A security flaw recently uncovered in Google’s account recovery system could have allowed attackers to discover the private recovery phone numbers linked to nearly any Google account without alerting the user, raising serious privacy and security concerns.
The vulnerability was identified by an independent researcher known as brutecat, who revealed that by chaining a series of coordinated steps (an “attack chain”) it was possible to bypass the anti-bot defences and rate limits Google uses to prevent automated password reset attempts.
This process involved extracting the full display name of the targeted account and systematically testing every possible phone number combination until the correct recovery number was found. Automating this method enabled the researcher to brute-force recovery phone numbers in under 20 minutes, depending on their length.
The exposure of recovery phone numbers is particularly alarming because it can facilitate advanced attacks such as SIM swapping, where hackers take control of a victim’s phone number by deceiving mobile carriers. Once in control, attackers can intercept password reset codes sent via SMS, allowing them to gain unauthorised access to Google accounts and other services linked to that number, increasing the risk of identity theft and data breaches.
A spokesperson for Google, Kimberly Samra, confirmed the vulnerability has been fixed and highlighted the company’s ongoing collaboration with the security research community through its vulnerability rewards programme.
“Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users,” Samra stated. She also noted there have been “no confirmed, direct links to exploits at this time.”
Brutecat disclosed receiving a $5,000 bug bounty from Google for the discovery.
This incident emphasises the importance of securing recovery options linked to online accounts. While Google encourages users to keep their recovery phone numbers and email addresses up to date to facilitate account recovery, these methods can themselves become targets. Security experts recommend adopting stronger authentication methods such as hardware security keys or passkeys, which offer more robust protection than SMS-based two-factor authentication.
Users should also remain cautious of phishing and social engineering scams impersonating Google support. Recent reports have highlighted sophisticated AI-driven scams where attackers pose as Google representatives to trick users into revealing recovery codes or sensitive information. Google has reiterated that it will never make unsolicited calls to users for password resets or account troubleshooting, advising vigilance against such fraudulent contacts.
To improve account security, users can manage their recovery information through their device’s settings under Google account management. Regularly reviewing and updating recovery options, alongside adopting advanced authentication measures, can help mitigate risks associated with account recovery vulnerabilities.