So the attacker has known in advance that the secret was stored in google photos? Is it a common way to store passwords, or is some piece missing here?