
Latest news with #bruteforce

A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account

WIRED

09-06-2025


Jun 9, 2025 10:00 AM

Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests. The issue has since been fixed, but at the time it presented a privacy issue in which even hackers with relatively few resources could have brute-forced their way to people's personal information.

This article was created in partnership with 404 Media, a journalist-owned publication covering how technology impacts humans.

'I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,' the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.

In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.

'Essentially, it's bruting the number,' brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number. Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said.

In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write-up, brutecat then barrages Google with guesses of the phone number until getting a hit. 'The victim isn't notified at all :)' a caption in the video reads.

A Google spokesperson told 404 Media in a statement: 'This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we're able to quickly find and fix issues for the safety of our users.'

Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe.

Armed with the phone number, a SIM swapper may then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages, or multi-factor authentication codes, and log into the victim's valuable accounts. This could include accounts that store cryptocurrency, or, even more damaging, their email, which in turn could grant access to many other accounts.

On its website, the FBI recommends people do not publicly advertise their phone number for this reason. 'Protect your personal and financial information. Don't advertise your phone number, address, or financial assets, including ownership or investment of cryptocurrency, on social media sites,' the site reads.

In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat's write-up.

How To Make A Good Password – 4 Strong Password Examples

Forbes

01-06-2025


A good password is one that's impossible to guess.

One of the simplest ways for a hacker to gain control of your online accounts is by getting hold of your password. Sometimes, they do this through brute force attacks — automatically checking millions of random permutations — or by working through words in the dictionary. Sometimes, they'll use credential stuffing, exploiting the fact that many people reuse passwords across different sites.

We're constantly told that it's important to always use really strong passwords — but what does this mean in practice? We look at how to create a strong password and help keep your online accounts safe from attack.

A good password is, essentially, one that it's impossible or very difficult for an attacker to guess. That means avoiding anything obvious — 'password' or '123456', for example, both of which are surprisingly frequently used. Generally speaking, the longer a password is, the better, and it should include a combination of upper-case letters, lower-case letters, numbers and symbols. While a combination of real words and other symbols is fine, using the name of your child or your favorite sports team is a really bad idea. And you should make sure that each password you use is unique — never reuse a password, or even a very similar one, across more than one site.

If you're coming up with a password yourself, you could, of course, simply bash your keyboard at random and use whatever comes out — and that's actually not a bad way of doing it. You should make sure that whatever you come up with is reasonably long and complex. Some cyber experts recommend using a passphrase — several words strung together — as a starting point; although anything like a song lyric or famous quotation is a really bad idea. It's also less clever than you might think to use special characters in place of normal letters — 'pa$$w0rd', or the like — as hackers are on to that one.

Finally, there are a number of password generators online that will come up with one for you that should fulfill all the criteria for a good password. Using a random string of upper- and lower-case letters, symbols and numbers should usually generate a very strong password. The longer it is the better, with security experts recommending that it should have at least 14 characters. Obviously, this won't exactly be easy to remember — but there are dozens of free password manager services online that you can use to do the job for you.

To create a password that's secure but a little easier to remember, many security agencies, including the U.S.'s Cybersecurity and Infrastructure Security Agency, suggest the use of a passphrase. One way to do this is to think of three random words and string them together — needless to say, they should be random, rather than a part of a well-known phrase or something based on personal information, such as 'MyCatTibbles', for example.

Perhaps the simplest solution for coming up with a really strong password is to use a password generator, which does all the hard work for you. Password generators use random number generators to create strong, random passwords with no patterns or predictable sequences. Most allow you to customize your passwords, and will store them securely — so that the only one you'll have to remember is the one for the password manager itself.

When it comes to creating a strong password, the longer it is, the better. It's usually recommended that it should have at least 14 characters. A strong password will usually contain a mixture of upper- and lower-case letters, numbers and symbols, although it's also possible to create a good one by stringing together a series of unrelated words. There's no need to tailor a password to a particular site, although some will require you, for example, to use a minimum number of characters or to include numbers or symbols.

One hard-and-fast rule is that you should never reuse the same or very similar passwords on more than one site — and don't use any of the examples given below, just in case hackers are reading this article too.

This password — 'qo34inhj#';[ladfbyulB' — was produced by hitting the keyboard randomly, and includes a mixture of letters and other characters. It's a good length, contains no personal information, and is obviously impossible to guess. It does have one flaw, which is the lack of an upper-case letter — adding a couple in would make it even stronger.

A passphrase consisting of several real words is an awful lot easier to remember than a randomly-generated password, making it an attractive option. However, you shouldn't be tempted to use related words or a quotation, such as 'BigBrownDog' or 'ShallICompareThee', as this could potentially be guessable. Instead, use completely unrelated words, such as 'BillPlantKitchenEngine'. A passphrase will be stronger if it, too, contains numbers or special symbols: 'Bill&PlantKitchenEngine1', for example.

An ideal password is one that you can remember, but others can't guess, and one possibility is to create one based on a string of characters that means something to you, but nothing to anyone else. You could, for example, start with the sentence 'My new house is in San Francisco and is painted white with blue trim'; then take the last letter of each word to come up with 'ywesnnodsdehem'. This does have the failing that it lacks upper-case letters or symbols, but could easily be improved by adding a couple in.

Some sites allow you to use alternative methods to verify your identity and access your account. This may be facial recognition, a fingerprint or a passkey, which will be sent to you by text or email and which you then use to sign in. All these methods are more secure than passwords — and in the case of biometric identification, are also quicker to use and a good deal less hassle.

Bottom Line

We're constantly told about the importance of using a strong, unique password — but it's not necessarily clear how to do that. A good password is one that's impossible to guess, so you should avoid anything obvious or based on findable information, like your children's names. Go for something long, with a mixture of letters and symbols instead.

How Often Should You Change Your Password?

However strong your passwords are, it's a good idea to change them regularly — especially passwords for sensitive accounts like your bank or other financial services. Many experts recommend doing this every three months or so. You should also change all your passwords if you've been hacked, or if a service you use has experienced a data breach. Some security experts recommend changing passwords if you've used public Wi-Fi too. It's worth noting that, while some organizations demand that staff change their passwords regularly, this is considered a bad idea by cybersecurity authorities, as the hassle of doing it means that people are more likely to reuse passwords or even write them down.

How Long Should A Password Be?

Many sites impose a minimum length for a password, often eight characters, as the longer a password, the more secure it is. Security firms have different recommendations, but generally speaking suggest a minimum character count of between 12 and 20. There's no maximum — apart from the length of time you're prepared to spend typing — but anything longer than 30 or 40 characters is probably overkill. Some password generators create passwords of more than 100 characters, but as password managers store these for you, there's no extra hassle involved.

Should You Be Password Recycling?

While it's tempting to reuse your passwords from one account to another, there are very good reasons for using a radically different password for all of your online accounts. When criminals get hold of one of your passwords they will often use a technique called credential stuffing to try the same one against all your other accounts and potentially gain access. And, note, it's not enough to just change a password slightly — if you're using Tibbles123 on one account, they'll check Tibbles321, and other variations, too.
