
Hey there,

so my younger brother just last evening had someone hack into his Steam account. The hacker tried impersonating Valve to try and scam him out of his CS2 skins. Luckily he asked me for help right at the beginning, and I recovered his Steam account no problem. To my horror he told me that he used the same password everywhere, including both of his emails (from now on referred to as Email 1 and 247). He had no 2FA either. In addition he had his Windows Defender off, which after being turned back on found malware.

I thought I did a good job at helping him prevent any damage from happening. I had him change all the passwords and come up with unique ones, set up 2FA and recovery options etc. The hacker had broken into his emails, as there was an active device logged into them that he didn't recognize when we checked Google's "devices" tab. Just now my brother came to me and showed me that the same device had logged into Email 1 just now. This made no sense to me, as there was 2FA enabled. I told him to change the password, but it turns out the password was changed for the Email 1 account. One of Google's password recovery steps was a code, sent to an email listed as a recovery email address. There were 2 options. One of which was the blurred-out Email 247 address and looked something like this: name***********@gmail.com. The other option didn't have the stars censoring it. To top that off, the address of said account was very similar to the real thing, but it was a fake, an account that my brother doesn't recognize. I figured that that's how the hacker got in and changed the password, so I thought I would just remove that account from being a recovery option. Said fake Google account is not listed under recovery options by Google. It only has the Email 247 account listed.

What do I do here? I have no idea what's going on. I doubt that it has anything to do with potential malware not spotted by Windows Defender, as my brother didn't log back into his Google accounts on his PC after yesterday until now. The 2FA didn't keep the hacker out of the account, and the recovery option not showing in settings is baffling to me.

Any help would be greatly appreciated, thank you so much for your time. Merry Christmas.

https://linustechtips.com/topic/1593565-compromised-google-account/

Change all your passwords, recovery info, and 2FA for all your accounts. Then force sign out all devices. Completely reformatting the PC is also a good idea; there may be some malware hidden.
