Google fixes bug that could reveal users' private phone numbers
Alphabet (US:GOOG) TechCrunch · 2025-06-09 14:00

Core Insights
- A security researcher discovered a bug in Google's account recovery feature that could expose the private recovery phone number of nearly any Google account, without the account owner being notified; because the recovery number is an account-recovery channel, its exposure is both a privacy and an account-security risk [1][2][6]
- Google confirmed the bug was fixed after the researcher reported it in April, and credited its collaboration with the security research community [7]

Exploit Details
- The exploit was an "attack chain": leaking the full display name of the targeted account, bypassing Google's anti-bot protection, and then brute-forcing the account's recovery phone number, which took 20 minutes or less [3][4]
- The researcher demonstrated the chain by recovering the phone number attached to a newly created Google account [4][5]

Security Implications
- Knowing a target's recovery phone number enables targeted attacks such as SIM swapping, in which an attacker takes control of the phone number and uses it to reset passwords for accounts tied to that number [6]
- Google said it is not aware of any confirmed exploitation linked to this issue [7]

Bug Bounty Reward
- Google paid the researcher $5,000 for the report through its vulnerability rewards program [7]