Gmail account I never created - how much to worry?

I have a gmail account rarely used – it’s firstname_lastname at gmail .com. Happened to log on and there’s a security alert that someone logged into another gmail account, lastname_firstname at gmail .com, which is not an account I know about. My first and last names are unusual enough that it’s probably not a fluke/coincidence but see below. It’s vaguely possible I set up lastname_firstname years ago and forgot all about it.

I successfully went through the account recovery process for lastname_firstname using a code sent to my REAL Gmail account, removed an associated phone number I’ve never seen, changed the password on lastname_firstname, and finally was able to check the emails.

There are 431 emails going back to July 2022, mostly the usual Gmail junk that you get if you never monitor your account, but some concerning things – Fidelity Investment Account stuff (not mine) involving account setup, trade confirmations, and password changes; and a ticket purchase on United Airlines from Denver to Raleigh, not a flight I’ve taken, with tickets in my name and flight numbers that match up with real routes I checked online. I talked with United but they’re not able to pull up any records from last August, when the trip was (they said call my bank).

There are a handful of sent messages in the account. Here’s where it gets interesting. It seems to be a high school kid in Colorado who shares my name, sending out resumes. There is mail from “him”, if it is a real person, to a real company which appears on the resume. There are pictures of him online on his high school’s Instagram and Facebook accounts. I’ve gone through my life thinking my FN/LN combination was unique, but my guess now is that this possibly real person tried to set up a gmail account, found “his” name taken, switched the names, and then (this is the inexplicable part) put in my actual gmail account as the recovery account. Perhaps he thought it was his too, I don’t know.

Or perhaps someone stole my identity, is masquerading as a Coloradan high schooler, and is buying Fidelity instruments and taking flights while pretending to be me, for some reason. He looks better than me, anyway, so there’s that.

At least I have control of both Gmail accounts now. I’m worried I may have hacked him, actually, and am considering calling the number on his resume, or emailing the address he used there, which is not the gmail one.

If it’s fraud/ID theft, it doesn’t make sense that the person who set up the mail account used my (actual, correct) gmail account for account recovery, does it? On the other hand, it doesn’t make a lot of sense that a real person would do this either. I am at a loss what to do next.

Wow. That sounds so fake.
Good-looking high school kid with investments. Hmm🤔

It would worry me enough I’d definitely call my financial institution and CC company.

Call that number. It’s probably a Gmail phone number. If you get a buzzy, metallic sound it’s obviously not real.

(Disclaimer: I know very little about online crap. YMMV.)

I hope it’s just a similarly named person and they are as confused as you.

Welp, I’ve read through enough of the guy’s email to become convinced he’s a real person who shares my name, and who was foolish enough to give my gmail address as a recovery account. My brother said this was impossible, that you’d have to verify the recovery address as well, but I just proved him wrong by setting up a test Gmail account with his address as recovery. It let me, no questions asked.

So now I feel bad. I’ve hacked some high school kid’s email. If it were me, I would not want to hear that some creep who shares my name read my mail. I’m thinking, delete the account and back away. I’m not going to contact him.

(Among the emails I read was one from another version of himself, [firstname][lastname]123@gmail.com. Glad he’s got that sorted out.)

Yes, you have committed a federal crime: violation of the Computer Fraud and Abuse Act. Not likely to be prosecuted as long as you stop here and don’t try to leverage this access to get into their Fidelity account and steal their money, but still very wrong.

The fact that they made a mistake and provided your email address as a recovery address for their account gave you the technical ability to log into their account, but absolutely not the legal right to do so.

If you are suggesting that you delete the other person’s account, no. Attempting to destroy the evidence certainly isn’t going to make things better.

Some time ago, I got access to someone’s Hawaiian Airlines account in a similar way (story here). In the end, I just noted the havoc I could have caused, and took just enough action to terminate any of my potential access to the account (and me receiving any emails about it).

I totally thought you were joking until I read the rest of your post.

Since you know his email address, just send an explanatory e-mail… oh, wait…

Contact his parents, if you can weave your way through his Facebook friends. They’d want to know their kid is being irresponsible with his sensitive information, as well as his financial information.

The idea that in this day and age major companies do not force an email verification when someone is setting something up is incredibly shocking.

Someone recently set up a PayPal account with one of my emails as a secondary thing. I don’t want to log in to the account via a recovery thing or some such since I don’t want my email basically confirmed to be attached to this account. So there’s nothing to be done.

This is the 2nd time PayPal has done this to me. The first time I went around and around with a CS rep who basically couldn’t do anything like delete the account, remove my email or anything. All they did was “suspend” the account.

Instagram also thinks I have an account set up that isn’t at all mine.

What do you suggest I do then?

Please understand that because my real Gmail was the backup account access, I believed for some time that the other account was actually mine, but that someone was using my identity/gmail account to make financial transactions. This seemed like a very serious problem warranting investigation, and a reasonable assumption to go on, all the way till I checked the Sent items. Only then did the light dawn.

Wow. I would totally log into the PayPal account in your situation, to see if someone had linked it to my bank account. Then, again, I would delete the account if I had power to do that. What business does someone else have putting your email address on a thing like that? How could anyone not assume some funny business was going on? (What, a slip of the keyboard, they “accidentally” typed in your email?)

