19 Billion Reasons to Stop Using Your Phone Number as a Security Device
On the scale of the credential catastrophe that current breach databases represent, why SMS-based two-factor authentication is a security theater performance that state-level attackers have been ignoring for years, and the authentication hierarchy that actually works in 2025.
Sometime in the early 1990s, I sat at a desk in Germany with a gray rotary telephone handset, a device that belonged to the Deutsche Post, pressed against an acoustic coupler attached to my computer’s serial port. The acoustic coupler converted digital signals into audio tones, which the telephone microphone captured and transmitted through a network that had been designed for voice calls in 1975. What I was doing with this contraption was connecting to bulletin board systems in the United States, which required me to first make the call and then stay connected for as long as I wanted information, at international per-minute rates. Since I was 21, owned no significant assets, and had no intention of paying international long-distance rates for the duration of my educational activities, I had worked out an alternative arrangement: I had identified a method to send a specific break signal to a telecommunications satellite of the then-German postal service, which had the convenient effect of keeping the call connected at the billing expense of a US company rather than mine.
What I had stumbled into was the overlap between phreaking, the art and science of exploiting telecommunications infrastructure, and what would later be called unauthorized access to computer systems. The techniques involved were not sophisticated by modern standards; they exploited the fundamental design of a telecommunications network that had been built with the assumption that everyone using it was either a carrier employee or a paying customer, neither of which accounted adequately for the third category. I was aware that what I was doing was technically illegal, and I was aware that at some point someone would notice the billing anomaly. When they did, nothing was ever conclusively proven, and the statute of limitations has long since expired on anything that might have been. The reason I tell this story is not to celebrate my ingenuity at 21, which was considerable, but because that telecommunications network, in its fundamental security assumptions, is still with us. And its weaknesses are still being exploited, today, at a scale that makes my activities of 30 years ago look like a rounding error.
19 Billion Is Not a Metaphor
In July 2024, researchers at Cybernews published what they called the RockYou2024 dataset: a compilation of approximately 10 billion unique plaintext passwords, assembled from breach records going back years, posted publicly on a hacking forum. That was the largest credential compilation in recorded history at the time of its publication. By January 2025, the total number of compromised credentials in active circulation across dark web forums, credential broker databases, and infostealer logs had reached approximately 16 billion. By mid-2025, that figure had grown to 19 billion, with additional data constantly being generated by a class of malware called infostealers, programs like RedLine, Raccoon, Lumma, and Vidar, designed specifically to extract saved credentials from browser databases on infected devices.
In 2024 alone, 3.2 billion credentials were stolen, a 33 percent increase from the previous year, with infostealers responsible for approximately 75 percent of that total. In January 2024, the Cybernews research team documented the Mother of All Breaches, a single exposed database containing 26 billion records aggregated from hundreds of prior breaches. This was not a breach of a single organization; it was the consequence of years of credential accumulation now exposed in a single accessible repository.
The credential stuffing attack is the automated exploitation of these databases. The attacker feeds stolen username-password pairs into automated login scripts directed at any service that accepts those credentials. By 2024 and 2025, compromised credentials were the single most common initial attack vector in data breaches, accounting for 22 percent of all incidents: more than phishing, more than vulnerability exploitation, more than any other category (IBM, 2024 Cost of a Data Breach Report). The average time to detect and contain a breach initiated with stolen credentials was 292 days, the longest of any attack vector, because an attacker logging in with a valid username and password is, to most access-logging systems, indistinguishable from a legitimate user.
The practical consequence is this: if you have ever used the same password on 2 different services, and one of those services was breached, your credentials are likely in one of these databases. The question is not whether they are available to an attacker, but whether an attacker has yet found it worth their time to try them against the services you care about.
Why the Password Is Structurally Broken
The password was a reasonable security mechanism for 1960s mainframe environments with a small number of users and a single point of authentication. It ceased to be a reasonable security mechanism for general internet use somewhere around the late 1990s, when the combination of ubiquitous connectivity, exponentially growing computational power, and the sheer proliferation of services requiring authentication created conditions the password’s design had never contemplated.
A password is a shared secret. You know it, and the service you authenticated to knows it. The service stores some representation of it, hashed with varying degrees of care depending on the security practices of that particular engineering team. When that service is breached, which happens to services of all sizes and apparent security levels, the representation of your password is exposed. When 2 services share the same password, a breach of the less secure one compromises the more secure one. Multiplied across the 100 to 200 online accounts that the average adult maintains in 2025, this creates a security posture in which the resilience of your most important accounts is determined by the weakest service you have ever used that password on.
The solution to password reuse is a unique, randomly generated password for every service. That is what a password manager enables, and it is why password managers are not optional but functionally necessary for anyone who uses the internet in good faith. Applications like Bitwarden, 1Password, KeePassXC, and comparable tools generate cryptographically random strings, store them encrypted under a strong master password, and fill them automatically when you authenticate. The only password you need to remember is the master password, which should be a passphrase of at least 4 to 5 random words, long enough in total to resist both dictionary and brute-force attacks. NIST’s 2024 password guidance specifically emphasizes length over complexity, recommending a minimum of 15 characters, and drops the previous requirement for mandatory periodic rotation, which research showed produced predictable patterns rather than improved security (NIST SP 800-63B-4, 2024).
The Authentication Hierarchy: From Worst to Best
Not all second factors are equal. This is the most important nuance that the marketing language around “2FA” or “MFA” consistently obscures, and it is the nuance that costs real people real money in real attacks.
SMS-based one-time codes are the most widely deployed second factor and the weakest of those that count as a meaningful improvement over no second factor at all. The weakness has 2 independent origins, either of which is sufficient to defeat SMS authentication on its own. The first is SS7, the Signaling System No. 7 protocol, which routes SMS messages between carrier networks worldwide and which was designed in the 1970s with no encryption and no sender authentication. In 2017, criminals exploited SS7 vulnerabilities to intercept 2FA codes sent by German banks to their customers, draining accounts by redirecting SMS messages at the carrier network level. In February 2024, the FBI and CISA issued a joint advisory documenting Chinese state-sponsored actors using SS7 access to intercept authentication messages from commercial telecommunications networks, not as a theoretical demonstration but as an active operational capability.
The second weakness is SIM swapping, which requires no technical infrastructure at all, only a telephone and a convincing story told to a carrier representative. SIM swapping involves transferring a victim’s phone number to a SIM card controlled by the attacker, at which point the attacker receives all calls and messages addressed to that number, including one-time codes from every service that uses SMS authentication. In 2024, SIM swap fraud cases increased by 1,055 percent compared to the previous year. The introduction of eSIM technology, which allows number transfers via QR code without a physical carrier visit, reduced the average attack cycle from hours to under 5 minutes.
Anyone defending a high-value account, which includes business email, banking, cryptocurrency holdings, cloud infrastructure access, or any account whose compromise would have material financial or professional consequences, should treat SMS 2FA as equivalent to no second factor at all.
Time-based one-time passwords, TOTP, generated by authenticator applications like Authy, Google Authenticator, or the open-source Aegis on Android, represent a substantial improvement. TOTP codes are generated entirely on the device from a shared secret established during setup and the current time, combined with HMAC-SHA1. The code never traverses any network. SIM swapping is irrelevant because possession of the victim’s phone number provides no access to the secret stored in the authenticator application. The primary residual vulnerability is real-time phishing: a convincing fake login page can solicit both the password and the TOTP code, relay them immediately to the legitimate service, and gain access before the code expires. TOTP is significantly better than SMS but is not phishing-resistant.
FIDO2, the standard underlying hardware security keys from manufacturers like YubiKey and NitroKey, and passkeys, the device-native implementation of the same cryptographic foundation, represent the current state of the art. During enrollment, the device generates a key pair, registers the public key with the service, and retains the private key on the device, never transmitting it. Authentication requires signing a challenge with the private key, which the device performs locally after verifying user presence through a PIN or biometric. The credential is bound to the specific service domain during enrollment, meaning a phishing site cannot receive a credential registered for another domain, because the domain binding is cryptographic and enforced by the authenticator hardware. Real-time phishing is structurally impossible: there is no code to intercept, no token to replay, and no credential that transfers.
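The domain binding described in this paragraph is the whole phishing defence, so here is an added simulation of it: an authenticator that holds an Ed25519 private key bound to one relying-party ID, a relying party that holds only the public key, and a browser that derives the rpID from the page origin before asking for an assertion. This is example code written for this article, not the WebAuthn library of any vendor named above; the relying party `bank.example` and the look-alike origin are constructed, Ed25519 stands in for whatever algorithm a real key negotiates, and the signed data is reduced to rpIdHash and clientDataHash (real authenticatorData also carries flags and a signature counter, and clientDataJSON also records the origin and request type).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// credential is what the authenticator keeps after enrollment: a private key that is
// bound to exactly one relying-party ID and never leaves the device.
type credential struct {
	rpID string
	priv ed25519.PrivateKey
}

// Authenticator models the key or platform authenticator: credentials indexed by rpID.
type Authenticator struct {
	creds map[string]credential
}

// RelyingParty is the service; all it stores from enrollment is the public key.
type RelyingParty struct {
	RPID string
	Pub  ed25519.PublicKey
}

// Assertion is the authenticator's signed answer to a challenge (simplified, see lead-in).
type Assertion struct {
	RPIDHash       [32]byte
	ClientDataHash [32]byte
	Sig            []byte
}

// Register performs enrollment for one relying party: fresh key pair, public half returned.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.creds == nil {
		a.creds = map[string]credential{}
	}
	a.creds[rpID] = credential{rpID: rpID, priv: priv}
	return pub, nil
}

// signedBytes is the message actually signed: rpIdHash || clientDataHash.
func signedBytes(rpIDHash, clientDataHash [32]byte) []byte {
	return append(rpIDHash[:], clientDataHash[:]...)
}

// GetAssertion is what the browser calls, passing the rpID it derived from the page
// origin. With no credential for that rpID there is nothing to sign: a page on another
// domain gets an error, not a credential.
func (a *Authenticator) GetAssertion(rpID string, challenge []byte) (*Assertion, error) {
	cred, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	as := &Assertion{
		RPIDHash:       sha256.Sum256([]byte(rpID)),
		ClientDataHash: sha256.Sum256(challenge),
	}
	as.Sig = ed25519.Sign(cred.priv, signedBytes(as.RPIDHash, as.ClientDataHash))
	return as, nil
}

// Verify is the service side: the rpIdHash must be its own, the challenge must be the
// one it issued (so a captured assertion cannot be replayed), and the signature must check.
func (rp *RelyingParty) Verify(as *Assertion, challenge []byte) bool {
	if as.RPIDHash != sha256.Sum256([]byte(rp.RPID)) {
		return false
	}
	if as.ClientDataHash != sha256.Sum256(challenge) {
		return false
	}
	return ed25519.Verify(rp.Pub, signedBytes(as.RPIDHash, as.ClientDataHash), as.Sig)
}

// LoginFrom simulates a browser on the given page origin: it derives the rpID from the
// origin's host, asks the authenticator for an assertion, and hands it to the real service.
func LoginFrom(origin string, auth *Authenticator, rp *RelyingParty) bool {
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { // the service issues a fresh challenge
		return false
	}
	as, err := auth.GetAssertion(u.Hostname(), challenge)
	if err != nil {
		return false
	}
	return rp.Verify(as, challenge)
}

func main() {
	auth := &Authenticator{}
	pub, err := auth.Register("bank.example") // constructed relying party
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{RPID: "bank.example", Pub: pub}
	fmt.Println("genuine origin:  ", LoginFrom("https://bank.example/login", auth, rp))           // true
	fmt.Println("look-alike origin:", LoginFrom("https://bank-example.evil.test/login", auth, rp)) // false
}
```

The point to notice is where the decision is made: the look-alike page never obtains anything to forward, because the rpID the browser hands to the authenticator is taken from the address bar, not from the page content, and the authenticator has no credential under that name. There is no code for a user to type into the wrong site, which is the difference from the TOTP case.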
The practical advice follows directly from this hierarchy: use app-based TOTP as a minimum improvement over SMS, and use FIDO2 hardware keys or passkeys wherever the service supports them. A hardware key costs between 30 and 60 euros and provides more security for any account it protects than any software-based solution.
Have I Been Pwned and the Intelligence of Monitoring
Troy Hunt’s Have I Been Pwned service is the most accessible public interface to the intelligence problem of credential exposure. The service aggregates breach data from thousands of published incidents and allows any user to check whether their email address or phone number appears in the indexed records. As of 2025, the database contains records from hundreds of documented breaches and hundreds of billions of individual records, including the major compilations of 2024. The service also provides a free notification subscription: registering your email address means you will receive a notification the next time that address appears in a new breach.
Several complementary services operate similar databases from different data sources, including the Hasso Plattner Institute’s Identity Leak Checker, operated by the University of Potsdam, and the University of Bonn’s leak-checking service with access to over 30 billion identity records. For users in Germany, both represent institutional-grade alternatives to the US-based primary service.
The use of these services should be understood as incident response, not prevention. They tell you when exposure has already occurred, which is the prerequisite for changing credentials before an attacker uses them. Combined with unique passwords per service, managed by a password manager, and protected by app-based TOTP at minimum and FIDO2 where possible, they form a defensible posture for 2025.
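Checking an email address against Have I Been Pwned is a form submission, but checking a password against its breach corpus raises the obvious question of how to do that without sending the password anywhere. The published Pwned Passwords range lookup answers it with k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that range, and compares locally. The block below is an added example written for this article, not Troy Hunt's code or client; it runs offline against a constructed range body (the counts and the neighbouring suffixes are made up) and, to stay self-contained, does not perform the HTTPS request that a real client would issue for `https://api.pwnedpasswords.com/range/<prefix>`.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// HashParts computes the uppercase hex SHA-1 of a password and splits it at the
// k-anonymity boundary: the 5-character prefix is all that is sent, the 35-character
// suffix stays on the client and is compared locally.
func HashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// CountInRange scans a range response ("SUFFIX:COUNT" per line) for the local suffix
// and returns how often that password was seen in breaches, or 0 if it is absent.
func CountInRange(body, suffix string) int {
	for _, line := range strings.Split(body, "\n") {
		s, c, ok := strings.Cut(strings.TrimSpace(line), ":")
		if !ok {
			continue
		}
		if strings.EqualFold(s, suffix) {
			n, err := strconv.Atoi(strings.TrimSpace(c))
			if err != nil {
				return 0
			}
			return n
		}
	}
	return 0
}

// constructedRange stands in for the response body for prefix 5BAA6. Apart from the
// suffix belonging to the string "password", the suffixes and all counts are invented.
const constructedRange = `1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2AAA439F7B8C0B8E4EC3C8E4E3E1BEB6C:7
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1`

// BreachCount is the complete client-side check for one password against one range body.
func BreachCount(password, rangeBody string) int {
	_, suffix := HashParts(password)
	return CountInRange(rangeBody, suffix)
}

func main() {
	prefix, _ := HashParts("password")
	fmt.Println("prefix sent to the service:", prefix) // 5BAA6
	fmt.Println("\"password\" seen:", BreachCount("password", constructedRange), "times in the constructed sample")
	fmt.Println("random passphrase seen:", BreachCount("vault-lantern-quartz-meadow-orbit", constructedRange), "times")
}
```

The service learns only that the client is interested in one of the roughly hundreds of thousands of hashes sharing a five-character prefix, never which one; the comparison that matters happens on the client. This is the same split a password manager uses when it warns that a stored password has appeared in a breach.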
Other services worth knowing:
- Mozilla Monitor: A free service from Mozilla that checks if your email address has been exposed in known data breaches.
- Intelligence X: A search engine and data archive for email addresses, domains, IP addresses, and deep web data.
- HPI Identity Leak Checker: The Hasso Plattner Institute service that checks if your personal data appeared in known leaks.
- Leak Checker by the University of Bonn: Access to over 30 billion identities with active deep and dark web scanning.
- DeHashed: A fast and extensive search engine for data breaches covering email, usernames, and phone numbers.
The German State and the Hacker It Cannot Find
The Bundesamt für Sicherheit in der Informationstechnik has for years advertised positions for cybersecurity professionals and struggled to fill them with people who can actually operate at the required level. The Bundeswehr has sought skilled penetration testers with similar difficulty. The structural problem is that the people who are actually skilled at penetrating systems did not learn this skill in a university cybersecurity program, because such programs did not exist when the relevant skills were being developed, and because the development of genuine attack capability requires practical engagement with systems under adversarial conditions that no university curriculum can safely replicate.
The best penetration testers, the people who are genuinely capable of finding the vulnerabilities that matter in systems that matter, typically have histories that begin with the kind of activities I engaged in at 16 and 21, which is to say histories that are technically criminal under most current legal frameworks and that therefore make them difficult to employ in formal government settings where security clearances are required and criminal records are disqualifying.
Germany’s approach to this problem has been to hire computer science graduates and call them security professionals, which produces administrators who understand protocols and frameworks but who have never actually broken anything, which is not the same skill set. A computer science degree certifies someone as a penetration tester about as reliably as a degree in musicology certifies someone as a jazz musician. The instrument has to be played, preferably under conditions that were not entirely sanctioned. The United States has been somewhat more pragmatic about the pipeline problem, operating programs that offer structured pathways for people with relevant histories who are willing to redirect that energy toward defensive and authorized offensive work. The German bureaucracy has not yet developed equivalent comfort with the ambiguity this requires.
A Word Before the End
It is easy to read statistics in the billions and feel that the problem is too large to be personally relevant. It is not. The credential stuffing attack is fully automated and requires no human attention per target: an attacker feeds 2 billion stolen email-password pairs into a script that tests them against a service’s login endpoint, and the script reports back which pairs succeeded. Whether your account is one of them depends entirely on whether you have reused a password that appears in the breach databases, and on whether the service you care about accepts that credential without a second factor the attacker cannot also supply.
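The attack pattern sketched in this paragraph and in the credential-stuffing paragraph under "19 Billion Is Not a Metaphor" has a defender's mirror image: the individual logins look legitimate, but the source tries many accounts, fails most of them, and occasionally succeeds. The block below is an added detection example written for this article, not code from any product or from the author; the log format (`time ip=… user=… result=…`), the sample lines, the source addresses and the thresholds of five distinct accounts and a 60 percent failure ratio are all constructed for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed test data, not real traffic. One IP sprays six accounts and
// lands one; a second IP is a user fumbling a password; a third is below threshold.
const sampleLog = `2025-06-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2025-06-01T10:00:02Z ip=203.0.113.7 user=bob result=success
2025-06-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2025-06-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2025-06-01T10:00:03Z ip=203.0.113.7 user=erin result=fail
2025-06-01T10:00:04Z ip=203.0.113.7 user=frank result=fail
2025-06-01T10:01:10Z ip=198.51.100.9 user=alice result=fail
2025-06-01T10:01:25Z ip=198.51.100.9 user=alice result=fail
2025-06-01T10:01:40Z ip=198.51.100.9 user=alice result=success
2025-06-01T10:02:00Z ip=192.0.2.5 user=grace result=fail
2025-06-01T10:02:30Z ip=192.0.2.5 user=heidi result=success`

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	At      time.Time
	IP      string
	User    string
	Success bool
}

// parseLine parses the hypothetical "RFC3339 key=value ..." format used by sampleLog.
func parseLine(line string) (AuthEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return AuthEvent{}, errors.New("short line")
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AuthEvent{}, err
	}
	ev := AuthEvent{At: at}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "ip":
			ev.IP = v
		case "user":
			ev.User = v
		case "result":
			ev.Success = v == "success"
		}
	}
	if ev.IP == "" || ev.User == "" {
		return AuthEvent{}, errors.New("missing ip or user")
	}
	return ev, nil
}

// parseLog parses every well-formed line and silently skips the rest.
func parseLog(text string) []AuthEvent {
	var out []AuthEvent
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		if ev, err := parseLine(sc.Text()); err == nil {
			out = append(out, ev)
		}
	}
	return out
}

// Finding describes one source IP whose login pattern looks like credential stuffing.
type Finding struct {
	IP            string
	Attempts      int
	DistinctUsers int
	FailRatio     float64
	Span          time.Duration
	Compromised   []string // accounts that accepted a password from this IP: reset these first
}

// findStuffing flags IPs that tried at least minUsers distinct accounts with a failure
// ratio of at least minFailRatio. Successes inside such a pattern are the real alert.
func findStuffing(events []AuthEvent, minUsers int, minFailRatio float64) []Finding {
	type stats struct {
		attempts, failures int
		users              map[string]bool
		successes          []string
		first, last        time.Time
	}
	byIP := map[string]*stats{}
	for _, ev := range events {
		s, ok := byIP[ev.IP]
		if !ok {
			s = &stats{users: map[string]bool{}, first: ev.At, last: ev.At}
			byIP[ev.IP] = s
		}
		s.attempts++
		s.users[ev.User] = true
		if ev.Success {
			s.successes = append(s.successes, ev.User)
		} else {
			s.failures++
		}
		if ev.At.Before(s.first) {
			s.first = ev.At
		}
		if ev.At.After(s.last) {
			s.last = ev.At
		}
	}
	var findings []Finding
	for ip, s := range byIP {
		ratio := float64(s.failures) / float64(s.attempts)
		if len(s.users) >= minUsers && ratio >= minFailRatio {
			findings = append(findings, Finding{IP: ip, Attempts: s.attempts, DistinctUsers: len(s.users),
				FailRatio: ratio, Span: s.last.Sub(s.first), Compromised: s.successes})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].DistinctUsers > findings[j].DistinctUsers })
	return findings
}

func main() {
	for _, f := range findStuffing(parseLog(sampleLog), 5, 0.6) {
		fmt.Printf("%s: %d attempts against %d accounts in %s, %.0f%% failed; accepted logins: %v\n",
			f.IP, f.Attempts, f.DistinctUsers, f.Span, f.FailRatio*100, f.Compromised)
	}
}
```

On the constructed sample only 203.0.113.7 is reported, and the account it landed on (bob) is the one to force a password reset and a second-factor check on; the user who mistyped twice from 198.51.100.9 is not flagged because a single account is involved. Grouping by source IP is the simplest key and the easiest for an attacker to spread across a proxy pool, so the same statistics are worth computing per ASN, per user agent, and against the service's global failure-rate baseline.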
Enabling TOTP-based authentication on your 10 most important accounts, installing a password manager and generating unique passwords for every service, and checking your email addresses against Have I Been Pwned costs approximately 2 hours of your time. It reduces your probability of credential-based account compromise by a factor that is difficult to overstate. There is no other security investment with a comparable return per hour of effort.
Closing
The acoustic coupler in the photograph at the top of this article is not a curiosity from a distant era. It is a piece of hardware that was used to exploit a telecommunications infrastructure whose fundamental security assumptions have not changed in 50 years, whose authentication weaknesses are still being leveraged by the same categories of actors using the same categories of techniques, and whose main protection mechanism is still the shared secret, the password that the user knows and the service stores, with all the structural vulnerabilities that implies.
The 19 billion compromised credentials in circulation in 2025 are not a sign that the internet is unusually dangerous. They are a sign that we have been operating systems whose security model was adequate for a research network in 1975 at the scale of the global economy in 2025, and that the gap between those 2 contexts has been generating a compounding debt that attackers continue to collect on, automatically, around the clock, at rates that increase by approximately one-third per year.
Use an authenticator application. Use a hardware key where possible. Use a password manager. Check your email addresses in the breach databases. Do these things in that order, today, and not because I am recommending them, but because 19 billion stolen credentials and a 1,055 percent increase in SIM swap fraud in a single year constitute a dataset whose recommendations are more compelling than any individual’s.
References
- Authn8. (2026). Why CISA and the FBI say stop using SMS for 2FA. https://authn8.com/blog/sms-2fa-risks-why-authenticator-apps-are-safer
- BlackFog. (2025). The world’s largest credential leak hits 16 billion records. https://www.blackfog.com/worlds-largest-credential-leak-hits-16-billion/
- Cybernews Research Team. (2024). RockYou2024: 10 billion passwords exposed. Cybernews.
- Deepstrike.io. (2026). Password statistics 2026: Reuse, breaches, MFA & passkeys. https://deepstrike.io/blog/password-statistics-2025
- Deepstrike.io. (2025). Compromised credential statistics 2025: Breach costs and controls. https://deepstrike.io/blog/compromised-credential-statistics-2025
- IBM Security. (2024). 2024 Cost of a data breach report. IBM Corporation.
- Keepnet Labs. (2026). SIM swap fraud 2025: Stats, legal risks and defenses. https://keepnetlabs.com/blog/what-is-sim-swap-fraud
- NIST. (2024). Digital identity guidelines (NIST SP 800-63B-4, 2nd public draft). National Institute of Standards and Technology.
- Psono. (2025). SMS-based 2FA is insecure. https://psono.com/blog/sms-based-2fa-insecure
- Trustle. (2025). 60 essential cybersecurity statistics for 2025. https://www.trustle.com/post/2025-cybersecurity-statistics