A critical security vulnerability in Google’s account recovery system allowed malicious actors to obtain the phone numbers of any Google user through a sophisticated brute-force attack, according to a disclosure by a BruteCat security researcher published this week.