A security researcher known as brutecat recently uncovered a vulnerability in Google's systems that could have allowed attackers to retrieve the private phone number linked to any Google account. The flaw allowed Google's bot-protection mechanisms to be bypassed, so an attacker could recover a number by brute force, testing candidate phone numbers by trial and error until one matched.
The process was alarmingly efficient. For U.S. users, brutecat estimated that a phone number could be obtained within an hour. In regions with shorter phone number formats, such as the UK, the attack could take as little as 8 minutes. All an attacker needed was the target’s Google account name or the email address associated with the account. Worryingly, the victim would receive no notification of the attempted breach.
The vulnerability was reported to Google in April 2025 and has since been resolved. Fortunately, there have been no reports of this flaw being exploited in real-world attacks. A Google spokesperson issued a statement: “This issue has been fixed. We always emphasize the importance of working with the security research community through our vulnerability reward program and would like to thank the researcher for flagging this issue.”
This incident highlights the critical role of security researchers in identifying and addressing potential risks in widely used platforms like Google. It also serves as a reminder for users to stay vigilant and ensure their account recovery options are up to date and secure.