A security researcher has disclosed a critical vulnerability in Google’s account recovery system that allowed attackers to brute-force and obtain the phone numbers of any Google user.
The vulnerability , discovered in 2025, exploited Google’s username recovery form that continued to function without JavaScript, bypassing modern security protections and enabling systematic phone number enumeration attacks.
https://gbhackers.com/google-vulnerability/