New Number, Who Dis? The Ghosts of Someone Else's Past
You probably don’t spend much time thinking about your phone number - how you got it, when you got it, or what it actually is. It’s been a while since then, huh?
For most people now, when they get their first phone number, chances are it already has a much more complicated past than they’d imagine. Mobile phone numbers have been around since the early 1990s, and the first generations who owned them - now in their forties or fifties - didn’t have to worry about a thing. Those numbers were fresh out of the box, and no internet service was asking for them.
Fast forward to today. As time passes, more and more phone numbers are reassigned to unsuspecting newcomers. That “fresh” number you just activated may have spent years tied to someone else’s bank accounts, social media, or tax records. To you, it’s just a string of digits. To the digital world, it might still be the magic key that unlocks another person’s identity. Telecom operators routinely recycle unused numbers to prevent exhaustion of available combinations. It’s an efficient business move - but a privacy disaster waiting to happen.
The hidden risks of number recycling
Your phone number isn’t just digits; it’s a key to your digital identity. It connects to your banking apps, your email, social media accounts, even two-factor authentication systems. When carriers reassign a number too quickly, the new owner inherits its digital footprint.
Imagine receiving OTPs for someone else’s Facebook or PayPal account. Or getting calls from banks chasing debts that aren’t yours. It happens more often than you’d think. In many cases, telecom operators recycle numbers after just 90 days of inactivity.
Researchers have demonstrated how attackers could deliberately buy recently recycled numbers to hijack accounts still linked to them. Victims often don’t even realize their old number still guards the gates to their digital life.
A case study in unintended access
A Reddit user shared an experience after buying a new SIM card from Airtel. Within days, they were receiving loan calls and spam, and even found they could log into the previous owner’s accounts on various apps and services. The number hadn’t been dormant for long - only 90 days - yet was deeply tied to another person’s identity.
This isn’t a one-off. Similar cases have emerged globally, across carriers and countries. The pattern is consistent: recycled numbers, insufficient cooling-off periods, and reused digital identities.
Why cooling-off periods matter
When a phone number is surrendered, it remains tied to dozens of online services that still trust it. Banks, email providers, and apps use SMS verification as proof of identity. If a carrier reassigns that number too soon, the new owner inherits its access privileges. They can receive password reset codes, confirm transactions, or log in where they shouldn’t.
A cooling-off period gives the system time to flush out those associations. It allows users to update accounts, and services to mark numbers as inactive. Without this buffer, number recycling becomes a race between a user updating their details and a stranger activating the same number.
Regulatory blind spots and regional differences
Most regulators treat numbers as technical resources, not identity assets. The assumption is that if a number is inactive for a few months, it’s safe to reuse. That assumption fails in a world where phone numbers are part of authentication.
Policies vary across regions:
- Romania: ANCOM regulates number allocation and portability but doesn’t publish a defined cooling-off period before reuse. The result is uncertainty - carriers may recycle numbers faster than users can update their accounts.
- France: ARCEP enforces a 40-day quarantine for cancelled numbers before reuse or transfer. It’s a step forward, though far from foolproof in the context of long-lived account ties.
- United Kingdom: Ofcom sets rules for number allocation and portability but lacks a clear, standardized cooling-off mandate. Practices differ by carrier.
- Germany: No explicit national rule for dormancy before reassignment. EU switching directives apply, but they focus on portability, not identity protection.
- Italy: Similar situation - portability is regulated, but there’s no clear public dormancy rule for reallocation.
Even within the EU, rules are inconsistent and usually too short. A 40- or 90-day wait doesn’t match the lifespan of a number’s presence in online databases.
What needs to change
Telecom providers should introduce longer cooling-off periods - ideally a year - before recycling numbers. This allows digital residues to fade and reduces the risk of cross-identity leakage. Providers should also verify that numbers are fully disassociated from banking and authentication services before reallocation.
Big tech players share some of the blame. Google, Meta, and X rely on users to manually update or remove old numbers from their accounts, but none have robust automatic safeguards for recycled numbers. Google lets users change recovery numbers but doesn’t detect if an old one gets reassigned. Facebook has no clear mechanism to unlink recycled numbers from legacy accounts, while WhatsApp attempts a 45-day decay period that only partly helps. X, for all its rebranding energy, has no published guidance on the issue. In other words, the people holding the digital keys haven’t built locks that understand when those keys change hands.
For regulators, numbers must be treated as privacy-sensitive identifiers, not mere inventory. A consistent EU-wide policy could help bridge the gap between technical management and identity protection. Big tech should complement that by designing automated checks to identify and retire phone numbers tied to inactive or dormant accounts, rather than assuming the user will remember to do it.
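One way a service could implement the automated check suggested above, as an added example that is not from the article or any provider's code. The record fields, thresholds and sample numbers are assumptions, and the 40-day rule only holds where the carrier honors at least that quarantine.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Shortest reuse window named in the article (ARCEP's 40-day quarantine).
RECYCLE_WINDOW = timedelta(days=40)
# Dormancy threshold; one year mirrors the cooling-off period the article proposes.
DORMANT_AFTER = timedelta(days=365)


@dataclass
class PhoneBinding:          # hypothetical record a service keeps per account
    account: str
    number: str
    last_confirmed: date     # last time the user proved control of the number
    last_login: date         # last successful login by any factor


def sms_trust(b: PhoneBinding, today: date) -> str:
    """Decide how far SMS sent to b.number may be trusted on `today`."""
    # Assumption: a number confirmed at T cannot leave quarantine before
    # T + window, so inside that interval the confirmed user still holds it.
    if today - b.last_confirmed <= RECYCLE_WINDOW:
        return "trusted"
    # Dormant account plus stale number: nobody is racing to update it.
    if today - b.last_login > DORMANT_AFTER:
        return "retired"
    # Active account, stale number: confirm again before SMS resets are allowed.
    return "reverify"


def accounts_to_unlink(bindings, number, new_account):
    """A different account just proved control of `number`: it changed hands."""
    return sorted(b.account for b in bindings
                  if b.number == number and b.account != new_account)


# Constructed sample data (numbers are placeholders, not real subscribers).
TODAY = date(2025, 6, 30)
BINDINGS = [
    PhoneBinding("alice", "+40700000001", date(2025, 6, 10), date(2025, 6, 29)),
    PhoneBinding("bob",   "+40700000002", date(2024, 11, 1), date(2025, 6, 1)),
    PhoneBinding("carol", "+40700000003", date(2022, 3, 5),  date(2023, 1, 15)),
]

if __name__ == "__main__":
    for b in BINDINGS:
        print(b.account, sms_trust(b, TODAY))
    print(accounts_to_unlink(BINDINGS, "+40700000003", "dave"))
```

A "retired" or unlinked number is dropped from recovery and OTP delivery, so a later holder of the number receives nothing for the old account.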
At the same time, the authentication landscape is evolving. SMS-based OTPs are being phased out in Europe - the EU Login system itself will stop allowing SMS for MFA by 30 June 2025. This shift is critical: if phone numbers are moving away from being trusted security anchors, carriers and regulators need to treat them as such now. Part of the reform must include ensuring that when a number changes hands, any lingering linkage to identity, accounts, or authentication flows is systematically broken.
Conclusion, but no advice
Phone number recycling is a quiet vulnerability that barely registers in most privacy discussions. As our digital lives still rely heavily on SMS-based authentication and recovery, this loophole grows into a serious threat. Cooling-off periods aren’t just bureaucracy - they’re essential decay time for digital identities.
Otherwise, one day, your new phone number might come with a stranger’s past - and all their unfinished business attached.


