This post is also available in:
Français (French)
Google Flaw: How a Bug Exposed Gmail Account Phone Numbers
A worrying Google flaw made it possible to guess the phone number associated with any Gmail account: was your security unknowingly at risk?
What was the Google flaw that exposed phone numbers?
The Google vulnerability, the main keyword in this article, relied on an old account recovery form still accessible on the company’s servers. This form allowed anyone with your Gmail address and display name to check whether a phone number was associated with your Google account. A simple automated test, carried out on a large scale, could thus guess the target’s phone number, jeopardizing the privacy of millions of users.
How could the Google flaw be exploited?
- Display Name Identification: By submitting a document through Looker Studio (Google’s reporting tool), the target account’s display name is displayed, even if the person never views the document.
- Massive Number Testing: A tool developed by BruteCat automatically generated and tested thousands of phone numbers in Google’s old recovery form.
- Cross-referencing: By using the number snippets displayed by Google during account recovery (for example, two digits of the emergency number), the tool could refine the search and find the full number associated with the account.
Using this method, a cybercriminal could link a name, an email address and a telephone number, opening the door to targeted and extremely effective phishing attacks.
Why is this Google flaw so worrying?
The Google breach touched on the very foundation of digital security: the confidentiality of personal data. Using a name, email, and phone number combination, a hacker can launch personalized phishing campaigns, steal an identity, or even attempt to take control of other accounts through social engineering. This type of vulnerability highlights the need for constant vigilance, even among digital giants like Google.
How did Google react to the flaw?
Alerted on April 14, 2025, Google took more than a month to respond. It wasn’t until May 22, 2025, that the company cut off access to the old recovery form and implemented mitigation measures. BruteCat, the researcher who made the discovery, received a $5,000 bounty for his contribution to the platform’s security. To this day, it remains unclear whether the Google flaw was exploited by cybercriminals before it was patched.
The consequences of the Google flaw for users
Impact on account security
This Google flaw demonstrates that no system is infallible, even among major web companies. The ability to link a Gmail address to a phone number exposes users to increased risks of phishing, telephone harassment, and even identity theft. For professionals, the leak of personal data can also have legal and reputational consequences.
Best practices to strengthen your security
- Check your Google Account security settings regularly.
- Enable two-factor authentication to limit the risk of unauthorized access.
- Stay vigilant against phishing attempts, even if the message appears to come from an official contact or service.
- Limit the distribution of your phone number on the internet and in online forms.
Google and Vulnerability Management: What Lessons Can We Learn?
The discovery of this Google vulnerability underscores the importance of bug bounty programs and collaboration between independent researchers and companies. Although some considered Google’s response slow, the rapid patching after the public alert helped limit the potential damage.
Towards more proactive cybersecurity
Breaches like this are a reminder that digital security is an ongoing process. Companies must not only patch bugs, but also regularly audit their legacy tools and interfaces, which are often forgotten but still accessible. For users, vigilance remains essential: any information shared online can become a gateway for targeted attacks.
Conclusion: What do you think about Google’s handling of this flaw?
The Google vulnerability revealed by BruteCat highlights the fragility of our personal data, even among web giants. Do you think Google reacted quickly enough? Should reward programs be strengthened to encourage the discovery of vulnerabilities? Share your opinion in the comments and let’s discuss best practices for protecting our digital identities!