**Google 'Looking Into' Gmail Hack Lockout Issue with No Recovery**
As a journalist who has been following Google security for some time now, I've encountered my fair share of alarming reports about compromised Gmail accounts and threat campaigns targeting unsuspecting users. But one recent case in particular caught my attention: a Gmail user who was locked out of their account by hackers using a clever tactic involving the Family Link feature.
According to the user's post on the Gmail subreddit, an attacker had changed their age to 10 on their account profile and then added it to a family account under the attacker's control. The account owner found themselves completely locked out, unable to use any of Google's recovery options. What's more alarming is that this isn't an isolated incident: multiple users have reported falling victim to the same tactic, with some even being forced to send gift cards to recover their accounts.
So, what exactly is Family Link? For those who may not be aware, it's a Google feature that allows parents to create and manage a supervised account for their children under 13. The feature provides various controls, including access to Gmail, Google Search, and the Chrome browser. However, threat actors have discovered a way to exploit this feature by setting up child accounts for users who are not actual children.
By adding a compromised account as a child to a family account they control, attackers can gain full control over the account, including password changes, which in turn locks out the genuine owner. This raises some serious concerns about Google's ability to prevent such attacks and provide adequate recovery options for affected users.
I reached out to Google for comment on this issue, and a spokesperson confirmed that the security team is "looking into" the matter as a known post-compromise action taken by hijackers. However, they also stressed that it's an uncommon tactic, which might be true, but I suspect it will soon become more prevalent now that it's being discussed online.
One possible solution to prevent account takeovers in this way is to set up recovery contacts, which allow users to designate trusted individuals who can help regain access to their accounts if they're locked out. While this might not be a foolproof solution, it's certainly worth considering as an added layer of protection.
Of course, the best way to prevent account compromises in the first place is to use a Google passkey, which has been shown to provide stronger protection against automated bots and phishing attacks than traditional two-factor authentication methods. So, if you haven't already, consider setting up a passkey for your Gmail account today.
**What You Can Do to Protect Yourself**
While it's essential to stay vigilant and take proactive measures to protect your accounts, there are some steps you can take to minimize the risk of falling victim to this tactic:
- Set up a Google passkey for an additional layer of security
- Use strong passwords and enable two-factor authentication
- Regularly review your account activity and report any suspicious behavior to Google
- Consider setting up recovery contacts to help regain access to your accounts
As always, stay informed, stay vigilant, and keep your online presence secure.