Had a recently disclosed vulnerability in a cloud giant’s widely-used free digital accounts been exploited, the damage would have been unthinkable.
Most of us never realized our Google-linked phone numbers were far more vulnerable than we thought. Now, a Singaporean security researcher has revealed just how easily attackers could have uncovered those digits, putting millions at risk of targeted attacks and account takeovers.
The flaw, discovered by the researcher known as “brutecat” allowed hackers to use an outdated version of Google’s account recovery form. This version, which did not require JavaScript, lacked the usual protections against automated abuse. As a result, attackers could bypass CAPTCHA rate limits and rapidly test all possible phone number combinations until they struck gold.
By combining this loophole with information from Google’s “Forgot Password” process — which reveals the country code and last two digits of a recovery phone number — and the display names obtained through Google Looker Studio, attackers could narrow down the possibilities.
Once a phone number was confirmed, it opened the door to SIM-swapping attacks. This could allow hackers to reset passwords and potentially seize control of Google accounts and any other services linked to that number.
The vulnerability was reported to Google on 14 April, 2025. In response, Google had completely removed the insecure recovery form by 6 June, and awarded brutecat a US$5,000 bug bounty, emphasizing no evidence suggests the flaw had been exploited at scale*.
Security experts note that incidents like this highlight the risks posed by outdated or “legacy” web features that remain accessible even after newer, more secure systems are introduced. They urge users to enable two-factor authentication and regularly review their account recovery settings.
Meanwhile, Google is committing to reviewing other account recovery processes to prevent similar issues in the future.
For users worldwide, this episode is a wake-up call to stay vigilant about online safety and the hidden risks tied to our digital identities.
*Editor’s note: In cybersecurity, absence of evidence is not evidence of absence. Stolen data could have been stowed away for future mass attacks in conjunction with other data heists.
