
Digital Identity at Risk: The Silent Threat of SIM Recycling in Nigeria
By Shuaib S. Agaka
A few months ago, Mr. Y lost his mobile phone and, with it, his SIM card. At first, it seemed like a minor inconvenience. But months later, he discovered he could no longer access his WhatsApp, Facebook, or email accounts. Unbeknownst to him, his former phone number had been reassigned to another user who inadvertently gained access to these platforms through SMS-based verifications.
What began as a lost SIM had quietly escalated into a full-blown identity breach, locking Mr. Y out of his digital life. This isn’t an isolated incident. In Nigeria’s increasingly connected world, SIM cards are no longer just tools for making calls or sending texts; they’ve become digital lifelines. From banking and messaging to authentication and national identity systems, the average phone number now holds the keys to a person’s digital footprint. Yet, telecom operators continue to recycle inactive SIM cards, deactivating and reassigning them without adequately warning users or severing previous digital connections.
As mobile fraud surges and critical services rely heavily on phone-based verification, SIM recycling has become a dangerous and often invisible gateway to identity theft, impersonation, and significant financial loss.
SIM recycling refers to the practice by mobile network operators (MNOs) of deactivating and reassigning numbers that remain unused for a specified period, typically 180 days. In Nigeria, the Nigerian Communications Commission (NCC) sanctions this practice to manage the country’s limited pool of mobile numbers.
Once a line is deemed dormant, it is recycled and issued to a new subscriber, with no obligation to inform or protect the previous owner. Telecom providers defend this policy as a necessity. With over 200 million citizens and millions of new mobile connections registered annually, the recycling of dormant lines is seen as a way to maintain network efficiency and subscriber growth. Inactive numbers, from their perspective, represent missed revenue and unused infrastructure.
However, what telcos view as business optimization comes at a significant cost to users who are kept in the dark about the true implications of number loss. Unfortunately, many subscribers are unaware that losing access to a SIM could mean far more than just missing calls; it could mean losing control over their entire digital identity. Phone numbers are now deeply embedded in the architecture of social media platforms, mobile banking apps, email services, and government databases. Without proper warnings or offboarding procedures, telcos are handing over live credentials to new users, often with full access to their predecessors’ sensitive information.
The risks of SIM recycling go far beyond inconvenience. One of the most immediate threats is OTP (One-Time Password) interception. Most Nigerian banks and digital platforms rely on SMS-based OTPs for verifying logins and authorizing transactions. If a recycled number still receives these codes, the new owner could unknowingly or maliciously gain access to the former user’s private accounts.
WhatsApp hijacking is another major concern. Because WhatsApp automatically links accounts to phone numbers, inserting a recycled SIM into a phone can instantly trigger account access. Unless the original user had enabled two-factor authentication, the app may sync messages, contacts, and backups to the new device, exposing private data.
The banking sector is especially vulnerable as well. Recycled numbers can be exploited to reset mobile banking credentials, receive transaction alerts, or gain access through USSD codes. Fraudsters have been known to deliberately acquire secondhand SIMs, hunting for any links to dormant accounts. Victims often only discover the breach when money disappears or when their accounts are frozen due to suspicious activity.
Social media platforms and email services are not exempt. They frequently use mobile numbers as recovery methods, sending password reset codes via SMS. Once a number is recycled, a new user could receive these codes, gaining unauthorized access to someone else’s Facebook, Instagram, or Gmail account. For influencers, entrepreneurs, or professionals, this isn’t just a privacy issue; it’s a threat to business, reputation, and livelihood.
The dangers of SIM recycling first gained widespread national attention in 2020, when Mr. Anthony Okolie, a trader in Delta State, was detained for ten weeks by the Department of State Services (DSS). He had unknowingly activated a SIM card previously assigned to Hanan Buhari, daughter of Nigeria’s former president. Though he had no criminal intent, Mr. Okolie was swept into a national security investigation simply because of a recycled number. The case, which ignited public outrage, pushed the NCC to finally clarify its SIM reassignment policy.
However, that response exposed a deeper problem: regulatory inertia masked as reform. Instead of proactively alerting the public or creating safeguards, the NCC’s policy clarification came only after a political embarrassment. It was damage control, not foresight. And like many policies in Nigeria, it came too late for the person it affected most. Since then, similar incidents have continued across the country. In Ilorin, an anonymous source revealed that he routinely receives bank alerts and birthday messages intended for someone else, linked to a number reassigned to him. At least three others have reported the same. Just last week, a new SIM buyer tried to open a Facebook account, only to find it was still tied to a previous owner. With no extra verification, he accessed chats, contacts, and even private photos. These aren’t isolated cases; they’re signals of a systemic failure.
Responsibility for this growing crisis is shared by several players. The Nigerian Communications Commission (NCC), as regulator, falls short. While it permits SIM recycling under its guidelines, its rules are vague and insufficient. There’s no mandated grace period, no public registry of recycled numbers, and no obligation to ensure previous digital ties are severed before reassignment. This regulatory blind spot has left millions of Nigerians vulnerable, often without their knowledge. Telecom providers, including MTN, Airtel, Glo, and 9mobile, also reassign dormant numbers with little concern for the lingering digital trails attached. Despite profiting from reissued lines, they rarely notify former users or enforce security buffers that could mitigate risk.
To protect users and build a truly secure digital economy, immediate action is required from all stakeholders. First, telecom operators must prioritize timely and direct communication. Before deactivating any inactive number, telcos should make multiple attempts to notify the original owner via SMS, email, alternate contact numbers, or even national identity records. Once notification has been served, there should be a mandatory “cooling-off” period, ideally 90 days. During this window, sensitive messages like OTPs and recovery codes should be blocked, allowing the previous user adequate time to delink their digital accounts and reclaim the number if desired. This approach ensures both transparency and security in the reassignment process.
On the policy front, the NCC must step up. It should establish a centralized database or API service that banks and digital platforms can use to check whether a number has been recently recycled. Additionally, a regulatory audit trail that logs number ownership history, akin to SIM-NIN tracking, would provide crucial transparency and prevent avoidable breaches. Furthermore, platform providers must diversify their security protocols. Phone numbers should no longer serve as the default recovery or identity tool. Platforms should implement multi-factor authentication, support authentication apps like Google Authenticator, and require users to confirm identity with more than just a mobile line.
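The check a bank or platform could run against such a registry before sending an OTP or recovery code, combined with the 90-day cooling-off window proposed above, can be sketched as follows. This is an added example, not code from the article or from any operator or regulator; the registry, its record fields, the reason strings and the phone numbers are all hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

COOLING_OFF = timedelta(days=90)  # cooling-off window proposed in the article

@dataclass
class NumberRecord:
    """Hypothetical registry answer for one phone number."""
    deactivated_on: Optional[date] = None  # line declared dormant and switched off
    reassigned_on: Optional[date] = None   # line issued to a new subscriber

# Constructed sample registry contents; the numbers are made up.
REGISTRY = {
    "+2348000000001": NumberRecord(),                                   # never recycled
    "+2348000000002": NumberRecord(date(2025, 1, 10), date(2025, 5, 2)),  # recycled
    "+2348000000003": NumberRecord(date(2025, 5, 20)),                  # deactivated only
}

def sms_otp_decision(number, verified_on, today, registry=REGISTRY):
    """Decide whether an SMS code may be sent to `number` for an account
    whose holder last proved control of that number on `verified_on`.
    Returns (allow, reason); on a deny the platform falls back to another
    factor such as an authenticator app."""
    rec = registry.get(number)
    if rec is None:
        # Assumption: a number the registry cannot vouch for fails closed.
        return False, "unknown_number"
    # The number changed hands after the account holder verified it, so
    # whoever receives the SMS now is not the person who enrolled it.
    if rec.reassigned_on and rec.reassigned_on >= verified_on:
        return False, "reassigned_since_verification"
    # The line was switched off after verification and not yet reissued.
    if rec.deactivated_on and rec.deactivated_on >= verified_on:
        if today - rec.deactivated_on <= COOLING_OFF:
            return False, "cooling_off"
        return False, "deactivated"
    return True, "ok"

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for num, verified in [("+2348000000001", date(2024, 1, 1)),
                          ("+2348000000002", date(2023, 3, 1)),
                          ("+2348000000002", date(2025, 5, 10)),
                          ("+2348000000003", date(2024, 1, 1))]:
        print(num, verified, sms_otp_decision(num, verified, today))
```

The comparison is against the account's own verification date rather than a fixed "recently recycled" window, so a new subscriber who verifies the number after reassignment is still served while the previous owner's accounts stop trusting it.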
Finally, public education campaigns, led jointly by government, telcos, and civil society, are essential to inform users about the risks of losing a SIM and the immediate steps to take afterward.
If Nigeria is serious about building a secure digital economy, it must start by protecting the very thing that connects us all: our numbers. Until that happens, the SIM card you lost last year might still be out there, living a life you no longer control.
Shuaib S. Agaka, a tech journalist, writes from Kano State.