
Critical Google Account Vulnerability Exposed Users' Phone Numbers

Silviu STAHIE

June 10, 2025


A security researcher has identified a critical vulnerability in Google's account recovery system that could have allowed attackers to obtain the phone numbers of Google users by exploiting an outdated recovery mechanism that functioned without newer JavaScript protections.

How was the vulnerability exploited?

It turns out that Google's username recovery form still worked with JavaScript disabled, which let requests bypass the modern bot protections Google has applied to its other services since 2018.

According to the security researcher who found the problem, attackers could have used two specific HTTP requests that would let them verify whether a phone number was linked to a specific Google account.

Although Google's defenses included IP-based restrictions and CAPTCHA protections, it was possible to rotate IPv6 addresses and bypass these limitations entirely.
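One defensive answer to the IPv6 rotation described above is to key rate limits on the routed address block rather than on each exact address, so that cycling through hosts inside one /64 still draws on a single quota. The class below is an added illustration, not Google's code or the researcher's; the class name, the limits and the 1000-address sample block are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed example: a rate limiter whose counters are keyed on the address
# prefix instead of the exact address. Prefix lengths are assumptions: /64 is
# the common end-site IPv6 allocation, /32 means "exact address" for IPv4.

class PrefixRateLimiter:
    def __init__(self, limit, v6_prefix=64, v4_prefix=32):
        self.limit = limit
        self.v6_prefix = v6_prefix
        self.v4_prefix = v4_prefix
        self.counts = defaultdict(int)

    def bucket(self, addr):
        """Map an address to the network it is counted under."""
        ip = ipaddress.ip_address(addr)
        plen = self.v6_prefix if ip.version == 6 else self.v4_prefix
        # strict=False masks the host bits, so every host in the block
        # collapses onto one network key (e.g. 2001:db8:1:2::/64).
        return str(ipaddress.ip_network((ip, plen), strict=False))

    def allow(self, addr):
        """Return True and consume quota if the address's bucket is under the limit."""
        key = self.bucket(addr)
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def attempts_allowed(limiter, addrs):
    """Count how many of the given attempts the limiter lets through."""
    return sum(1 for a in addrs if limiter.allow(a))


# Constructed sample: 1000 attempts, each from a different host in one /64.
ROTATING_V6 = [f"2001:db8:1:2::{i:x}" for i in range(1, 1001)]

if __name__ == "__main__":
    per_address = PrefixRateLimiter(limit=10, v6_prefix=128)  # exact-address limit
    per_block = PrefixRateLimiter(limit=10, v6_prefix=64)     # /64-keyed limit
    print(attempts_allowed(per_address, ROTATING_V6))  # 1000: rotation defeats it
    print(attempts_allowed(per_block, ROTATING_V6))    # 10: the block shares one quota
```

With the exact-address limiter every rotated address starts a fresh counter, so all 1000 attempts pass; keyed on the /64, only the first 10 do.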

Real-world attack scenario

An attacker would first identify the victim's Google account display name. By using hints from Google's account recovery process, which reveals partial phone numbers, attackers could brute-force the missing digits.

Attackers could use consumer-grade hardware costing merely $0.30 per hour to brute-force phone numbers. For countries with smaller phone number pools, like Singapore, it could take just a few minutes. For larger countries like the United States, it could take 20 minutes or more.

Potential consequences for users

Had attackers discovered this vulnerability first, it could have led to:

  • Massive privacy breaches, exposing personal phone numbers linked to Google accounts.
  • Increased risk of targeted phishing attacks, scams, and social engineering attempts, as attackers could exploit personal phone numbers to appear trustworthy or familiar.
  • Possible account takeovers by using the phone numbers in further account recovery and verification attacks.

Google's response

Initially, Google awarded the researcher a bounty of $1,337, believing the vulnerability unlikely to be widely exploited. However, after recognizing its severity and potential damage, Google increased the reward to $5,000 and addressed the issue quickly by fully deprecating the vulnerable processes by June 2025.

What can users do?

  • Regularly review and update your account security settings.
  • Enable two-factor authentication (2FA) wherever possible.
  • Remain vigilant and on the lookout for unexpected messages, especially those asking for personal or account details.
