Gmail account hack prevention and recovery

The hack-prevention side is pretty much covered by the dual-factor authentication that was recently introduced and the use of the "Always use HTTPS" setting (on by default in Gmail) for accessing Google, to avoid SSL-stripping attacks.

Now, when you have a compromised account and want to claim it back, Google has a structured procedure to verify you are the real owner of the account, in case the normal password recovery options do not work:

You have to complete a fairly detailed form and send it to them, and they say that it is a good thing to do so from an IP address that you have previously used to access the account - they obviously store those.

Among the details that they need you to provide are:

  • If you used Gmail with this Google account. If yes, what was the most recent mail recovery address you used (in case it has been changed). Also, what are the e-mails of your 5 most often contacted people, what are the names of 4 labels you have created in the account, whether you created the Gmail account using an invitation or not, etc.
  • If you used your Google account with other services, like Orkut, Blogger or any other, you provide details about them, like when you first started using them. The details need not be 100% correct - I guess a real person is going to assess the situation at some point after passing obvious checks.
  • Other details you have to provide include an estimate of when you started using any Google services at all (associated with the account), when you last logged in successfully and what is the last password you remember for this account (so they must be storing password hashes of previous passwords).

EDIT: Just found a google article with more info about the reclaiming situation.

EDIT2: Just noticed you mention paid services. There is Google Apps for Businesses that offers some benefits for a moderate fee, including live phone support that could potentially help in situations like that, although I'm not sure. On the other hand, there are indeed commercial services, dealing mostly with the authentication part, like DIGIPASS by Vasco. There are several services like that in the Google marketplace.

I'd recommend looking at Google's Advanced Sign-in feature. It's essentially a two-factor authentication style solution where an application downloaded to your Apple iOS, Android, or BlackBerry device is used to provide a token that you need to enter when you log in.

It wouldn't be a completely effective protection in every scenario, but it does provide a bit of extra protection. I've used it for a while and it seems to work pretty well. If you need to use your Google account for devices that can't support the two-factor sign-in process, then you can generate unique passwords for that application.

This might be me resurrecting a dead question, but I had an issue in the past few days where my gmail was hacked and used for spamming.

I got into the account quickly, changed the passcode, and then activated two-step authentication, which requires a phone number in order to authorize a login to your system via a 6-digit verification code. This has actually helped me to find instances where people were trying to log in to my email, but it wasn't me. As well, since they didn't know the passcode (I changed it after turning on 2-step auth), they couldn't even get to that step in their subsequent access attempts.

For prevention, two-step authentication works extremely well.