A Researcher Found How to Reveal Any Phone Number Linked to a Google Account

Here’s a link that discusses the situation without needing to make an account:

View on Redlib, an alternative private front-end to Reddit.

A researcher discovered that it is possible to brute force a US phone number in 1 hour and a UK one in 8 minutes. The relative lengths of the phone numbers explain the differences.

Attackers would need to first know a target’s Google display name. To get this, the researcher transferred ownership of a document from Google’s Looker Studio to the target.

They then changed the document’s name to be millions of characters, preventing the target from being notified of this change of ownership.

Using custom code, they then bombarded Google with guesses of the phone number until they landed upon a hit. The victim would not be notified that this has happened. Luckily, the issue was reported and fixed, with the researcher in question receiving compensation.

How do I protect myself from this?

It’s already fixed on Google’s end.