Automatic trusted phone number registration 🤦‍♂️
I just got a notification on my Android phone that a phone number was successfully added to my primary Google account as a verified phone number. Wait a moment. Is somebody editing my profile, requesting a text message and also verifying it?
I quickly logged in to the My Account page and used the search function to look for "phone number". There were of course multiple submenus, but I really did find an unrecognized new phone number. What's even worse, the page says that the phone number can be used to approve 2-factor logins… WTF?
I immediately deleted the phone number. I have already experienced account theft, and believe me, if that happens you need to act fast. It was about 22:30, a typical time for attackers, who hope that the victim will not notice anything at this time.
I looked through my contact list, but nothing.
I ran a targeted search online, with no hits.
I checked my active sessions and devices, but everything looked good; I recognized each and every login. Weird!
I ran out of ideas, so I changed my LLM from Gemini Flash to the limited Gemini 2.5 Pro. This is a serious topic. (Recently I have been using Gemini a lot.)
I explained the situation and a very long list of possibilities was shown, but none of them looked realistic, so I only read the main titles.
Then I realized something. My phone has a SIM card only for emergencies; I never use it, and I don't even know the corresponding phone number. I always use another SIM card in another phone (yes, I go everywhere with 2 phones, maybe a story for next time).
I called my 2nd phone, and the phone number shown was indeed the newly registered trusted phone number, so I asked Gemini how this is not a security flaw…
What if you have physical access to your roommate's phone and you insert a 2nd SIM card while they are showering, for automatic trusted phone registration, to ask for a password reset…


