A Verification Code You Didn't Request Means Someone Has Your Password

An unrequested one-time code usually means someone is trying to log into your account, and the follow-up call asking you to read the code is the actual theft. What to do in the next ten minutes.

By the StoryCheck Team6 min read

A one-time verification code arriving out of nowhere means someone entered your phone number, and usually your password too, on a real login page. The code itself proves the site's security is working; it is the last wall. Which is why the scam that follows is always some variation of a person, by text or call, asking you to read the code back. Nobody legitimate will ever ask. The moment you share it, the wall is gone and the account is theirs.

A suspicious phishing email open on a laptop
An unrequested code means the password wall already fell.

What the unrequested code tells you

One stray code can be a typo by a stranger with a similar number. A code from a service where you hold an account, especially paired with a password-reset email or a follow-up message, means your credentials are in someone's hands, likely from an old breach. Treat the code as a smoke alarm: the fire is the password, and it is probably reused on other doors.

The ten-minute response

1

Never share the code

Not with callers, not by text, not with 'support'. There are no exceptions in any legitimate process.

2

Change that account's password now

From your own device, through the app or typed address. If the password repeats elsewhere, change those too, email first.

3

Turn on app-based two-factor

Authenticator apps beat SMS codes, and both beat nothing. Do it while you are in the settings.

4

Check who contacted you

If a number texted or called asking about the code, run it through a reverse lookup and report it. That trail helps the next target.

When codes keep coming

A burst of codes from many services is credential-stuffing: your email-password pair from a breach being tried everywhere in an automated run. Change the shared password and the noise stops. A burst of codes from your phone carrier specifically deserves a call to the carrier, since it can precede a SIM-swap attempt, where the attacker moves your number to their SIM to receive codes themselves.

Run a private check on any phone number

Get a 60 second report with possible owner, line type, location signals, and risk indicators. The phone owner is not notified.

Run a check

Frequently asked questions

I got a code but no one asked me for it. Am I safe?

Probably, if it stops at one. The login attempt failed at the code wall. Still change that account's password, because the attempt usually means it is known, and enable two-factor if it was off.

Why would Google or Apple text me a code I didn't request?

Because someone entered your number or username on their real login page. The company is doing its job; the person triggering it is the problem. The code being genuine is exactly why sharing it is dangerous.

Can I find out who tried to log in?

The service's security page often shows the attempt's location and device. If a phone number contacted you around the same time, a reverse lookup on it shows the line type and any reports; that number is the human end of the attempt.

Related articles

Check the number. Know more.

Run a private 60 second report. The phone owner will not be notified.

Start your check
Got a Verification Code You Didn't Request? Someone's Trying to Log In 路 StoryCheck