Could Your Old Phone Number Hack You?


Study shows that recycled phone numbers let attackers hijack accounts and bypass SMS 2FA, putting users at risk

Have you ever wondered what happens to your old phone number after you change carriers or swap SIMs? A study presented at APWG’s eCrime symposium shows that the answer carries more risk than most people realize. Researchers from Princeton University found that attackers can hijack online accounts, harvest personal data, and even bypass multi‑factor authentication simply by claiming a “new” number that once belonged to someone else. Phone number recycling makes it all too easy.

Inside the study

The team queried the self‑service number‑change portals at Verizon and T‑Mobile, collecting a random sample of 259 numbers offered to new customers. A striking 83 percent (215 numbers) turned out to be recycled.

Of those, 171 were still linked to online accounts, and 100 had leaked passwords in public breach dumps. This means an attacker could seize control of those accounts with little more than a password reset text. Such account hijacking is not hypothetical; it’s baked into today’s systems.

Recycled numbers create an open door for hackers.

To understand the scale, the authors estimated that Verizon alone makes roughly one million recycled numbers available every month. That volume ensures a constantly refreshed pool of potential targets, creating a nightmare for mobile carrier security teams.

How attackers exploit recycled numbers

The researchers documented eight distinct attack scenarios. They tested three low‑cost techniques in depth:

  • PII indexing: New owners feed the number into people‑search services to unearth names, addresses, and social media handles tied to the previous subscriber, raising identity theft risk.
  • Account hijacking via recovery: Many sites still rely on SMS 2FA for password resets. Therefore, controlling the number often means controlling the account.
  • Account hijacking without password reset: When breached credentials exist online, an attacker can log in directly and intercept codes, blurring the line with SIM swap attacks.

Because carriers let customers preview entire phone numbers during checkout, an adversary can cherry‑pick blocks that are statistically more likely to be recycled, then cycle through numbers until one turns up with valuable links. Importantly, the attack requires no software vulnerability. The phone company’s website supplies the attack surface.

Carrier policies add fuel to the fire

Although U.S. rules mandate a “number‑aging” period before reassignment, the study’s mystery‑shopper calls revealed astonishing confusion among carrier support staff. Customer‑service reps gave answers ranging from one hour to one year when asked how long a number sits idle.

Such inconsistency leaves subscribers guessing, and many forget to unlink their numbers from bank, email, and social accounts before those numbers become someone else’s credentials.

The real-world impact of recycled digits

In a one‑week honeypot test, nearly 10 percent of 200 recycled numbers still received sensitive texts or calls meant for former owners. Think medical results, two‑factor codes, and ride‑share receipts. Even privacy‑conscious users who avoid phishing links can become victims if a trusted website keeps texting their abandoned number.

Mitigations for carriers, companies, and consumers

The authors urge carriers to tighten their portals, shorten preview windows, and clearly disclose recycling timelines. Websites should treat phone numbers as transient identifiers, never as sole authentication factors. In addition, they should adopt app‑based or hardware keys for 2FA.
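One way a website could apply that advice, as an added example that is not from the study or the original article: a password-reset gate where an SMS code never suffices alone and a number that has not been re-verified recently is ignored. The 90-day window, the factor names and the `Account` fields are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy value: how long a verified number is trusted without re-verification.
PHONE_BINDING_MAX_AGE = timedelta(days=90)
STRONG = {"totp", "hardware_key"}

@dataclass
class Account:
    phone_verified_at: Optional[datetime]  # last time the owner proved control of the number
    email_verified: bool
    enrolled_strong: frozenset = frozenset()  # subset of STRONG the user has set up

def phone_binding_fresh(account, now):
    """A number not re-verified recently may already belong to someone else."""
    return (account.phone_verified_at is not None
            and now - account.phone_verified_at <= PHONE_BINDING_MAX_AGE)

def recovery_decision(account, proofs, now):
    """Decide a password-reset request.

    proofs: factors the requester has just passed, e.g. {"sms", "email"}.
    Returns (allowed, reason).
    """
    proofs = set(proofs)
    # 1. An enrolled app or hardware factor cannot be downgraded to SMS or email.
    if account.enrolled_strong:
        if proofs & account.enrolled_strong:
            return True, "strong factor presented"
        return False, "strong factor enrolled; SMS/email fallback refused"
    # 2. Count only the weak proofs that are still trustworthy.
    weak = set()
    if "sms" in proofs and phone_binding_fresh(account, now):
        weak.add("sms")
    if "email" in proofs and account.email_verified:
        weak.add("email")
    # 3. A phone number alone never resets a password.
    if len(weak) >= 2:
        return True, "two independent proofs"
    if "sms" in proofs and "sms" not in weak:
        return False, "phone binding stale; number may have been reassigned"
    return False, "single weak proof is not sufficient"

# Constructed sample accounts (not real data).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
stale = Account(NOW - timedelta(days=400), email_verified=True)
fresh = Account(NOW - timedelta(days=10), email_verified=True)
keyed = Account(NOW - timedelta(days=10), True, frozenset({"totp"}))
```

The stale-binding branch is the one that matters for recycled numbers: once a number has gone unverified past the window, a code delivered to it proves nothing about the original account owner.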

Meanwhile, consumers can protect themselves by purging numbers from every account before switching plans, enabling authenticator apps, and watching for unusual login alerts in the weeks after a change.

Until carriers treat number recycling as the security issue it is, the risks will persist. As the researchers warn, recycled digits are easy catches for opportunistic criminals. They present a reminder that our phone numbers, like our usernames before them, should not stand in for identity.


Author

Written and Edited by Lizzy Schinkel & WhatIsMyIP.com® Editorial Contributors
