UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Steps to reproduce the problem:
1. My fiance forgot his gmail password and he is moved to another country as part of his job. So he changed his Mobile no. So as to he can't access his gmail via phone number.
2. His gmail account is already signed in from my mobile phone, also me too not remembering the password.
When I'm going to change the password from gmail it ask for the old password, which I don't know.
3. All the security questions were not easy as well, and I tried to change password from my gmail too.Bad luck!
At last Could reset it using my mobile number.

So the problem is if his account was logged in any of other person instead of me, What will happen. Also his Facebook is linked in from this gmail too.
So it is very easy to attack by other one's.

What is the expected behavior?
If the security question was easy, it was great. Also if he  login via his new phone number.

What went wrong?
If someone who knows the security questions(When created the gmail -  basic questions) it easy for them to attack the account. Also they can access via phone number if they got access on it.

Did this work before? N/A 

Chrome version: 64.0.3282.186  Channel: n/a
OS Version: 10.0
Flash Version: