Google has patched a vulnerability that allowed attackers to discover the recovery phone number tied to any Google account, security researchers and media outlets disclosed this week. The flaw, first reported by independent researcher “brutecat” and detailed by 404 Media, could be exploited in seconds through a brute-force attack on an outdated account-recovery form that still functioned when JavaScript was disabled. As an attacker iterated over candidate numbers, the form confirmed the correct one; combined with a name leak through Looker Studio, this let an attacker precisely match phone numbers to user identities. Although Google did not say how many users were exposed, researchers warned that the weakness placed millions at risk of SIM-swap fraud and full account takeovers. Google said it deployed a fix ahead of public disclosure on 9 June 2025 and has found no evidence the technique was used in large-scale attacks. The company did not recommend additional steps for users beyond standard account-security practices such as multi-factor authentication.

The disclosure comes amid a broader wave of security updates. Adobe on 10 June issued patches for 254 vulnerabilities (225 of them in Experience Manager), including a critical Magento flaw scoring 9.1 on the CVSS scale, while the US Cybersecurity and Infrastructure Security Agency added newly exploited Erlang SSH and Roundcube bugs to its catalog.
Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps: https://t.co/AB3HUyFfyM by The Hacker News #infosec #cybersecurity #technology #news
Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud: https://t.co/si6vw1r0Ia by The Hacker News #infosec #cybersecurity #technology #news
Adobe just fixed 254 security flaws—225 in Experience Manager alone—that could let attackers run code or bypass security. The worst? A critical Magento bug scoring 9.1 CVSS. No exploits seen yet, but this is urgent. Update now to stay safe. Details here → https://t.co/QAPcWCqKb6