I’ve used plenty of forgot password forms before and entered my phone number to recover accounts, but I never really thought about how much information they could actually leak. It reminds me of those recovery flows from back in the day, where even just the last couple of digits of a phone number could end up being a real vulnerability for attackers. It’s surprising how something that seems harmless, like a simple recovery page, can actually hide some pretty serious security risks.
> It’s surprising how something that seems harmless, like a simple recovery page, can actually hide some pretty serious security risks.
This is something you should include in any personal security checkup. Attempt account recovery using every allowed mechanism. The rules for recovery change over time in a way that classical login doesn't.
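As an added illustration of the leak the thread is talking about (not code from either commenter), here is a constructed forgot-password handler in its leaky form beside a hardened one, plus the kind of self-check the reply above recommends: submit a known and an unknown identifier and compare the responses. The account store, the `send_recovery_code` helper and the identifiers are all assumptions for the example.

```python
from typing import Dict, List

# Constructed sample account store for the example; not real data.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"phone": "+15550001234"},
}

# Records of out-of-band sends, so the example stays offline and testable.
SENT_CODES: List[str] = []


def send_recovery_code(identifier: str) -> None:
    """Stand-in for the real SMS/email delivery; only records that a send happened."""
    SENT_CODES.append(identifier)


def leaky_recovery(identifier: str) -> str:
    """'Before' form: the response text reveals whether the account exists
    and echoes the last digits of the recovery phone number."""
    acct = ACCOUNTS.get(identifier)
    if acct is None:
        return "No account found for that address."
    send_recovery_code(identifier)
    return f"We sent a code to the phone ending in {acct['phone'][-4:]}."


def hardened_recovery(identifier: str) -> str:
    """Hardened form: one fixed response regardless of account existence.
    The code is still sent out of band, but nothing about the channel or the
    number is described in the page the requester sees."""
    acct = ACCOUNTS.get(identifier)
    if acct is not None:
        send_recovery_code(identifier)
    return "If an account exists for that address, a recovery code has been sent."


def response_leaks_existence(handler) -> bool:
    """The checkup: run the recovery flow for an identifier that exists and one
    that does not. Any difference in the response means the flow can be used
    to confirm which identifiers are registered (and, here, to read digits
    of the phone number)."""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    return known != unknown


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_recovery), ("hardened", hardened_recovery)):
        print(f"{name}: leaks account existence = {response_leaks_existence(handler)}")
```

The same comparison applies to every recovery mechanism a site offers (email, SMS, security questions), since, as the reply notes, each one is a separate path whose rules drift independently of the login form; timing differences between the two branches are a further channel the string comparison here does not cover.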