Why does Google allow the hacker and the account owner to keep resetting passwords in rapid succession? The timeline indicates that two lengthy ping-pong sessions took place during the incident. That kind of behavior should immediately raise a red flag. How often do legitimate users reset passwords alternately from two different locations 10 times in 15 minutes?
I'm surprised that Google doesn't detect two people fighting for control of one account. They could have easily detected ping-pong sessions and locked both parties out of their accounts for a couple of hours. Or they could have penalized the newly added recovery address by forcing an exponential delay between resets using that address. This is not the first time I've heard of somebody breaking into a Gmail account while the account owner is using that very same account.
I was in the same situation about 1.5 years ago, when some security hole in Gmail allowed my account to be hijacked. The account was suspended automatically after the attacker had sent out 7 spam mails, and I could reset the account again without the attacker ever returning. But the ping-ponging did go on for a while and Google did not bother.
I would just be worried about how they lock us out. What if they block both of our IPs, and then the hacker manages to change his IP and can now get in, having an advantage over the legitimate account holder?
Good idea, I think! Lock it after 2 account changes for a few hours at the very least; then the original owner, who is most likely the legitimate owner, will have it back.
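The detection and throttling rules proposed in the two comments above (flag a ping-pong session between two origins, freeze the account after a small number of rapid changes, and apply exponential backoff to resets authorised by a recently added recovery address) are easy to sketch as event-stream logic. The following is an added example written for this thread, not code from Google or from any poster; the event fields, thresholds and sample timeline are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ResetEvent:
    """One password reset on a single account. The schema is assumed for this example."""
    at: datetime
    origin: str            # coarse source label (e.g. an IP bucket or geolocation)
    recovery_address: str  # recovery address that authorised this reset


def count_origin_flips(events: List[ResetEvent]) -> int:
    """Number of times consecutive resets came from different origins."""
    return sum(1 for prev, cur in zip(events, events[1:]) if prev.origin != cur.origin)


def detect_ping_pong(events: List[ResetEvent],
                     window: timedelta = timedelta(minutes=15),
                     min_flips: int = 4) -> Optional[Tuple[datetime, datetime]]:
    """Return (start, end) of the first window that looks like a tug-of-war, else None.
    Heuristic: at least `min_flips` alternations between exactly two origins inside `window`."""
    evs = sorted(events, key=lambda e: e.at)
    for i, first in enumerate(evs):
        in_window = [e for e in evs[i:] if e.at - first.at <= window]
        if len({e.origin for e in in_window}) == 2 and count_origin_flips(in_window) >= min_flips:
            return first.at, in_window[-1].at
    return None


def lockout_until(events: List[ResetEvent],
                  max_changes: int = 2,
                  window: timedelta = timedelta(hours=1),
                  lock: timedelta = timedelta(hours=3)) -> Optional[datetime]:
    """Rule from the thread: once `max_changes` resets land inside `window`, freeze the
    account for `lock` so neither party can keep flipping it. Returns the freeze expiry."""
    evs = sorted(events, key=lambda e: e.at)
    for j in range(max_changes - 1, len(evs)):
        if evs[j].at - evs[j - max_changes + 1].at <= window:
            return evs[j].at + lock
    return None


def required_delay(address_added_at: datetime,
                   prior_resets_via_address: int,
                   now: datetime,
                   probation: timedelta = timedelta(days=7),
                   base: timedelta = timedelta(minutes=5),
                   cap: timedelta = timedelta(hours=24)) -> timedelta:
    """Exponential backoff for resets through a recovery address still on probation:
    the n-th reset via that address must wait base * 2**(n-1), capped at `cap`.
    Addresses older than `probation` are trusted and get no delay."""
    if now - address_added_at > probation or prior_resets_via_address == 0:
        return timedelta(0)
    return min(base * 2 ** (prior_resets_via_address - 1), cap)


# Constructed sample timeline: ten resets in 13.5 minutes, alternating between the
# owner's usual origin and an unfamiliar one, each side using its own recovery address.
T0 = datetime(2024, 1, 1, 12, 0)
PING_PONG = [
    ResetEvent(T0 + timedelta(seconds=90 * k),
               "home-isp" if k % 2 == 0 else "unknown-vpn",
               "owner@example.com" if k % 2 == 0 else "newly-added@example.net")
    for k in range(10)
]
# Constructed benign history: two resets from the same origin, a day apart.
BENIGN = [
    ResetEvent(T0, "home-isp", "owner@example.com"),
    ResetEvent(T0 + timedelta(days=1), "home-isp", "owner@example.com"),
]

if __name__ == "__main__":
    print("ping-pong window:", detect_ping_pong(PING_PONG))
    print("account frozen until:", lockout_until(PING_PONG))
    print("delay for 4th reset via probation address:",
          required_delay(T0, 3, T0 + timedelta(hours=1)))
    print("benign history flagged:", detect_ping_pong(BENIGN), lockout_until(BENIGN))
```

The three rules are deliberately independent so a defender can tune them separately: `detect_ping_pong` is an alerting signal, `lockout_until` is the blunt freeze the thread suggests (the concern about the attacker simply changing IP is why the freeze is keyed to the account, not to either party's address), and `required_delay` slows only the side relying on the recovery address added during the incident.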