Phone numbers are a finite resource, so reassignment is unavoidable; there is no version of the phone system where numbers are used once and discarded. In the US, the FCC requires carriers to age a disconnected number for at least 45 days before giving it to a new subscriber. After that, it goes back into inventory. Change carriers without porting, let a prepaid SIM lapse, leave the country, or just pick a new number, and this clock starts on the old one.
The problem is what the rest of the internet did while you held that number. Over the last decade, the phone number quietly became a primary key for online identity: the second factor for your bank, the recovery channel for your email, the identifier for WhatsApp and Signal, the lookup handle for people-search sites. None of those systems learn that the number changed hands. From their perspective, whoever receives texts at that number is you.
What researchers actually found
This is not a theoretical concern. In 2021, Kevin Lee and Arvind Narayanan at Princeton studied 259 recycled numbers offered to new subscribers at two major US carriers. Their findings, published as "Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States," were blunt: 66% of the sampled numbers were still linked to previous owners' accounts at popular websites, reachable through ordinary password-reset flows. A large share also appeared in people-search services with the previous owner's name attached, and dozens matched credentials exposed in past data breaches, opening the door to combined attacks where a leaked password plus an inherited SMS code equals a full takeover.
They also observed that available numbers could be browsed during signup at the time, meaning an attacker could shop for numbers that looked valuable before claiming one. No exploit, no malware, no social engineering of a carrier rep. Just signing up for phone service and pressing "forgot password."
SIM swapping is an active attack: someone convinces or bribes a carrier into moving your current number to their SIM. Number recycling requires no attack at all. The carrier hands over the number through the normal signup process, legally, to whoever asks at the right moment. There is no fraud to detect and no one to report.
What the new owner inherits
- SMS two-factor codes. Any account still configured to text codes to the old number will happily text them to its new owner. NIST's digital identity guidance (SP 800-63B) has classified SMS as a "restricted" authentication channel for years, and recycling is one of the reasons.
- Password reset channels. Many services allow account recovery by phone number alone, or phone number plus easily-found personal data.
- Messaging identities. WhatsApp and Signal register accounts against phone numbers. A new owner who registers the number can begin receiving messages that your old contacts believe they are sending to you. Signal's registration lock PIN exists specifically to stop a re-registration from inheriting your profile and groups, but only if you set it.
- Your social graph's assumptions. Friends, family, doctors' offices, and your bank will keep texting the old number. The Princeton study flagged this as a privacy harm in both directions: the new owner receives a stream of someone else's life, whether they want it or not.
- Whatever the previous owner left behind. Recycling runs both ways. The number you just received may still be tied to a stranger's debts, harassment campaigns, or two-factor enrollments, and you may spend months fielding texts meant for them.
Why the fixes are structural, not personal
The deep problem is architectural: the phone number is a rented identifier being used as if it were owned. You do not own your number; you lease it from a carrier, and the lease terminates with your service. Every system that treats a number as a stable, exclusive identity is building on a rented foundation. This is the same design flaw that makes phone-number-based registration a privacy liability, viewed from a different angle.
The US has one partial mitigation at the infrastructure level: the FCC's Reassigned Numbers Database, launched in 2021, lets businesses check whether a number was disconnected after a given date, so that automated calls and texts stop flowing to strangers. It reduces misdirected messages from companies that bother to query it. It does nothing for account security, because password-reset systems do not consult it.
What to do before you give up a number
Treat a number change like moving out of an apartment: you would not leave your keys taped to the door. In rough priority order:
- Inventory where the number lives. Search your password manager for the number and check the security settings of your primary email, bank, and any account you would hate to lose. Your email account matters most, since it is the recovery root for everything else.
- Move second factors off SMS entirely. TOTP authenticator apps, passkeys, or hardware keys are all immune to number recycling. This is worth doing even if you never change numbers, because it also removes the SIM-swap surface.
- Update or remove the number as a recovery channel, account by account. Removing is better than updating where the service allows another recovery method.
- Re-register or delete messaging accounts. Move WhatsApp and Signal to the new number through their official change-number flows, and set Signal's registration lock. Explicitly deleting the old registration is cleaner than letting it lapse.
- Consider parking the number. If you cannot fully untangle it, porting the number to a low-cost VoIP service keeps it under your control for a few dollars a month while you finish the migration. This is a stopgap, not a solution.
- Tell the people who matter. Not a mass text; the short list of contacts who might one day be socially engineered by someone texting from "your" number.
The larger lesson
Number recycling is a quiet illustration of a rule that applies well beyond phones: an identifier you do not control should never be a credential. Email addresses at an employer's domain, usernames on a platform that can reclaim them, and phone numbers all fail this test eventually. The systems that age best are the ones where identity rests on keys you hold rather than identifiers you rent, which is why modern authentication keeps moving toward cryptographic credentials and why messaging systems that require a phone number keep having to bolt on defenses like registration PINs.
Until then, the practical version of the rule is simple: the day you decide to drop a number, the security work starts, and it needs to finish within the aging window. After that, someone else is holding your keys.