Cybersecurity News in Asia

Features
- Featured
  
  Editor's pick: Cybersecurity trends in 2026
  
  Wednesday, January 7, 2026, 10:36 AM Asia/Singapore | Cyberthreat Landscape, Features
- Featured
  
  Exploding identity fraud and deepfakes challenge manual oversight of autonomous AI
  
  Tuesday, December 30, 2025, 9:27 AM Asia/Singapore | Features, Newsletter
- Featured
  
  Amid rapid digitalization and lagging cybersecurity oversight, India buckles up
  
  Monday, December 22, 2025, 4:50 AM Asia/Singapore | Features
Opinions
Tips
Whitepapers
Awards 2025
Directory
E-Learning

And all along we thought phone numbers linked to our online identity were safe

By CybersecAsia editors | Friday, June 13, 2025, 4:52 PM Asia/Singapore

Had a recently disclosed vulnerability in a cloud giant’s widely-used free digital accounts been exploited, the damage would have been unthinkable.

Most of us never realized our Google-linked phone numbers were far more vulnerable than we thought. Now, a Singaporean security researcher has revealed just how easily attackers could have uncovered those digits, putting millions at risk of targeted attacks and account takeovers.

The flaw, discovered by the researcher known as “brutecat” allowed hackers to use an outdated version of Google’s account recovery form. This version, which did not require JavaScript, lacked the usual protections against automated abuse. As a result, attackers could bypass CAPTCHA rate limits and rapidly test all possible phone number combinations until they struck gold.

By combining this loophole with information from Google’s “Forgot Password” process — which reveals the country code and last two digits of a recovery phone number — and the display names obtained through Google Looker Studio, attackers could narrow down the possibilities.

Once a phone number was confirmed, it opened the door to SIM-swapping attacks. This could allow hackers to reset passwords and potentially seize control of Google accounts and any other services linked to that number.

The vulnerability was reported to Google on 14 April, 2025. In response, Google had completely removed the insecure recovery form by 6 June, and awarded brutecat a US$5,000 bug bounty, emphasizing no evidence suggests the flaw had been exploited at scale*.

Security experts note that incidents like this highlight the risks posed by outdated or “legacy” web features that remain accessible even after newer, more secure systems are introduced. They urge users to enable two-factor authentication and regularly review their account recovery settings.

Meanwhile, Google is committing to reviewing other account recovery processes to prevent similar issues in the future.

For users worldwide, this episode is a wake-up call to stay vigilant about online safety and the hidden risks tied to our digital identities.

*Editor’s note: In cybersecurity, absence of evidence is not evidence of absence. Stolen data could have been stowed away for future mass attacks in conjunction with other data heists.