A leaked phone number might seem like a minor inconvenience — more spam calls, maybe a few suspicious texts. But in reality, your phone number is a gateway to your most sensitive accounts. It is tied to your two-factor authentication, your banking apps, your email recovery options, and your identity. When your number is exposed through a data breach, a data broker listing, or a social media scrape like the Facebook leak that exposed 533 million phone numbers, the risks go far beyond robocalls. Here is exactly what to do if your phone number has been compromised.
Why a Leaked Phone Number Is Serious
Your phone number is not just a way to reach you — it is a critical piece of your digital identity. When it falls into the wrong hands, attackers can use it for:
- SIM swapping: Criminals contact your mobile carrier, impersonate you, and transfer your phone number to a device they control. Once they have your number, they receive your two-factor authentication codes and can access your bank accounts, email, and social media.
- Phishing and smishing: Targeted text message scams become far more effective when attackers already know your name, address, and other personal details alongside your phone number.
- Account takeover: Many online services use your phone number as a recovery option. With your number, attackers can trigger password resets and lock you out of your own accounts.
- Identity theft: Combined with other leaked data — your name, date of birth, address — your phone number helps criminals build a complete identity profile to open fraudulent accounts in your name.
- Spam and harassment: Once your number is on leaked databases, it gets sold and resold to spam operations, scam call centers, and marketing firms indefinitely.
SIM Swapping Is More Common Than You Think
SIM swapping attacks have surged in recent years, with the FBI reporting tens of millions of dollars in losses annually from this single attack vector. If your phone suddenly loses service, shows "No Signal" or "Emergency Calls Only" in a location where you normally have coverage, contact your carrier immediately — you may be in the middle of a SIM swap attack.
Immediate Steps to Take
1. Check If Your Number Has Been Compromised
Before taking action, confirm the scope of the exposure. Visit Have I Been Pwned (haveibeenpwned.com) and enter your phone number and email address to see which breaches have included your data. This will tell you what other information — email, password, address — may have been exposed alongside your phone number, which helps you prioritize your response.
2. Contact Your Mobile Carrier Immediately
Call your carrier's fraud department and take these specific actions:
- Set a port-out PIN or transfer lock: This prevents anyone from transferring your phone number to another carrier or device without providing the PIN. Every major carrier — AT&T, Verizon, T-Mobile — offers this protection, and it is the single most important defense against SIM swapping.
- Add a fraud alert to your account: Ask the carrier to flag your account so that any changes require additional identity verification.
- Review recent account activity: Ask if any changes, SIM swaps, or device updates have been made to your account that you did not authorize.
3. Secure Your Primary Email and Financial Accounts
Your email account is the master key to your digital life — password resets for almost everything go through it. Immediately:
- Change your email password to a strong, unique password (15+ characters)
- Change passwords for banking, investment, and payment apps
- Review recent login activity and sign out of any unrecognized sessions
- Check for unauthorized email forwarding rules that could be silently redirecting your messages
4. Switch From SMS-Based Two-Factor Authentication
If your phone number is compromised, SMS-based two-factor authentication becomes a liability rather than a protection. Attackers who control your number through a SIM swap will receive your verification codes. Switch to a more secure authentication method:
- Authenticator apps: Google Authenticator, Microsoft Authenticator, or Authy generate codes locally on your device and are not tied to your phone number.
- Hardware security keys: Physical devices like YubiKey provide the strongest form of two-factor authentication and are virtually immune to remote attacks.
- Passkeys: An increasingly supported standard that replaces both passwords and SMS codes with cryptographic authentication tied to your device.
Prioritize switching 2FA on your email, banking, and social media accounts first. These are the highest-value targets for attackers.
5. Block Unwanted Communications
Once your number is on leaked lists, the spam calls and texts will increase. Take steps to manage the flood:
- Enable your carrier's built-in spam filtering (T-Mobile Scam Shield, AT&T ActiveArmor, Verizon Call Filter)
- Use third-party call-blocking apps for additional protection
- Register your number with the National Do Not Call Registry at donotcall.gov — this stops legitimate telemarketers but will not stop scammers
- On iPhone, enable Silence Unknown Callers (Settings > Apps > Phone > Silence Unknown Callers) to send unfamiliar numbers directly to voicemail
- On Android, enable Caller ID & spam protection in your Phone app settings
6. Notify Your Close Contacts
Alert your family, friends, and close colleagues that your phone number has been compromised. Scammers may use your number or impersonate you to send phishing messages to people in your contact list. A quick heads-up can prevent someone you care about from falling for a scam that appears to come from you.
7. Monitor for Suspicious Activity
In the weeks and months following a leak, stay vigilant:
- Watch for unexpected password reset emails or verification codes you did not request
- Monitor your bank and credit card statements for unauthorized transactions
- Check your credit report for accounts you did not open — you can access free weekly reports at annualcreditreport.com
- Set up transaction alerts with your bank so you are notified of any activity in real time
8. Consider Getting a New Number
If the exposure is severe — if you are receiving targeted phishing attempts, if a SIM swap has already been attempted, or if the harassment is unmanageable — it may be worth getting a new phone number. This is disruptive, but sometimes it is the most effective solution. If you do get a new number:
- Update your number with your bank, employer, and critical services first
- Do not post your new number on social media or public platforms
- Use a secondary number (Google Voice, Hushed, or a similar service) for any public-facing or low-trust interactions going forward
Use a Secondary Number Going Forward
Whether or not you change your primary number, consider using a free service like Google Voice for online sign-ups, marketplace transactions, and any situation where your number might become public. Keep your real number limited to trusted contacts, your bank, and your employer. This simple habit prevents future leaks from exposing your primary number again.
How Your Phone Number Ends Up Exposed
Understanding how phone numbers get leaked can help you prevent future exposure:
- Data breaches: Large-scale breaches at companies like Facebook (533 million records), Telegram, and countless other services regularly expose phone numbers alongside other personal data.
- Data broker sites: People-search websites like Spokeo, WhitePages, BeenVerified, and dozens of others compile your phone number from public records, marketing databases, and other sources — then publish it for anyone to find.
- Social media scraping: Automated tools harvest phone numbers from social media profiles where users have not restricted their privacy settings.
- App permissions: Many mobile apps request access to your contacts, then upload those phone numbers to their servers, where they can be sold or breached.
- Public records: Voter registrations, property records, court filings, and business registrations often include phone numbers that become part of data broker databases.
Remove Your Phone Number From Data Brokers
Even after you have secured your accounts and locked down your carrier, your phone number likely remains listed on dozens of data broker and people-search sites. These sites make your number findable by anyone with a search engine, and they are a primary source of data for scammers, spammers, and identity thieves.
Manually opting out of each site is possible but extremely time-consuming — there are over 100 known data brokers that may have your information, each with its own opt-out process, and many re-list your data within weeks or months.
PrivacyOn automates this entire process. PrivacyOn continuously scans and removes your phone number and other personal information from 100+ data broker and people-search sites, submitting opt-out requests on your behalf and monitoring for re-listings. This is not a one-time fix — it is ongoing protection that keeps your phone number from being publicly available to the next scammer, spammer, or data scraper who comes looking for it.
A leaked phone number does not have to define your security going forward. By acting quickly — securing your carrier account, switching away from SMS-based 2FA, and removing your data from the brokers that keep it exposed — you can significantly reduce your risk and take back control of your privacy.