Cloud brute-force attack quickly cracks Google user phone numbers

A concerning new vulnerability allows attackers to link email addresses to Google account users’ phone numbers with remarkable speed and scale. Leveraging the power of cloud computing, malicious actors are employing a sophisticated brute-force attack to exploit flaws in account recovery or sign-up processes.

This method targets the verification step where a user might enter a phone number to associate it with an existing email address or verify account ownership. By using cloud platforms, attackers can distribute their efforts across thousands of temporary IP addresses, making it incredibly difficult for security systems to detect and block the malicious activity as a single, coordinated attack.

The process involves systematically testing potential phone numbers against a list of known email addresses. The vulnerability lies in how the system responds; even subtle differences in error messages or response times can reveal whether a tested phone number is linked to the target email. This allows attackers to rapidly confirm associations, effectively compiling a database of Google users and their associated phone numbers.

The primary risk is the breach of user privacy and the creation of valuable data for phishing campaigns, spam, and other forms of online harassment or fraud. While the attack doesn’t immediately compromise the account password itself, knowing the link between an email and a phone number significantly lowers the bar for subsequent social engineering or targeted attacks. It exposes users to unwanted contact and potential exploitation.

Platforms are urged to bolster their defenses against such attacks. Implementing more robust rate limiting, requiring CAPTCHA or other forms of authentication earlier in the verification flow, and changing system responses so that they no longer reveal whether a tested number matches are crucial steps. Users should remain vigilant and be aware that their personal information remains a target for sophisticated attackers using readily available technologies like cloud infrastructure. Protecting digital identity requires continuous effort from both service providers and individuals.
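The two server-side mitigations above can be combined in one verification step. The sketch below is an added example, not code from Google or from the source article: it keeps the guess budget per targeted account rather than per source IP, and returns one identical response for every outcome. `RecoveryVerifier`, the window, the budget and the sample directory are hypothetical names and values.

```python
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # assumed sliding window
MAX_ATTEMPTS = 5        # assumed guess budget per target account per window
GENERIC_RESPONSE = {"status": 200, "body": "If the details match, a code will be sent."}


class RecoveryVerifier:
    """Hypothetical phone-verification step for an account recovery flow."""

    def __init__(self, directory, key):
        self._directory = directory            # email -> phone (constructed data)
        self._key = key                        # HMAC key for fixed-length comparison
        self._attempts = defaultdict(deque)    # email -> timestamps of recent guesses
        self.codes_sent = []                   # stand-in for the out-of-band SMS channel

    def _digest(self, value):
        return hmac.new(self._key, value.encode(), hashlib.sha256).digest()

    def _within_budget(self, email, now):
        recent = self._attempts[email]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS:
            return False
        recent.append(now)
        return True

    def check(self, email, phone, source_ip, now):
        # The budget is keyed on the targeted account. source_ip is ignored on
        # purpose: guesses spread over many addresses still share one counter.
        allowed = self._within_budget(email, now)
        stored = self._directory.get(email, "")
        # Same work for known and unknown accounts, constant-time comparison.
        match = hmac.compare_digest(self._digest(stored), self._digest(phone))
        if allowed and match and stored:
            self.codes_sent.append(email)      # outcome is only visible out of band
        # Match, mismatch, unknown account and throttled all look identical.
        return dict(GENERIC_RESPONSE)
```

In a real deployment the attempt counters would live in a shared store so that every front-end node sees the same budget.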

Source: https://go.theregister.com/feed/www.theregister.com/2025/06/10/google_brute_force_phone_number/
