A bug in Google’s account recovery system could have allowed someone to discover your private recovery phone number in less than 20 minutes—without you knowing. This flaw raised serious concerns about your security and privacy. Fortunately, Google has now fixed the issue after being alerted by a security researcher.
A hidden danger in account recovery
The vulnerability was discovered by an independent researcher known as brutecat. The issue lay in how Google’s account recovery flow behaves when a password reset is requested. In a blog post, the researcher explained that a flaw in that recovery process could be exploited to find the phone number connected to almost any Google account.
Using an “attack chain” made up of several steps, brutecat could leak an account’s full display name, bypass Google’s anti-bot systems, and cycle through every possible phone number combination. With this method, the attacker could eventually guess the correct number.
Google’s system has rate-limiting protections that block excessive password reset requests, which would normally stop a brute-force attack of this kind. However, brutecat was able to bypass those protections. By using a script to automate the process, they found it was possible to discover a recovery phone number in 20 minutes or less, depending on the length of the phone number.
Why this matters for your safety
On its own, learning the phone number tied to your Google account might not seem like a big deal. But for attackers, it opens the door to dangerous follow-up attacks, especially SIM swap scams. In these attacks, someone tricks a phone company into transferring control of your phone number to them. Once they control your number, they can intercept SMS-based verification codes, reset passwords, and take over your online accounts, including email, bank accounts, and social media.
Even anonymous accounts, such as ones created for privacy reasons, could have been exposed if linked to a recovery phone number, making this flaw especially serious.
Google responds and rewards the discovery
Google confirmed that the issue had been fixed after brutecat reported it in April. “This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program,” said Google spokesperson Kimberly Samra. “Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”
Samra added that there have been “no confirmed, direct links to exploits at this time,” meaning there’s no evidence yet that hackers took advantage of the bug before it was fixed.
As a thank you, Google rewarded brutecat with a US$5,000 bug bounty through its vulnerability rewards programme. This programme encourages security researchers to help Google spot flaws and fix them before they can be abused.
If you’re a Google user, you don’t need to do anything right now—Google has already fixed the issue. Still, it’s always a good idea to review your account’s security settings, enable two-factor authentication, and stay alert for any suspicious activity on your phone or accounts.