I am the one who had been using G Suite before it became Google Workspace for more than a decade. Last year I changed my email provider, cancelled the Workspace subscription and deleted the Google account only to create a new one with the same email address as a normal user. Used Google Takeout to transfer all valuable assets out.
I lost access to literally nothing! SSO binds your email address as the primary account identifier in all services known to me. Does not matter what IdP you use to "sign in with".
I find this Twitter thread misleading. Unless the affected account was using @gmail.com as their primary identity.
Buy a domain and set up email on a custom domain. Back up emails periodically outside of the provider to be able to switch easily if needed. Same applies to other data stored in SaaS of any kind. This is the rule of thumb if the risk of losing access to your primary IdP is critical.
Assess the risk and act accordingly.
Yeah, Google's lack of support is notorious at this point. It's why just about any YouTuber who gets their account hacked is reduced to begging for help on Twitter, since there seems to be no-one at the company able to help directly if contacted from the site itself.
Does make me think that there should be regulations about support to prevent this sort of thing though. Maybe at the very least there should be a mandated reason for banning/deleting an account and an appeal process with an actual person on the other end. Yes people might use it to figure out how to 'abuse' the system. But that's life. We don't hide the laws so the only way people know what's legal and what isn't is to get arrested for breaking them.
I do wonder what the solution to number 3 is though. Feels like an issue with services using Google login, not Google itself. If you registered with an email and that domain expired, someone could also reset the password for much the same effect. Short of Slack and the like asking you some sort of security question upon logging in each time, I'm not sure what a good solution would be to fix this sort of flaw.
We need to have an entirely different set of regulations and expectations for entities in excess of a certain size. I think 50-100 million in revenue would be a fairly reasonable starting point but even lower would be acceptable. Certainly at a billion dollars you should be able to speak to someone who can resolve or escalate any issue within less than a working day.
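The two comments above describe the same relying-party design choice from opposite sides: keying a local account on the email claim is what let the first commenter keep every account after deleting and recreating their Google identity, and it is also what lets whoever next controls that address (a recreated account, a re-registered domain) inherit the same accounts. The added example below is not code from the thread; it models a toy OIDC relying party where the claims are plain dicts standing in for an already-verified ID-token payload, and contrasts email-keyed linking with linking on the stable (issuer, subject) pair.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    email: str
    identities: set = field(default_factory=set)  # (issuer, subject) pairs proven by a login


class RelyingParty:
    def __init__(self, key_on_email: bool) -> None:
        self.key_on_email = key_on_email
        self.accounts: dict[str, Account] = {}
        self.by_identity: dict[tuple[str, str], str] = {}
        self._next = 1

    def _create(self, claims: dict) -> Account:
        acct = Account(f"acct-{self._next}", claims["email"])
        self._next += 1
        self.accounts[acct.account_id] = acct
        self.link(acct.account_id, claims)
        return acct

    def link(self, account_id: str, claims: dict) -> None:
        key = (claims["iss"], claims["sub"])
        self.by_identity[key] = account_id
        self.accounts[account_id].identities.add(key)

    def login(self, claims: dict) -> Account:
        if not claims.get("email_verified"):
            raise PermissionError("refuse to link on an unverified email claim")
        if self.key_on_email:
            # Email-keyed: whoever the IdP currently vouches for at this address inherits the account.
            for acct in self.accounts.values():
                if acct.email == claims["email"]:
                    return acct
            return self._create(claims)
        # Subject-keyed: only the exact (iss, sub) that was linked resolves to the account.
        acct_id = self.by_identity.get((claims["iss"], claims["sub"]))
        return self.accounts[acct_id] if acct_id else self._create(claims)


def demo(key_on_email: bool) -> tuple[str, str]:
    """Log in as the original subject, then as a re-issued subject with the same address (constructed claims)."""
    rp = RelyingParty(key_on_email)
    original = {"iss": "https://idp.example", "sub": "1001", "email": "alice@example.com", "email_verified": True}
    reissued = {"iss": "https://idp.example", "sub": "2002", "email": "alice@example.com", "email_verified": True}
    return rp.login(original).account_id, rp.login(reissued).account_id
```

With email keying the re-issued subject lands in the original account; with subject keying it gets a fresh account, and migrating to a new IdP then needs an explicit re-link step from an already authenticated session rather than happening silently.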
Heh. Posted on X.
And the point of the entire post was that any SSO is bad. At that point any password manager (including on-premise Bitwarden, cause that is still a single credential for everything) is bad; you should memorize a randomly generated 64-digit password and never forget it.
Using Google in 2026 is self-imposed risk.
The tweet was still written by an LLM, even though the system prompt included "only use lowercaps, making my text look like a kid in a csgo chat"
What makes you think so?
There's a certain writing style, very short paragraphs, fair amount of repetition that just feels like you've read this post before. And you have, just on different topics but it's always the same feel.
But also lots of negatives to start the sentence, usually with a reinforcement e.g.
your password didn't help. your 2fa didn't help. you were never asked to authenticate. you were asked to authorize. completely different mechanism