A new zero-day vulnerability was discovered by application security engineer Brett Buerhaus and privately reported to Google on September 1, and the company fixed the flaw within 17 days. Google paid the researcher $5,000 as a reward under its bug bounty program. The XSS flaw allowed attackers to force the admin to perform the following actions: creating new users with “super admin” rights, and disabling two-factor authentication (2FA) and other security measures from existing accounts or from multiple domains.
Source: https://thehackernews.com/2015/01/google-account-hacking.html

