
Posted by zenincognito 3 days ago

My Google Workspace account suspension (zencapital.substack.com)
369 points | 221 comments | page 2
827a 3 days ago|
Google's customer support is interesting. It's definitely a case where you'll sometimes hit pockets of the company where clearly there was someone who made it their life's work to fix this bad reputation they have; while other pockets make it clear that they deserve the reputation.

I had a Nest subscription that became a total mess. If you've ever tried to use Nest before, or are coming from a legacy Nest account, and/or also have a Workspace account that somehow got wrapped up in the mess, you'll understand how much of a clusterf Nest is for the Google ecosystem. I had signed up for this subscription on a personal Google account, cancelled it, but was still being charged for it, and the credit card being used made me think it was getting charged on my Google Workspace account (which isn't officially supported, and would never let you sign up for it, but DID share an email address with my legacy Nest account I had migrated into the non-Workspace personal account I was using for Nest).

They had to escalate the problem a couple times, which took ~24 hours. Once that happened, their rep had it resolved in minutes, and refunded me two months on the subscription.

The biggest piece of advice I can give when dealing with Google is: Never be weird. You cannot ever put yourself in a situation where your account isn't like the other billion accounts they have. If you do, something will go wrong and it's rolling the dice on whether you'll ever reach someone who can help you. If you've used Google enough, you know: Their multifactor settings are weird. You cannot set it up exactly how you want; it'll always trigger some auth method you didn't configure but they have "LATENT KNOWLEDGE" you should be able to authenticate with, like a phone number you configured six years ago, or gmail installed on a tablet that's 400 miles away, and you can't turn it off, even on Workspace.

My favorite bit of Googleism: Go to any site you sign in with Google SSO and watch the URLs in the eight redirects it has to do before it signs you in. You'll see a "youtube.com" in there. Even on a Workspace account. Youtube.com is a load-bearing website in their core auth flows.

Mess of a company. I hope they invest some effort in improving things, but I was saying the same thing in 2018. They probably won't.

nullc 3 days ago||
> like a phone number you configured six years ago

I've put in a heroic effort to make sure they never get a phone number, specifically so they can't start handing my account over to the first clown who simswaps me, and have been successful. Unfortunately, this makes my account weird, which as you noted is fatal.

Ferret7446 3 days ago||
> My favorite bit of Googleism: Go to any site you sign in with Google SSO and watch the URLs in the eight redirects it has to do before it signs you in. You'll see a "youtube.com" in there. Even on a Workspace account. Youtube.com is a load-bearing website in their core auth flows.

I assume that's just because they need to set a cookie on the YouTube domain in case you visit YouTube later on the workspace account, and not "load bearing" in the manner you insinuate.

827a 3 days ago||
If the youtube.com 302 failed to itself 302 back to the next destination; because the site is down; would that not be load bearing?
Ferret7446 3 days ago||
You do not hit YouTube directly. You hit Google's frontend server which then does internal routing. Likely it would be able to route around it. Or rather, the auth part of YouTube is not the same as all of the other parts of YouTube. For big tech companies like Google, a website is not one single binary that serves requests, but a ton of services handling different things (and some of those services being caching so it doesn't slow things down as you might think). It is highly unlikely that the main services comprising YouTube as a video streaming site would bring down Google auth.
zenincognito 3 days ago||
Update: A kind stranger from Google reached out and this is now resolved. Thank you HN for helping me through this.
entrox 3 days ago|
It is quite frankly ridiculous that you need to be in the "in-group" to get things like this resolved and it is not the first time this has been reported, be it Google or Meta or any other big tech corpo.

These players MUST be regulated or treated like utilities; hoping the EU will ratchet up the pressure even more.

Jimmc414 3 days ago||
Google needs to understand that watching this nightmare scenario play out over and over again is actively destroying trust in their platform. When your email, authentication, documents, payroll, and CRM all flow through a single provider and that provider can lock you out overnight with no meaningful recourse, you’ve invited customers to place their entire digital presence into a house of cards. The fact that this same story surfaces almost daily should be a wake up call to existing and prospective customers. Every unresolved lockout is one more reason to start planning an exit. Google has led the effort to lower the bar so much that it’s commonplace and somehow acceptable to ghost paying customers who you’ve locked out or even worse bounce them through a gauntlet of AI chat bots with the illusion that you are even aware of the damage you’ve caused.
tracerbulletx 3 days ago||
Yeah, loss of a google account in certain cases can destroy entire small businesses and there's no recourse. In the old world we had extremely deep bodies of case law around utilities and commercial leases and road access, insurance and all kinds of things to make business operation legally predictable, but for the digital equivalent it's still the wild west and everyone just throws up their hands like it's unavoidable.
macintux 3 days ago|||
Imagine being homeless, and your Gmail account is your online identity for what little financial presence you have, and how in the world can you recover from its loss?
Rastonbury 3 days ago|||
On the surface it seems like it would be a good idea for all these users who were suspended to do a mass arbitration like what happened to Uber to get them to start taking it seriously, this comes up like monthly people getting account pulled up from under them and impacting business. Maybe there are legal differences or something https://www.mbelr.org/mass-arbitration-how-ubers-own-alterna...
jamiemallers 2 days ago|||
[dead]
Spooky23 3 days ago||
I don’t disagree, but the reality is SaaS is the model that most companies depend on and these risks exist everywhere.

