Just have a situation I'm looking to get more perspective on.

In February, I received a notification from my credit card company that it had declined a suspicious purchase. It was on the Google Store; I have 2FA on, and hadn't received any notifications that morning for a login. I logged in and checked the store, and sure enough, there was an order for ~$1300. For whatever reason, there was no button to cancel this order. I proceeded to go through support, told them someone used my account to order something and asked them to cancel it. They said they didn't have that ability, and I'd have to contact the payment issuer.

After my credit card didn't work, it seems they selected the PayPal option on my Google account. I then went to PayPal, and gave the same spiel, someone used my account, cancel/stop payment for it (since there isn't an option available in PayPal for this either). Again, support says they don't have access to do that, I need to talk with Google. Frustrated at this point, but I go back to Google, and they tell me that I need to call the carrier company to stop delivery, but as my account was somehow silently compromised, I didn't have the carrier information as the Gmail had a filter and emails had already been deleted, and they wouldn't provide it to me.

Knowing the payment method is PayPal, and neither company is able/willing to help, I removed all the cards from my PayPal, and transferred money from my bank account to an inaccessible savings account so that the payment would at least bounce. However, later that week during the delivery window, I checked the Google Store and noticed the status was set as delivered. Confused, I logged into PayPal to see a negative balance. Going back to support again, PayPal informs me that because I set up a Google subscription 5+ years ago, that gave them authorization to effectively "loan" me the money for the purchase.

I was super irritated at this point, but they were refusing to help. I submitted claims through the Google Store, all being denied with no explanation. If I had a compromised device, or some other thing, at least I could investigate if I had that information.

Anyways, I proceed to make sure 2FA is updated, change my password. Looking through the device list / history, there are no suspicious devices, and all are devices I personally have in my possession. There isn't some rogue device that I sold or forgot to wipe or some other situation where I could see fault. I don't use shady applications or have Google used in weird places. Even so, I logged out of all devices just in case, and ran scans on all my devices. All show nothing weird.

Fast forward from February to May, the same thing happens again (shipping to a different address than previous), I get an email about my 'Google order.' I quickly log in, and this time I'm able to cancel it. I file a claim again (even though there is nothing to refund), to at least alert them that 'hey, here is another situation to investigate, maybe they can notice something related to the first instance.' As before, Google support is unhelpful. I go through the same process again, 2FA is still on, never received any notifications, change my password, no new devices listed on my account, yet log out of all devices anyways.

Which brings me to today, same exact thing again. Once again, I'm fortunately able to cancel it within minutes of receiving the email; have Google call me and explain the situation, and again, they don't have the ability to help or give me any information even though I'm the supposed 'purchaser.' And a funny note, after ending that phone call, I received a Google security alert stating that suspicious activity was detected and I've been signed out of that device. Only after three bouts of fraud so far am I finally notified of something.

So, in seeking perspective from others, what am I missing? All my devices as listed on Google are in my possession; any old devices that I don't have were wiped. I don't use Google in weird places that might be keylogged, and even then, I've already changed my password several times, have 2FA enabled, etc. I don't get weird emails, nor open attachments. I really don't want to cancel everything and populate a new Google account, but not sure there's a more realistic option after all that's happened.

https://linustechtips.com/topic/1521724-google-account-hack-issue/
1 hour ago, divito said:

I don't use Google in weird places that might be keylogged, and even then, I've already changed my password several times, have 2FA enabled, etc.

 

Can you with absolute confidence say that none of the devices in your possession are compromised? Because changing passwords and 2FA won't help if someone has access to one of your devices where you're already logged in. It'd be nice if Google could at least tell you from what device those purchases were made. 

23 hours ago, Avocado Diaboli said:

Can you with absolute confidence say that none of the devices in your possession are compromised? Because changing passwords and 2FA won't help if someone has access to one of your devices where you're already logged in.

Nothing is impossible, but there are only 4 devices that are regularly used; PC, phone, and two tablets. All were reformatted after the first incident, making this more perplexing. Any remaining devices, along with the main ones, were logged out through Google's device page.

I'm well beyond the days of warez and questionable online shenanigans, and my usage these days is rather pedestrian. 
 

23 hours ago, Avocado Diaboli said:

It'd be nice if Google could at least tell you from what device those purchases were made. 

Very much my point to them. They have a guide on securing things and all the steps I've already done, but I can't secure my devices if I don't know the device being compromised, despite fresh installs or countless scans, or to determine the method by which this is happening to avoid it.