Scammers work in mysterious ways and people absolutely have a right to protect themselves without worrying about invading the privacy of the con artists.

Not necessarily a slip of the keyboard - maybe it’s never happened to you, but it’s not at all uncommon for someone to try to create an email of Firstlast@whatever and find out it’s unavailable. I have a very uncommon name - both my first name and last name are uncommon and I would be shocked if there is someone else with the same name. My email addresses normally consist of firstlast@whatever. Except for one - which for some reason wasn’t available. So it’s firstlastnumber@something - and I guarantee that I made that mistake at least once because it was a hassle trying to fix it.

Of course, and this is what happened to my Coloradan doppelganger, no doubt. I beat him to it, registering Firstlast@gmail many years before he ever could. What doesn’t make sense is him then creating a new gmail account for himself and putting in Firstlast – my account – as his recovery account. Just as it doesn’t make sense that some stranger sets up a PayPal account and decides to link ftg’s email to it. Why would anyone do that?

Maybe the thinking is as the xkcd strip has it, as alluded to above. “This SHOULD be my email address, therefore it IS my email address.” Not saying you thought like that, doreen, but I’m not understanding the mistake you said you made at least once that was a hassle to fix.

Anyway I still don’t know what to do next. I guess I will not delete the other account, but I think reaching out to the guy is a very bad idea. He doesn’t want to hear that a stranger read any of his mail; I sure wouldn’t. He can just create himself a new gmail account. My only hope is he doesn’t continue to use my address as his backup.

Here’s what I think you should do: I would first remove your own email address from the account as the recovery email, because that’s what started this whole chain of events. I would also reassociate the phone number you previously removed from the account if possible (though you won’t be able to verify the number, of course). If you don’t have it, use the phone number from the kid’s resume.

Then change the password of the hacked account to something relatively simple, contact the other person using the other email address you have, explain the situation (and the fact that they had screwed up and used your email address as their recovery account) and give them the password and control of their own account back.

More than finding out that someone had read my emails, I would be more upset to find out that someone had permanently hacked my email address and that I could not get it back. Plus, once he figures out that he no longer has access to it, he may go to Google with his credentials and try to get control back himself. This could create a mess for you then. You might even get your own account deleted and yourself banned from Gmail if Google decides that you are the hacker and that you did this whole thing with nefarious intent.

Besides, it’s the right thing to do in my mind. You don’t even have to have a back-and-forth exchange with him. Email him the account password to the other email account you have of his and I think you’ve done your due diligence. I wouldn’t try to contact him by phone or physical mail. On second thought, I might try to leave a voice mail briefly explaining the situation and the fact that you sent him the account password to [other_email_address].

I second this.

I doubt he would care. You don’t have to tell him you read his emails. He probably thinks he was hacked and may be worried about his accounts.

At the very least you should change the recovery email to his other email at [firstname][lastname]123@gmail.com so that he can get it back.

I agree entirely with the recommendation above, with a very slight amendment. In explaining the situation, I would emphasize the “innocent mistake” aspect of your original story above — shit, did I accidentally set up this other email and forget about it? Don’t mention anything about suspecting a hacker and taking deliberate steps to “break into” or “take over” the account; you did this innocently, and almost immediately realized your error, and you are now taking steps to return control of the account to him.

The mistake I made was registering an account somewhere, maybe a retailer, maybe a streaming service, and accidentally using firstlast@whatever instead of firstlastnumber@whatever. Which meant I couldn’t sign in or change the password and in fact, I didn’t know what I had done until the company was able to look up my account using other information. But it would have been just as easy to accidentally give firstlast@verizon.net or firstlastnumber@gmail.com instead of firstlastnumber@verizon.net as the recovery email. Because I’ve had multiple first last email addresses - and only this one has a number. It wouldn’t be because I thought it should be mine - it would be because I mixed up parts of two different emails.

So I think my personal experience might be helpful here. I have a Google doppelgänger as well. I have JohnSmith [@] gmaildotcom, and someone in DC has JohnSmyth [@] gmaildotcom. He and I have gotten each other’s emails all the time, and we exchange them, including sensitive documents like mortgage applications, insurance claims, etc. Now, it’s not like having access to each other’s complete account. But I’m thankful that he forwards me my email, and that he trusts me to do the same.

Reaching out to your Colorado doppelgänger is, in my opinion, the right thing to do. I know I’d want to know.

OK. I appreciate the opinions above. Good advice here, and why I love the SDMB. I agree that returning the account to its owner is the right thing to do. Just now I went to log in (to note alternate contacts for him from his mail, which I hadn’t saved before), and lo, the password has been changed.

Yesterday I’d made a few attempts to remove my email address as the other account’s backup, and was thwarted – Google wanted me to tap something on “my” iPhone’s Gmail app. So I assume the other account’s owner received messages of unauthorized activity and managed to wrest control back, using his phone as a security key. Good for him.

Perhaps we are done here, but I might shoot him an email at the LastFirst address which he now controls again, explaining what happened – without mentioning I read any emails – and asking him to remove my address as account backup. That’s not even necessary, though, since if I get any future security alerts, I’ll at least know what’s going on.

It definitely shouldn’t have been so easy for me to change his account’s password. I’m glad I only use gmail as a throwaway account, more or less, and will probably be keeping it that way. What a bizarre experience.