Today there has been an interesting new development. A number of Iranians have reported that Google is informing them that “Government-backed attackers may be trying to steal your password”. The screenshot below was sent to me by a friend reporting the same from Canada:

This is a familiar alert for us, but what is interesting is the possible attack vector: users inside Iran aside, the users who got this alert outside the country all had Iranian mobile numbers assigned in their Google accounts as a backup / recovery number.

This means that, as suspected earlier, SMS interception at Iranian mobile operators is being used to reset the passwords of Iranian users.

We recommend using TOTP on your mobile phone, using U2F keys, and not using any Iranian mobile phone number as a backup number in your Google profile.