If your business is dependent on services you need to take a modicum of effort to protect yourself - the post's author was literally walking around with his entire business at risk from him dropping his phone or having it pickpocketed.

At the end of the day, the protagonist in this story is mad because Google won’t allow him to social engineer access to his company. He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.

quadrifoliate 3 days ago||
> He deleted his sole token (Google makes it trivial to add many) in the most fraud signally way possible.

Are we reading the same blog post? He had his password, 2FA authenticator set up, and backup codes -- everything Google asks you to have to be on the "golden" auth path.

He only deleted his SMS authentication path (one thing I don't understand is how he was able to do this in the first place without being logged in), which is in any case the least secure method of 2FA. Also, it should be fairly obvious that SMS is not expected to work seamlessly while traveling, how is this not a scenario that's hit by millions of Google users worldwide?

Spooky23 3 days ago||
We’re hearing one side of the story from a frustrated user recounting a borderline traumatic and stressful event.

The SMS only fallback is when other things have failed and they suspect that there’s been a takeover. Microsoft does something similar to tie it to some tangible thing. I’m not excusing Google. Their exception handling is poor at best. I’ve seen issues at customers where phones left in flight get flagged because of GPS disruptions due to Middle East conflicts, for example. (Phones flagged as having been in Syria or Russia can be kryptonite) One scenario was a VIP whose kid was in Europe with their other parent and the VIP’s tablet, signed into work email.

Other factors apply too - there may be multiple accounts tied to the number that are in different locales, for example. No idea what obnoxious rules Australia and UK add as well.

Point is, this type of shit happens and you should have a contingency.

quadrifoliate 3 days ago||
> Point is, this type of shit happens and you should have a contingency.

Let's work through what the contingency could have been. Always make sure you buy international roaming everywhere you go? Always be able to switch your MX records (from a provider whose account isn't tied to a Google-controlled email)?

They seem to get increasingly less practical to be honest. People travel all over the world every day, this shit shouldn't be hard for a company like Google that supposedly ingests mountains of data.

More to the point, I think email has become sort of a fundamental right given how much of your identity depends on it. Companies that control this sort of identity foundation need to be heavily regulated, and perhaps nationalized.

Spooky23 3 days ago||
Ok, sure man. In the meantime before the Lenin of our age appears…

In this case, don’t run around with a business account with a single user with admin privileges. Segregate privilege. Don’t share a phone number with other accounts. Don’t use SSO as the key to your business.

If you run a business you need to manage risk. If a customs officer thought he looked funny and seized the phone, he’d be boned as well.

welder 3 days ago||
> I removed my phone number from the account. I am travelling to the UK for a short period and did not want to have roaming on my Australian phone.

So for my own notes, removing a phone number from my Google account before travel will risk account suspension. Hope OP resolves it, but also need to make sure this never happens to me.

cadamsdotcom 12 hours ago||
25 years ago my friends and I all had hard drives crash, and lost my data” experience. Corporate cancelation is harder to mitigate - but far rarer. The way things work in 2026 is very friendly to normies.

But you dear HNer ain’t a normie!

You have the skills to migrate your stuff away. It is time to pull the trigger.

0xpgm 3 days ago||
Instead of getting more dependent on Big Tech's AI products, I think the perfect use for AI is to develop tools and workflows that decouple one from Big Tech.
storus 3 days ago||
I keep paying ElevenLabs for 3 years after some early AI agent project where I used it as my payment data is bound to a google account associated with a phone number that expired in the meantime. I thought adding the google authenticator to the account and switching to it as a secondary authentication method from the phone number would allow me to cancel the subscription, but for some reason Google insists I verify using the expired phone number...
lukeschlather 3 days ago||
> On Saturday, April 4, at 5:06 AM, I received a notification saying my authenticator had been removed. It hadn’t. The authenticator was still active on my phone - it was the recovery phone I had removed. Google apparently conflated the two.

This is a massive bug here. I was also surprised recently that Google won't let you enroll multiple Authenticators. If we had functional security regulations I think there would be some pretty large fines for Google's error here.

pzmarzly 3 days ago||
I guess one way to protect yourself from this would be to use another IAM solution for SSO login to Google Workspace, but is there any reasonable choice for small businesses other than Entra ID or Okta?
gchamonlive 3 days ago|
There's always keycloak you can roll out yourself. It's not trivial but it's quite doable.
watusername 3 days ago|||
Instead of Keycloak, I would recommend giving Kanidm a try: It's much more lightweight and covers most of what you usually need (one notable exception being SAML).

https://github.com/kanidm/kanidm

walterbell 3 days ago|||
Thanks for the pointer, https://news.ycombinator.com/item?id=47649354

edit: looks like there are affordable managed hosting providers for keycloak.

gchamonlive 3 days ago||
I was a long-time k8s skeptic, but I think it's solid now. If there's good support for keycloak for k8s with support for backups I wouldn't think twice.

Not sure the state of keycloak now, but it was a lot of work to manage keycloak configs with the IaC pipeline. That could have gotten better now, but I think having access to the data is important because migration might not be trivial if for instance a provider starts acting up.

e40 3 days ago|
This is why I do full Google Takeout every 2 months and have my own domain with Workspace. I don't rely on cloud file storage. The calendar is important, but I could switch easily.

IMO, the worst part of this is Workspace support is immune to ANY explanation. I mean, credit card companies are well used to "is this your transaction?" emails.
