
I don't see a security vulnerability, but bad security practice.

Either they: Delete the account. All is well.

Either they: Take over the account. It is common sense then to change the phone number associated with the account. All is well.

You could solve this "bug" by reading the documentation and creating a better security protocol (which is currently putting your organizations' data at risk).

I clicked the title with just one thought in the back of my mind: "If this is an active serious vulnerability then why did OP not apply for the vulnerability program and have it fixed beforehand"?

My experience with the vulnerability team has been great (one honorable mention and one pay-out). If you did not get an honorable mention then it means the security team did not file a bug report. Your feedback could probably still be used to improve the UI.

As an aside: Hunting real security bugs on Google domains is insanely addictive (because they are so hard to find). Try to generate all their different error screens. Try to find the Google property running on aspx. To practice there is also https://google-gruyere.appspot.com/



