We examined the security and privacy risks of phone number recycling in the United States. We sampled 259 phone numbers available to new subscribers at two major carriers, and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. We also found design weaknesses in carriers' online interfaces and number recycling policies that could facilitate attacks involving number recycling. We close by recommending steps carriers, websites, and subscribers can take to reduce risk.