Google’s Gmail Update—Yes, Delete Your Phone Number Now

Why you should delete your number.
A raft of headlines will suddenly worry Gmail users, as a researcher has shown that a user’s private phone number can be “brute-forced” from their Google account using just their Gmail address. So, do you need to delete the phone number on your account? The answer is yes: there is one account setting from which you do need to delete it.
Per 404Media, the researcher known as brutecat “was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media’s own tests.”
Google has confirmed the issue and has deployed a fix: “This issue has been fixed. We’ve always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”
There are major privacy implications in “brute-forcing the phone number of any Google user,” as brutecat describes it, not least because the phone number is the unique identifier in secure messaging and account recovery, two areas where socially engineered attacks are rife. Fortunately, this was a proof of concept and, as far as is known, has not been exploited.
Your phone number is held in two places in your Google account: account recovery and two-factor authentication (2FA), where it is used to text codes to you when you sign in or access sensitive settings within the account. As I recommended last week, you should keep your number only as an account recovery option and delete it as a 2FA method.
Google calls this two-step verification (2SV), and you can find details on changing your settings here. You should only use 2FA linked to physical hardware, which means passkeys, authenticator apps or, for the truly security hardened, physical security keys.
One of the implications of this phone number leak is SIM swapping, where an attacker armed with your number tricks a phone company into issuing a new SIM for it and so takes over your account. This opens up real risk, given that most 2FA is still SMS-based. You do not want an attacker holding both your Gmail address and your SIM card.
An even bigger risk is a fake call claiming to be from a technical support desk. Google has been hit hard by such attacks and has patched as it goes. It emphasizes that it will never call users about a security or account issue, yet those attacks keep coming.
And so, in addition to deleting your phone number as a 2FA option, you should never engage with any technical or customer support desk from a major brand that calls or texts you on the premise of an account, payment or password issue.