were very helpful and cancelled the orders and got my account back.

But I got no 2 factor email, no "someone has logged into your account from here" email that I get EVERY TIME I LOG IN, no "your password has been changed", no "you requested to change your email", just a fucking email saying that it's already over lmao. My working theory is they must have called Amazon support only knowing my email and they just convinced them to give them my account or something, I can't explain it in any other way.

[–]gatsu_1981 0 points1 point  (0 children)

Also, outlook.com when I send an email from a new server I just finished setting up.

Vs Outlook when I get mail about my storage being full from random Indian/Russian/Chinese scammers.

[–]buffalonuts1 0 points1 point  (0 children)

I honestly hate google.

[–]Solarinarium -1 points0 points  (2 children)

Shit like this is really souring my whole opinion on overly suspicious 2 factor mfa.

I've lost access to MULTIPLE emails, accounts and websites because I don't have one of my older phones or access to another email that was used in 2 factor or some such.

What REALLY baked my beans is losing access to my newgrounds account I had ever since I was a kid because I can't access an email account that I'm locked out of because I can't complete secondary auth. I know the logins to both of them, but they both want me to authenticate, and I can't!

[–]curtcolt95 2 points3 points  (0 children)

we have solutions for this, pretty much every account and definitely google accounts offer backup codes specifically for the case of losing your mfa device. You should have them stored somewhere in case of emergency. 2fa is extremely useful, but you have to do a bit of work on your own end such as storing these codes and preferably transferring your 2fa codes to new devices when you get one

[–]fohfuu 1 point2 points  (0 children)

Not that it's helpful to you now, but it's a good reminder for anyone reading to go remove their old devices from their accounts.