On Thursday, T-Mobile confirmed that some of its customer data was breached in an attack the company discovered on Monday. It's a snappy disclosure timeframe, and the carrier said that no financial data or Social Security numbers were compromised in the breach. A relief, right? The problem is the customer data that was potentially exposed: name, billing zip code, email address, some hashed passwords, account number, account type, and phone number. Pay close attention to that last one.

The cumulative danger of all of these data points becoming exposed—not just by T-Mobile but across countless breaches—is that it makes it easier for attackers to impersonate you and take control of your accounts. And while the passwords are bad news, perhaps no piece of standard personal information has more value than your phone number.

That's because phone numbers have become more than just a way to contact someone. In recent years, more and more companies and services have come to rely on smartphones to confirm—or "authenticate"—users. In theory, this makes sense; an attacker might get your passwords, but it's much harder for them to get physical access to your phone. In practice, it means that a single, often publicly available, piece of information gets used both as your identity and a means to verify that identity, a skeleton key into your entire online life. Hackers have known this, and profited from it, for years. Companies don't seem interested in catching up.


Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.

"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can’t be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public."

Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.

The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker convinces your carrier to move your phone number onto a SIM card they control. From then on, the two-factor codes that services send to that number by SMS go to the attacker instead, along with any other calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.

"The issue being exposed with SIM swaps is that if you control the phone number you can take over the authenticator," Grant says. "A lot of it gets to the same issue we run into with Social Security numbers, which is leveraging the same number as both an identifier and authenticator. If it’s not a secret, then you can’t use it as an authenticator."

It's a tangle. But it doesn't have to be like this. Thomas Hardjono, a secure identities researcher at MIT's Trust and Data Consortium, points to credit card numbers: identifiers that are authenticated with a chip plus a PIN or a signature. The financial industry realized decades ago that the system wouldn't work if it wasn't relatively easy to change credit card details after they were exposed. You can get a new credit card as needed; changing your phone number can be incredibly inconvenient. As a result, phone numbers become more and more at-risk the longer you hold them.


So if you're looking for an alternative to the phone number, start with something more easily replaceable. Hardjono suggests, for example, that smartphones could generate unique identifiers by combining a user's phone number with the IMEI device ID number assigned to every smartphone. That identifier would be valid for the life of the device, and would naturally change whenever you got a new phone. If you needed to change it for whatever reason, you could do so with relative ease. Under that system, you could continue to give out your phone number without worrying about what else it might affect.
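To make the identifier-versus-authenticator distinction concrete, here is an added example sketching Hardjono's phone-plus-IMEI idea, with one caveat a practitioner would add. This is illustrative code written for this page, not anything from T-Mobile, the Better Identity Coalition or MIT, and the scheme (a per-device secret feeding an HMAC over phone number and IMEI, the `enroll`/`verify` functions, and the sample phone number and IMEIs) is an assumption for the demo, not a standard. The point it shows: a plain hash of phone number and IMEI can be recomputed by anyone who learns both values, so it is still only an identifier; keying the derivation with a secret that never leaves the handset is what turns it into something that can be presented as proof of possession, and the value still rotates naturally when the IMEI changes.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demo; not real subscribers or devices.
# 490154203237518 is the IMEI used in many GSM examples; both IMEIs pass Luhn.
SAMPLE_PHONE = "+15555550100"
SAMPLE_IMEI_OLD = "490154203237518"
SAMPLE_IMEI_NEW = "352099001761481"


def imei_is_valid(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is a valid Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_device_id(phone: str, imei: str) -> str:
    """Unkeyed combination of phone number and IMEI.

    Anyone who learns both inputs (the carrier, a retailer, an app that can
    read the IMEI) can recompute this value, so it remains an identifier only.
    """
    return hashlib.sha256(f"{phone}|{imei}".encode()).hexdigest()


def device_bound_id(phone: str, imei: str, device_secret: bytes) -> str:
    """Hypothetical keyed derivation: still bound to phone + IMEI, but only the
    handset holding device_secret can produce it, so presenting it proves
    possession of that device rather than just knowledge of public facts."""
    if not imei_is_valid(imei):
        raise ValueError("malformed IMEI")
    msg = f"{phone}|{imei}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def enroll(phone: str, imei: str, device_secret: bytes) -> dict:
    """Service-side record created when the device is first registered."""
    return {"phone": phone, "device_id": device_bound_id(phone, imei, device_secret)}


def verify(record: dict, presented_id: str) -> bool:
    """Service-side check; constant-time compare to avoid timing leaks."""
    return hmac.compare_digest(record["device_id"], presented_id)


def demo() -> dict:
    secret = secrets.token_bytes(32)            # generated on, and kept by, the device
    record = enroll(SAMPLE_PHONE, SAMPLE_IMEI_OLD, secret)

    # Same handset, same secret: verification succeeds.
    same_device = verify(record, device_bound_id(SAMPLE_PHONE, SAMPLE_IMEI_OLD, secret))

    # An attacker who has the (public) phone number and has also learned the
    # IMEI can reproduce the naive id exactly, but not the keyed one.
    naive_recomputable = (
        naive_device_id(SAMPLE_PHONE, SAMPLE_IMEI_OLD)
        == naive_device_id(SAMPLE_PHONE, SAMPLE_IMEI_OLD)
    )
    attacker_guess = device_bound_id(SAMPLE_PHONE, SAMPLE_IMEI_OLD, secrets.token_bytes(32))
    attacker_passes = verify(record, attacker_guess)

    # New handset: the IMEI changes, so the identifier rotates and the old
    # enrollment no longer matches until the user re-enrolls the new device.
    new_device_id = device_bound_id(SAMPLE_PHONE, SAMPLE_IMEI_NEW, secret)
    old_record_matches_new = verify(record, new_device_id)

    return {
        "same_device": same_device,
        "naive_recomputable": naive_recomputable,
        "attacker_passes": attacker_passes,
        "old_record_matches_new": old_record_matches_new,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the phone number is never used as a secret here: it can be printed on a business card, and the only thing that must stay private is the per-device key. That is exactly the separation Grant describes, and it is what SMS-based codes lack, since the number that identifies you is also the channel that vouches for you.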