Locked out of your Google account: the recovery paths that actually work

You've typed the password three times. Google says it doesn't recognise you, the code is going to a phone number you no longer have, and there is no phone number to call. Your email, your photos, your YouTube, your saved logins for everything else, all behind one door. This page walks you through the recovery paths that work, the mistakes that make lockouts permanent, and what to set up afterwards so this never happens again.

Last reviewed: 18 July 2026

Think it was hacked? If someone else broke in and changed your details, that is a different problem with a different fix: use the hacked Gmail account recovery guide instead. This page is for the other lockout: nothing was hacked, you have simply lost access.

First, understand what you're dealing with

Google account recovery is automated. There is no support line where a human checks your ID and hands the account back. The system asks you questions, watches how and where you answer them, and produces a yes or a no. That feels cold when you're locked out, but it also means the process is predictable, and you can stack the odds in your favour before you press "Forgot password" again.

The recovery system scores your attempt on two things: what you know (old passwords, recovery contacts, account details) and where you're answering from (device, location, network it has seen you use before). Most people focus on the first and ignore the second. The second often matters more.

Use a device and location Google already knows

Before anything else, move to the computer or phone you normally used for this account, on your home internet connection. A recovery attempt from your usual laptop on your usual Wi-Fi looks like you. The same answers typed into a borrowed phone at a friend's house look like an attacker.

Concretely:

  • Use a browser you were signed in on before, even if the session has expired. Don't clear cookies or history first.
  • Use your home or work network, not a VPN, not public Wi-Fi.
  • If the account lived mostly on your phone, try from that phone.
  • If your usual device is the thing that died, use the same location and network at least.

Check the easy doors before the hard one

  • Recovery email. If you set one years ago, Google can send a code there. Check whether that old address still works before you start; if it's an account you can also get back into, do that first.
  • Recovery phone. Same idea. If the number on file is an old SIM, your carrier may be able to restore the number to a new SIM; that's sometimes faster than fighting the recovery form. Guard against thinking the number is dead when it's sitting in a drawer.
  • Another signed-in session. Check every device you own: an old tablet, a spare laptop, the family computer. One live session lets you reset everything from inside the account.
  • Backup codes. If you ever turned on 2-step verification, you may have printed or saved ten single-use codes. Search your documents folder, your password manager, and the drawer where important papers go.

Prepare before you retry the recovery form

The form asks questions to prove you're you. Gather answers first, then attempt once, well:

  • Previous passwords. Any password you ever used on this account counts, even ancient ones. Write down every candidate you can remember.
  • When you created the account. Month and year is enough. Old emails from other accounts ("Welcome to Gmail") can pin this down, and rough is better than blank.
  • Recovery contacts you may have set. Old phone numbers, old email addresses.
  • What the account was used for. Some flows ask about labels, contacts, or services used.

Answer everything you can, even imperfectly. A wrong guess on one question hurts less than a string of blanks.

The cooldown reality: slow down

Failed attempts make the system trust you less. Rapid-fire retries with different answers look exactly like someone guessing their way in, and the system responds by locking harder and, in some cases, making you wait days before another serious attempt is considered.

So treat recovery attempts like a scarce resource. One careful, well-prepared attempt from a known device beats ten panicked ones from wherever you happen to be. If an attempt fails, stop. Gather better answers, get to a better device or network, and come back. The enforced wait is frustrating, but fighting it makes the outcome worse.

If Google offers to notify you at another address or asks you to wait for a review, take that path and actually wait. The delay is part of the security model, and it works in your favour when you really are the owner.

When recovery truly fails

If every path dead-ends, the honest answer is that some Google accounts are not recoverable, and no paid "account recovery service" advertising on social media can change that; anyone claiming guaranteed Google recovery for a fee is running a scam. Your fallback plan is damage control: work out what critical services used that address for login or password resets, move them to an address you control, and treat the old account as gone.

If the lockout happened because someone else broke in and changed your details, that is a takeover, not a lockout: start with the hacked Gmail recovery guide, report it to Scamwatch and ReportCyber at cyber.gov.au, and IDCARE can help if identity documents or money are involved.

Prevention: ten minutes that makes next time boring

Once you're back in (or on your new account), do these while the pain is fresh:

  • Update your recovery email and phone. Check them twice a year; an outdated recovery contact is the single most common reason lockouts become permanent.
  • Add a passkey. Signing in with your phone's fingerprint or face unlock removes the password from the equation entirely for daily use.
  • Generate backup codes and print them. Paper in the drawer with your passport, not a screenshot on the phone you might lose. Our two-factor authentication setup guide covers backup codes the safe way.
  • Stay signed in on a second device you keep at home.
  • Set up account inheritance or inactivity handling if the account matters to your family.

The short version: Google recovery is automated, so play to how it scores you: attempt recovery from a device, browser, and network the account has seen before, with old passwords and account details gathered in advance. Check for live sessions, backup codes, and old recovery contacts before fighting the form. Failed attempts trigger cooldowns, so make one prepared attempt rather than many panicked ones. Afterwards, set current recovery contacts, a passkey, and printed backup codes so the next lockout is a non-event.

General guidance only. Recovery flows change and outcomes depend on your account's history; this is not legal or professional advice.