Google should fix their broken account creation process
Frequently I get emails from Google in my gmail account congratulating me for creating a brand new Gmail account. The problem is that I never created those accounts. The email also says “Please keep this email for your records, as it contains an important verification code that you may need should you ever encounter problems or forget your password.” There is a link to follow if the receiver of the email didn’t create the gmail account and that says:
If a new user lists a secondary email address when creating a Gmail address, we automatically send a confirmation message to that address. Unfortunately, users often misspell their secondary addresses, so the confirmation message is sent to the misspelled address instead of the user’s intended address. This confirmation message is not an indication that your address has been compromised in any way. If you receive a confirmation message from Google regarding a new Gmail address that you did not create, you can safely disregard the message.
Anyone can sign-up for a gmail account. Giving a secondary email address is optional but is recommended for security purposes. If a secondary email address is provided, Google should use it to activate the account, not send a congratulatory message to it. After this is implemented, if the user inadvertently provides a wrong secondary email address (typo), he won’t get the expected email from Google asking him to activate the account; he will realize his mistake, try again and give the correct email address. Currently, if the user doesn’t update his incorrect secondary email address and also forgets his password, he cannot reset it. The holder of the ‘wrong’ email address will get an email if the user tries to reset his password.
I don’t understand why Google doesn’t follow the common practice of verifying the ownership of the email address.