When you get a login code for an account you don’t have

What to do if you receive a text with a two-factor authentication code from a service you’ve never registered for.

Authentication codes from a service you don't have an account with

We’ve previously covered what to do if you receive an unexpected one-time login code for one of your accounts (spoiler alert: it’s probably a hacking attempt, and it’s time to consider getting reliable protection for all your devices).

But sometimes the situation is different: you get a two-factor authentication code for a service where you’ve never had an account. In this post, we’ll discuss why this might happen, and how to react to such messages.

Why you might receive a code for an unknown account

There are two basic explanations for receiving one-time login codes for an account you’re certain doesn’t belong to you.

The first and most likely explanation: before you got your current phone number, it belonged to someone else. When they canceled their service, the number went back into circulation and eventually landed with you. This is called “phone number recycling” — a standard practice for mobile service providers.

Thus, the previous owner of your number registered an account using it. And now, either they’re trying to log in, or someone else is attempting to hack their account. As a result, one-time login codes are being sent to the number (which now belongs to you).

The less likely scenario is that someone is unintentionally trying to register an account using your phone number. Perhaps they mistyped their own number, or simply entered a random sequence of digits that happened to be yours.

What to do

No matter which of the above scenarios may have occurred, the good news is it’s not your problem. You don’t need to do anything and there’s nothing to worry about — unless you plan on creating an account with that service. If you do, you might run into a problem: your number is already associated with an existing (albeit abandoned) account. In that case, contact the service’s support team and explain the situation, and ask them to detach the unknown account from your number while mentioning that you’re a potential new customer.

If support can’t or won’t help, there’s nothing you can do except get an extra SIM card and link your account to the new number.

What NOT to do

Now, let’s talk about what you absolutely should not do: under no circumstances should you attempt to use the one-time codes you receive to access an account that doesn’t belong to you. Curiosity killed the cat, and in this case it could have serious consequences.

Accessing someone else’s account isn’t just unethical; it’s illegal in most jurisdictions. For example, in the U.S., the very strict Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030), covers this. Germany has a Section 202 of its Criminal Code (StGB $ 202), and the list goes on for most if not all countries worldwide. Although the probability of facing legal consequences for accessing someone else’s account may not be high, it’s not worth the risk.

Keep in mind that this probability increases significantly if the account is linked to illegal activity. In that case, law enforcement might take a keen interest in anyone who accesses the account, and sooner or later you could find yourself facing some very uncomfortable questions.

So, the best course of action when receiving a text message with a one-time login code for an account that doesn’t belong to you is to simply ignore it. And to avoid any unnecessary trouble, absolutely do not try to log in to someone else’s account.

Tips