I think I've soiled myself

Critical security alert: do nothing!

Return-Path: <3-o0uZAgTBfcmn-qdokxZbbntmsr.fnnfkd.bnlmhfdksqteex.bnl@gaia.bounces.google.com>
X-Received: [snip]; Thu, 06 Apr
 2023 02:16:42 -0700 (PDT)
Date: Thu, 06 Apr 2023 09:16:41 GMT
Subject: Critical security alert
From: Google <no-reply@accounts.google.com>

[Image: Google security alert]

I received a critical security alert from Google today, advising me that someone had my account password, and requesting that I sign in to change it. The damnedest thing is it was sent to an email address that I have no recollection of creating a Google account with. I did create an account to comment on a YouTube video a couple of years ago, but I can't recall what email address I used; and, besides, I deleted the account.

So my first thought was this is a phishing attack. Yet all the domains are Google's. Even the link button resolves to:

https://accounts.google.com/AccountChooser?Email=[snip]&continue=https://support.google.com/accounts/answer/98564?aneid%3D-3795986496008703203

No sneaky folder or subdomain shenanigans. No replacement alphabet or encoding shitnitz. So it seems legit.
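
The same checks can be run mechanically. The Python below is an added example, not part of the original post: it audits the host of a link and of any URL nested in a redirect parameter such as `continue`. The trusted-domain list, the redirect parameter names, and the constructed address standing in for the snipped `Email` value are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

TRUSTED_DOMAINS = ("google.com",)                    # assumption: what counts as "Google's"
REDIRECT_PARAMS = ("continue", "next", "redirect")   # assumption: common redirect keys

# The link from the alert, with the snipped address replaced by a constructed one.
PAGE_LINK = ("https://accounts.google.com/AccountChooser?Email=user%40example.com"
             "&continue=https://support.google.com/accounts/answer/98564"
             "?aneid%3D-3795986496008703203")

def host_findings(url):
    """Return a list of reasons the URL's host should not be trusted."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # "https://accounts.google.com@other.example/" really goes to other.example
        findings.append("userinfo before host")
    if not host.isascii():
        findings.append("non-ASCII host")             # replacement-alphabet lookalike
    elif any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label")             # encoded form of the same trick
    # Exact match or a true subdomain; "google.com.login.example" must not pass.
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        findings.append("host outside trusted domains: " + host)
    return findings

def audit_link(url):
    """Map the link and every nested redirect target to its findings."""
    report = {url: host_findings(url)}
    query = parse_qs(urlsplit(url).query)
    for name in REDIRECT_PARAMS:
        for target in query.get(name, []):
            report.update(audit_link(target))
    return report

if __name__ == "__main__":
    for link, findings in audit_link(PAGE_LINK).items():
        print(link, "->", findings or "ok")
```

A clean report only says where the link leads; it says nothing about who sent the message.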

As a precaution, I went to accounts.google.com directly, not via the links. I typed the email address into the account name dialogue and was prompted for the password. Damn! Forgot password. But, hey, there's a handy forgotten password link…which prompts you for the last password that you remember using. I guess that might work in some cases, if you use a systematic naming convention, for example, but it seems pretty unhelpful otherwise; and it suggests Google logs all your passwords, presumably in perpetuity, which sounds like a potential security vulnerability to me. Wouldn't it make more sense to email a password reset, like pretty much everyone else does?

If you can't remember any passwords for the account, you can try another way. This option simply washes its hands of the problem, and tells you that you can't be signed in. Screw you, shithead!

[Image: Google account reset: forgot password?] Forgot password? Fret ye not…
[Image: Google account reset: enter password] …just enter a previous password, or try another way…
[Image: Google account reset: can't sign in] et voilà! (rolleyes)

End result: if that account is real, and someone has my password to it, then there's bugger all I can do about it.

Honestly, for all the big brains supposedly at Google, they don't seem to have much in the way of common sense. Perhaps they should sack Big Bird.


[Image: Google: no account found]

Hmmmz. I went back, and tried to recover my user name from earlier in the account recovery process. Strangely enough, no account exists with my combination of name and email. As I thought.

Nevertheless, I have no idea why Google would've sent a security alert to a mail address for a corresponding Google account that doesn't exist. I couldn't see, from analysing the message, both in raw source and presentationally, how it could have been a phishing attack.

I guess it shall just remain one of those mysteries. Like crop circles, the popularity of the Kardashians, and BBC breaking news policies.