An independent cybersecurity researcher uncovered a critical vulnerability in Google accounts that allowed someone to discover the phone number linked to an account — in under 20 minutes and without the user’s knowledge or consent.
The discovery was first reported by TechCrunch. The researcher, who goes by the alias Brutecat, used a series of steps to exploit the flaw. First, they were able to determine the account owner’s name from their email address. Then, by bypassing Google’s rate-limiting protections, they ran a script to test possible phone numbers — and accurately identify the one tied to the account.
TechCrunch journalists tested the method firsthand: they created a fresh Google account with a unique phone number and only gave Brutecat the email. Within minutes, he correctly identified the linked number. This could have enabled a more serious attack, like SIM swapping — a method that would hand control of the victim’s services to the attacker.
Google patched the issue in April after receiving Brutecat’s report. Company spokesperson Kimberly Samra thanked the researcher for his help and confirmed that the vulnerability had been fixed. Brutecat received a $5,000 reward through Google’s bug bounty program.