A bizarre security flaw involving recycled phone numbers is allowing some users of the taxi-hailing app Lyft to access other riders’ accounts, exposing names, e-mail addresses, complete ride histories, and credit card information.

The bug was brought to Ars’ attention by a Lyft user named Felix, who says he signed up for the service for the first time earlier this month. He went through the normal registration process, entering his name, e-mail, credit card, and a new phone number, which was recently assigned to him by T-Mobile.

But Felix realized something was wrong when drivers kept addressing him by someone else’s name—a woman’s name he didn’t recognize. At first, he brushed it off. “I was like, uhh no, it’s Felix. But whatever, you’re here,” he told Ars, recalling some confused moments during his first week using the ridesharing service.

When it kept happening, he decided to investigate, so he opened the app’s settings. It was then that Felix noticed the app had loaded the personal information of another Lyft user from the Boston area: full name, e-mail address, and the type and last four digits of their credit card.

The app also displayed the previous user’s complete ride history, including time-stamped maps of every trip they had ever taken using the app. By looking at patterns in those GPS routes, it would be trivially easy to discover where the former owner of Felix’s phone number lives and works, what bars and gyms they frequent, and much more.

Felix (as provided to Janus Kopfstein)

Like many apps, Lyft doesn’t use traditional passwords, instead authenticating users by having them enter their phone number and then sending an SMS with a verification code to that number. This speeds up the registration process significantly, but it can also lead to serious security problems if the phone number previously belonged to another user—an increasingly likely occurrence given that carriers now routinely recycle numbers from lines that are no longer in use.
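One way a service could stop an SMS code from unlocking a dormant profile on a possibly recycled number, as an added illustration that is not Lyft's code and is not described in the article (the 150-day window, the account records, the device list and the e-mail-confirmation step-up are all assumptions):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Carriers reissue numbers after as little as ~5 months; treat older bindings as
# possibly recycled. The window and all sample values below are constructed.
RECYCLE_WINDOW = timedelta(days=150)
PREVIOUS_USE = datetime(2015, 5, 20)   # prior owner's last ride
SIGNUP = datetime(2016, 1, 15)         # new holder of the number registers

@dataclass
class Account:
    phone: str                  # "" once the number has been released
    email: str
    card_last4: str
    last_seen: datetime
    devices: set = field(default_factory=set)

def sample_accounts():
    """One dormant account on a reissued number, one recently active account."""
    return {
        "+16175550100": Account("+16175550100", "prev.owner@example.com", "4242",
                                PREVIOUS_USE, {"dev-old"}),
        "+16175550101": Account("+16175550101", "active@example.com", "1881",
                                SIGNUP, {"dev-b"}),
    }

def login_decision(accounts, phone, device_id, now):
    """Outcome when the only proof offered is an SMS code sent to `phone`:
    new_account = nothing bound to the number; allow = recently active number on
    a device it has used before; step_up = dormant number or unknown device, so
    the SMS code alone must not open the existing profile."""
    acct = accounts.get(phone)
    if acct is None:
        return "new_account"
    if now - acct.last_seen > RECYCLE_WINDOW or device_id not in acct.devices:
        return "step_up"
    acct.last_seen = now
    return "allow"

def resolve_step_up(accounts, phone, confirmed_email, device_id, now):
    """Second proof: an e-mail address the claimant confirmed (assume a link was
    clicked). Match = returning owner on a new device. Mismatch = the number was
    recycled: release it from the old profile and open a fresh account."""
    acct = accounts[phone]
    if confirmed_email.lower() == acct.email.lower():
        acct.devices.add(device_id)
        acct.last_seen = now
        return "allow"
    acct.phone = ""              # old profile keeps its history, loses the number
    accounts[phone] = Account(phone, confirmed_email, "", now, {device_id})
    return "new_account"
```

In the scenario the article describes, the new holder's e-mail would not match the dormant profile's, so the old rider's name, card and ride history would never be loaded onto the new device.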

Other Lyft users have reported this problem in the past. In a Hacker News post from last year, one user claims to have discovered someone in San Francisco getting free rides off their credit card after the user abandoned a phone number.

A Lyft spokeswoman told Ars that the app has “safeguards in place to prevent unauthorized activity on recycled phones,” but the representative declined to comment on what those safeguards are and did not indicate that the company intends to issue a fix. “We are aware this happens on occasion, though it is extremely rare as there are safeguards in place to prevent unauthorized activity on these recycled phone number accounts,” the Lyft spokeswoman said.

Security experts say it’s not clear that Lyft actually could address the problem under its current system. They warn that cases like this will only become more common and intractable as more and more apps start using phone numbers and other single-factor authentication methods instead of passwords. “It’s become commonplace now to try to improve user convenience by making login/password recovery easier over SMS,” John Adams, a security researcher and former Twitter engineer, told Ars in an e-mail. “This is a poor decision on the part of any app developer.”

Carriers will also undoubtedly continue to reuse phone numbers, attempting to delay the inevitable exhaustion of all possible 10-digit number combinations. Phone companies typically buy and sell phone numbers in large blocks and tend to give them a rapid turnover rate, especially when they’re used for mobile prepaid lines. In 2011, the Federal Communications Commission estimated that 37 million phone numbers are brought back into circulation each year. Previous reports have also shown that decommissioned numbers can be back in use in as little as five months.

This seems to be true in Felix’s case. According to the ride history that appeared on his device, the previous owner of his number last used their Lyft account in May of 2015.

Ars contacted the previous owner of the account to inform them that their information was compromised, but we received no response at the time of publication. To protect this user’s privacy, Ars has chosen to redact any personally identifiable information and avoid publishing location data that could be used to identify them.

“These application vendors should require much more in the way of user authentication before permitting access to the account,” Adams said. “It proves once again that the old adage of ‘security, convenience, cost—you only get two’ still holds true.”