u/FormSpeaker

Got hacked and couldn't remove a passkey the scammers added to my account, how is this possible?
▲ 25 r/scammers+1 crossposts

I got hacked by a very sophisticated social engineering scam that utilized a loophole with Google Cloud projects to send me very official-looking emails from actual Google email addresses and domains. I realized very quickly that I fell for a scam and noticed an Android mobile device and unknown Windows machines logged into my account. They added their own passkey onto an Android device, and because of that, no matter how many times I changed my password, they were able to bypass it with the passkey. I also was not able to remove the passkey they added; the option just wasn't there (see screenshot). I could remove my own passkey that I added from 1Password, but not theirs. They also tried changing my own password on me, but thanks to my passkey, I was still able to log in. I was manually logging them off my account for 5 straight hours until I was able to finally turn off 2FA and passkeys altogether and change my password before they got back in. Is this a known issue?? In the future, how would I be able to remove an unauthorized passkey?

Edit: I think I was able to finally kick them off by manually signing their devices out and very, very quickly turning off 2FA altogether so that they couldn't use the passkey to sign back in, but it would be good to know if there's a way to remove their passkey another wa

u/FormSpeaker — 2 days ago