Google Probes Attacks

Chrise, December 07, 2025 at 08 AM

Gmail Lockout Hack: Google Probes Recovery-Block Attacks

Google is investigating a phishing-driven attack that locks Gmail users out by adding compromised accounts to family plans as child profiles. Victims have a seven-day window for recovery, and experts recommend passkeys and updated recovery details to reduce risk.

Google has confirmed it is investigating an ongoing phishing campaign that is locking users out of their Gmail accounts by exploiting the platform’s family management system. Attackers who gain access through stolen credentials are adding compromised accounts to a family plan as a child profile, which restricts key account controls and blocks standard recovery options.

How the Attack Works

The method begins with credential theft, typically through phishing pages designed to mimic Google’s login flow. Once attackers obtain access, they immediately enroll the victim’s Gmail account into a family group that they control. Because child accounts are subject to parental restrictions, victims lose the ability to adjust security settings, remove themselves from the group, or initiate normal recovery procedures.

Limited Recovery Window

Google states that affected users have a seven-day window to regain access by responding to automated recovery prompts sent to their original recovery email or phone number. If the victim does not complete the process within that period, regaining access becomes significantly more difficult, often requiring additional verification steps.

Who Is at Risk?

Security researchers note that the exploit does not rely on a flaw in Google’s systems but on successful phishing. This makes the attack scalable, putting a large portion of Gmail’s global user base at potential risk. Any user who can be tricked into entering credentials on a fraudulent page is vulnerable to this takeover method.

Recommended Protections

Experts advise enabling passkeys or hardware-based authentication to reduce the chances of credential theft, as these methods are resistant to phishing. Users should also ensure their recovery email and phone number are up to date, since these details are essential for reclaiming access during the seven-day recovery window.

The Takeaway

The attack highlights how social engineering and misuse of account features can have major security consequences. Google’s investigation remains ongoing, but the company emphasizes that prevention hinges on avoiding phishing attempts and adopting stronger authentication methods.

Tags

#account-recovery #cyberattack #gmail #google #phishing #security

Published December 7, 2025. Updated December 7, 2025.
