Google’s Quiet Patch and the Loud Wake-Up Call About Phone-Number Security
When news broke that an independent researcher had managed to uncover the recovery phone number for any Google account with a little coding nous and patience, security folk experienced déjà vu. We’ve long warned that a mobile number is the modern skeleton key: crack it and you prise open everything from cloud wallets to private inboxes. The researcher, known online as “brutecat”, proved just how quickly that door can swing wide, exploiting an obscure workflow in Google’s Looker Studio, then hammering Google’s backend with automated guesses until the correct digits fell into place. In some regions the process was measured in minutes rather than hours. Google has since closed the loophole and paid a modest bug bounty, but the demonstration exposes a wider systemic problem: we still treat phone numbers as if they were semi-secret, even though the attack surface keeps expanding.
A Perfect Storm for SIM Swappers
The exploit is tailor-made for SIM-swap crews. With a verified number, criminals can sweet-talk telco support into porting a victim’s line to a rogue SIM. Once texts start flowing to the attacker’s handset, password resets and multi-factor codes tumble like dominoes. Recent ransomware campaigns have shown just how lucrative that chain reaction can be when it reaches corporate email accounts and crypto treasuries.
Why Phone Numbers Remain a Soft Underbelly
Unlike passwords, mobile numbers don’t change often, are reused across services, and are routinely shared in day-to-day life. Yet they underpin everything from SMS-based 2FA to account-recovery flows. That asymmetry is hacker heaven: the credential is stubbornly static, but the reward for cracking it keeps growing. Google initially rated the flaw “low likelihood of exploitation,” but later upgraded the risk, an admission that threat modelling isn’t keeping pace with the real-world value of telephone metadata.
Lessons for Platforms—and Users
- Rethink SMS-centric recovery. Tech giants need to accelerate the shift toward app-based or hardware-key authentication, treating phone numbers as a last-ditch backup rather than a primary credential.
- Throttle and alert. Any mechanism that allows high-volume guessing must trigger rate-limiting and user notifications. In this case, victims were kept blissfully unaware of the ownership hand-off and the barrage of guesses that followed.
- Hygiene at the human layer. Users should assume their number is public and plan accordingly: migrate to stronger MFA, remove phone recovery where alternatives exist, lock their mobile account with a carrier PIN, and avoid posting numbers on social channels. The FBI has long advised keeping phone numbers off public profiles, and the wisdom of that stance is clearer than ever.
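One way to implement the throttle-and-alert control described above, as an added example that is neither Google's code nor part of the original article: a per-target sliding-window budget on failed guesses against a recovery-number check, which stops comparing once the budget is spent and notifies the account owner exactly once. The account name, stored number, budget and window length are constructed sample values.

```python
"""Per-target guess throttle with owner alerting for a recovery-number check.

Constructed example: each failed guess against an account consumes budget in a
sliding window; when the budget is exhausted the check refuses further guesses
(so enumeration cannot continue) and records a single notification for the owner.
"""
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class GuessThrottle:
    max_failures: int = 5          # failed guesses tolerated per window (sample value)
    window_seconds: float = 600.0  # sliding-window length (sample value)
    failures: dict = field(default_factory=lambda: defaultdict(deque))  # account -> failure times
    alerts: list = field(default_factory=list)  # (account, reason) notifications emitted

    def _prune(self, account: str, now: float) -> None:
        q = self.failures[account]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def check_guess(self, account: str, guess: str, stored_number: str, now: float) -> str:
        """Return 'match', 'mismatch' or 'throttled' for one guess at `now` seconds."""
        self._prune(account, now)
        q = self.failures[account]
        if len(q) >= self.max_failures:
            # Budget spent: refuse without comparing, and alert the owner once.
            if account not in {a for a, _ in self.alerts}:
                self.alerts.append((account, "recovery-number guessing detected"))
            return "throttled"
        if hmac.compare_digest(guess, stored_number):  # constant-time comparison
            return "match"
        q.append(now)
        return "mismatch"


def simulate_enumeration(stored_number: str, start: int, attempts: int) -> dict:
    """Replay a burst of sequential 4-digit guesses, one per second, against one account."""
    throttle = GuessThrottle()
    outcomes = defaultdict(int)
    for i in range(attempts):
        outcomes[throttle.check_guess("victim@example.test", f"{start + i:04d}",
                                      stored_number, now=float(i))] += 1
    outcomes["alerts"] = len(throttle.alerts)
    return dict(outcomes)


if __name__ == "__main__":
    print(simulate_enumeration("7421", start=0, attempts=20))
```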
The Bigger Picture
This saga is less about one patched bug than about the fragility of an identity ecosystem that still leans on ten-digit strings issued in an era of rotary dials. Each time researchers show how easily those digits can be weaponised, the case strengthens for retiring them from the front line of authentication. Until that happens, expect adversaries, whether lone SIM swappers or sophisticated ransomware affiliates, to keep circling the weakest link in the chain. Google’s swift fix is welcome, but the fundamental takeaway is stark: if your phone number can open the door, someone will keep looking for a new way to turn the handle.