You use your phone number for passwords, recovery, and account lockouts — and that convenience can become a vulnerability. You need to know how a flaw could let someone discover linked phone numbers and why that matters for your personal security.
This article walks through how the weakness worked, who found it, how attackers turn exposed numbers into SIM-swap and account-takeover opportunities, and what the patch and timeline mean for your accounts. Stay with it to understand practical risks and the steps you can take to protect your phone number and online identity.
Google’s brute-force phone number exposure flaw
You could have your phone number discovered without alerts because a legacy recovery endpoint lacked rate limiting and protections.
That endpoint let researchers demonstrate how attackers can iterate guesses against recovery fields to reveal linked numbers.
Google patched the issue after disclosure, but you should check your account recovery options and turn on stronger protections.
Read the technical disclosure from the researcher for details on how the flaw worked and was fixed.
Researcher ‘brutecat’ who found the bug
You probably saw the handle Brutecat pop up in reports after the discovery.
They published a clear write-up showing how a legacy recovery form lacked rate limits, letting attackers brute-force phone numbers.
You’ll notice Brutecat shared proof-of-concept details responsibly and coordinated with Google before disclosure.
That led to a patch and a modest bug bounty while protecting users from immediate exploitation.
How SIM-swappers exploit exposed numbers
When your phone number appears in leaked databases, attackers use it as a starting point to build your profile. They pair leaked numbers with public data and social engineering to trick carriers into moving your number.
You might get called or messaged with convincing details that lower the guard of support staff. Once the carrier ports the number to a SIM or eSIM under the attacker’s control, they can intercept codes and reset passwords.
The impact on Google account recovery
If an attacker finds your recovery phone number, they gain a key piece used to reset accounts. That increases your risk of SIM swapping and unauthorized access.
Google’s patch closed the brute-force path, but you should still review recovery options. Remove old numbers, enable two-step verification, and consider an authentication app for stronger protection.
Timeline of the vulnerability discovery
You first saw reports after researchers disclosed the issue publicly, detailing how attackers could spoof apps to steal data. News outlets then confirmed active exploitation and vendors started emergency patches.
You watched vendors publish advisories and updates; some fixes arrived within days. Security teams scrambled to scan fleets and apply patches as exploits spread.
You likely received vendor alerts if you run Android devices or manage mobile fleets. Check official updates and apply patches immediately.
Google’s patch released in April 2025
You should install the April 2025 update because it fixes multiple vulnerabilities, including two zero-days that were actively exploited. Google described the attacks as limited and targeted, so timely updates reduce your risk.
If you use a Pixel, the patch arrived directly from Google; other phones get fixes from manufacturers. Check your phone’s system updates and apply the patch as soon as it’s available.
Read more about the bulletin from a detailed report here: Google fixes Android zero-days exploited in attacks, 60 other flaws (https://www.bleepingcomputer.com/news/security/google-fixes-android-zero-days-exploited-in-attacks-60-other-flaws/).
Why phone numbers matter in account security
Your phone number often acts as a recovery key for accounts and password resets. That makes it a direct target for attackers who want to regain access.
Companies send one-time codes and alerts to your number, so interception can let someone bypass logins. Losing control of your number can lead to account takeover and identity theft.
Treat your number like a credential: enable app-based 2FA where possible and limit where you share it. Check account recovery settings regularly to reduce exposure.
Risks of automated brute-force attacks
You can be targeted without warning when attackers use automated tools to try many codes or passwords rapidly.
Those tools can bypass rate limits and lockouts if systems aren’t configured correctly, letting attackers test thousands of attempts per minute.
Your account takeover risk rises when attackers pair brute force with leaked credential lists or social data.
If they succeed, they can read messages, intercept two-factor codes, or impersonate you for fraud.
Weak or reused passwords make your devices and services much easier to crack.
Use strong, unique passwords and multi-factor authentication to reduce the danger.
How hackers could guess phone numbers digit by digit
You could be targeted by an attacker who tries numbers one digit at a time against an account-recovery endpoint. The flaw let researchers automate guesses and learn when a digit matched, so the next guess narrows the possibilities quickly.
You’d see repeated rapid requests that reveal partial matches rather than full verification. That lets an attacker reconstruct your recovery number without alerting you, as reported in coverage of the Google vulnerability (https://techcrunch.com/2025/06/09/google-fixes-bug-that-could-reveal-users-private-phone-numbers/).
Privacy threats from exposed linked phone numbers
If your phone number is tied to a messaging account, attackers can confirm it exists and link it to your profile photo or last-seen info. That makes targeted harassment, doxxing, or unwanted contact easier.
You may get phishing calls or SMS that look unusually convincing because they match accounts you actually use. Scammers can also build identity maps by combining leaked numbers with other public data.
More from Decluttering Mom:
