The content of this piece does not represent the views of my employer. The character names are fictional — though the absurdity is, regrettably, real.
Retirement, I always thought, would come from mutual funds, launching AI startups and owning real estate. But over the years in software, I realized there are other avenues, such as stumbling upon a security bug – the one that makes a company write you a cheque so large that you stop replying to “Hi” on Slack.
On February 17, 2020, I was on my terrace in Mylapore at 8:30 in the morning, holding a brand-new, fully charged phone. I had bought it for exactly one purpose — to ensure the signal or my voice wouldn’t drop during the call. People have children with less preparation.
The call came. University of California, Berkeley. I answered. I tried to sound like I expected it while pacing the terrace in quiet celebration. A week later, my admission letter arrived — along with a free Mint Mobile SIM card. Because nothing says academic prestige like a free phone plan.
I ignored the SIM for one full year until I moved to the US. In Feb 2021, I finally popped it into my phone. I did the usual – shared my new number with friends, added it to a few sites and then added it to the world’s largest marketplace. I didn’t realize something odd was happening.
When I keyed in my new number, it did not show me a sign-up screen. It took me to a sign-in screen and sent me an OTP to sign in. At first, it looked like I had made some bizarre purchases months ago. A torchlight. A long rope. This felt like the opening act of a low-budget murder mystery.
Page two escalated. It featured a Swiss knife, then more knives and gear whose purpose I could not guess. Things you buy when you’re either going camping or going to court. And yes, payment cards attached. The name flashed… let’s say Mr Rupert Green.
I had inadvertently walked into Mr Rupert Green’s digital closet and found his wallet inside.
Enter the recycled SIM
In the U.S., over 40 million phone numbers are recycled. When a number changes hands, it is not entirely detached from its previous owner. And if that owner didn’t enable two-factor authentication, all you need is an OTP and you’re in.
The FCC, which sounds like a committee of men in suits deciding the fate of satellites, actually does something far more terrestrial: it manages the life and death of your phone number. Officially, it regulates interstate and international communications—radio, TV, wire, satellite, cable. But in a corner of its empire, it also runs the NANP, the North American Numbering Plan. Think of it as ICANN’s lesser-known cousin; instead of handing out dot-coms, it hands out ten-digit identities.
There are rules. A phone number can loiter unused for only 45 days before it’s yanked back into circulation. The supply is finite—7.92 billion numbers—and while new area codes sprout like weeds, it is still cheaper, easier, and vaguely satisfying to recycle than to exhaust the pool. So, FCC policy demands that carriers do exactly that: pry numbers from the hands of the absent and give them to the next willing soul. Somewhere, a stranger’s old number is waiting to become yours, along with their debt collectors and exes.
It also occurred to me that somebody with looser morals might already be running a small business around this. Step one: procure as many recycled SIMs as possible. Step two: quietly inherit the shopping carts, banking apps, and digital lives of strangers.
By the way, in California, using that access could technically be prosecuted as identity theft – the sort of thing that can get you three years in prison. Which means for a full 15 minutes, I was one click away from either early retirement or a criminal record. Possibly both.
I reported the incident through the company’s famous bug bounty program. They had reward tiers, but mine was in a category above “critical”. It was in the “buy a house in Atherton and never work again” category.
It also took me several attempts with customer support to explain that I was not interested in Mr. Green’s knife collection and to get my number disassociated from his shopping account.
Several years later, I received a note from the bug bounty program saying they were happy I reported the bug, but that it had already been reported by someone else before me. Pffffff. I am not sure if I should be amazed they actually responded after several years or disappointed they robbed me of my retirement money.
They quietly made MFA compulsory which lowered the odds so much that no one could justify fixing the root problem. In corporate-speak, they reduced the probability instead of removing the problem.
This is how billion-dollar companies fail. We imagine elite engineers; I suspect two underpaid interns, one of whom thinks “MFA” is a type of university degree. Somewhere in that building, a team probably printed “We Care About Security” mugs while I was holding Mr. Green’s bank cards.
Later I discovered Mr. Green had also gone to the same university and had been a prof. Which makes me suspect Mint Mobile reserved certain numbers for their student activation program, recycling them back into the university pool…so every new student got mentor-matched whether they liked it or not.
People shy away from reporting bugs – the unglamorous work of cleaning up other people’s mess. But it builds product intuition – the ability to sense where a system will fail before it does. Knowing systems so deeply that you can smell the exact point where a problem is quietly forming, and because of that, anticipating user needs better.
And what is a user need, anyway, if you cannot contour it into every crevice of your systems and present it as a feature – unless it first comes out as a bug.
