
Yes, my Google account was simjacked last year. I lost access to my email, photos, and the ability to log in via Google. They were after my Coinbase account (luckily the only account I used real 2FA on). They could have initiated bank transfers too but didn’t try.

Customer support for personal Gmail accounts is almost nonexistent. Fortunately I had a friend who worked at Google and had them put in a word on my reset request; otherwise I would have been SOL.

Disable phone number resets and switch to Google Authenticator w/ backup codes ASAP.
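The recommendation above (TOTP plus backup codes instead of SMS) is worth seeing in code: a TOTP code is derived from a shared secret and the clock, so hijacking the phone number gives an attacker nothing, and backup codes stored as hashes are consumed on first use. The block below is an added example, not code from the original post or from Google; the `AccountSecondFactor` class, its method names and the constructed base32 secret are assumptions for illustration. It implements RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), rejects reuse of a code within the same time step, and verifies single-use backup codes by hash.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by Google Authenticator."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AccountSecondFactor:
    """Hypothetical second-factor store: one TOTP secret plus hashed backup codes.

    The phone number is deliberately absent: nothing here can be recovered
    by taking over a SIM, which is the point of the recommendation above.
    """

    def __init__(self, secret_b32: str, backup_count: int = 10, step: int = 30):
        self.secret_b32 = secret_b32
        self.step = step
        self.last_counter = -1                   # last accepted time step (anti-replay)
        # Plaintext backup codes are shown to the user exactly once at setup;
        # only their hashes are kept afterwards.
        self._plaintext = [secrets.token_hex(4) for _ in range(backup_count)]
        self._backup_hashes = {self._hash(c) for c in self._plaintext}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def backup_codes_once(self) -> list:
        """Return the plaintext codes and forget them (setup-time display)."""
        codes, self._plaintext = self._plaintext, []
        return codes

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)

    def verify_totp(self, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept a code from the current step or +/- `window` steps, once each."""
        for drift in range(-window, window + 1):
            t = unix_time + drift * self.step
            counter = t // self.step
            if counter <= self.last_counter:
                continue                         # already used this step: replay
            if hmac.compare_digest(totp(self.secret_b32, t, self.step), code):
                self.last_counter = counter
                return True
        return False

    def redeem_backup_code(self, code: str) -> bool:
        """Each backup code works exactly once; reuse is refused."""
        h = self._hash(code)
        if h in self._backup_hashes:
            self._backup_hashes.discard(h)
            return True
        return False


# RFC 6238 reference secret ("12345678901234567890" in base32), used only
# so the output can be checked against the published test vectors.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    factor = AccountSecondFactor(RFC_SECRET, backup_count=3)
    print("codes to print and store offline:", factor.backup_codes_once())
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    print("accepted:", factor.verify_totp(totp(RFC_SECRET, 59), 59))
    print("replay accepted:", factor.verify_totp(totp(RFC_SECRET, 59), 59))
```

At enrolment the secret is shared with the authenticator app (normally via a QR code) and the backup codes are shown once; from then on the server holds only the secret and the hashes, and a reset request arriving by SMS has nothing to match against.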



Go through the password reset process with Google and it's worse than most people think. The first thing it asks you is:

> Enter the last password you remember using with this Google Account

Which of course the attacker knows, because they changed your password. If they don't know that, you can click "try again" and go through the various two-factor methods set up (hardware token, TOTP code, SMS), and then the very last and also terrible option is putting in the date the account was created. If your account has been owned, the attacker likely knows this too. Advanced account protection is pretty much the only option if you've had your account breached at any time.


>> Enter the last password you remember using with this Google Account

> Which of course the attacker knows because they changed your password.

The site asks for the last password you remember using, not the last password that was used (presumably by the attacker). I don't think this is as bad as you think; the attacker likely doesn't know the previous password, or else they would not have needed to hijack your phone number.



