Google Leaks Your Alternate Email Addresses to Unauthenticated Users
Summary
Google's login system leaks alternate email addresses to anyone who calls an unauthenticated endpoint (a service that doesn't require you to prove who you are) with just an email address. An attacker could use this to find backup accounts linked to a target email, then use those accounts for phishing (tricking people into giving up passwords) or to take over the main account if the alternate email is set up for password recovery.
Solution / Mitigation
The source lists two mitigations: (1) "Remove all alternate account associations" and (2) "Make sure that any alternate account is not your password recovery or 2FA to minimize attack surface." Both are user-level workarounds; Google declined to fix the issue itself after review.
Classification
Original source: https://embracethered.com/blog/posts/google-email-leak/
First tracked: February 12, 2026 at 02:20 PM
Classified by LLM (prompt v3) · confidence: 95%