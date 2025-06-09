Google has fixed a bug that could have allowed attackers to find the recovery phone number linked to nearly any Google account without the owner knowing.

The flaw, discovered by an independent researcher known as brutecat, affected the account recovery feature and was reported to the company in April.

The issue involved a chain of actions that worked together to beat Google’s security checks.

The researcher first obtained the display name of a target account and then bypassed the mechanism that blocks excessive password reset requests.

This opened the door for a script to test different phone number combinations until the correct one was found.

According to the researcher, the process could take less than 20 minutes depending on the length of the number.

To confirm the flaw, TechCrunch created a brand-new Google account using a phone number that had never been used before.

After being given only the email address tied to the new account, the researcher sent back the correct phone number shortly afterwards.

This type of attack could lead to more serious threats.

Once someone has a recovery phone number, they could try to take control of it using a SIM swap.

That would let them reset passwords and gain access to linked accounts. Even users who rely on anonymity could be put at risk, since the phone number can link an account to a real identity.

Google said it has not seen any actual attacks using this method and has already resolved the issue.

The company paid the researcher $5,000 through its bug bounty programme, which rewards people who find flaws in its systems.