(no title)
ktsmith | 6 years ago
> Enter the last password you remember using with this Google Account
Which of course the attacker knows because they changed your password. If they don't know that you can click try again and go through the various two factor methods set up (hardware token, totp code, sms) and then the very last and also terrible option is putting in the date the account was created. If your account has been owned the attacker likely knows this too. Advanced account protection is pretty much the only option if you've had your account breached at any time.
nulbyte|6 years ago
> Which of course the attacker knows because they changed your password.
The site asks for the last password you remember using, not the last password that was used (presumably by the attacker). I don't think this is as bad as you think; the attacker doesn't likely know the previous password, or else they would not have needed to hijack your phone number.