by slantedview 3891 days ago
But it is secure information. If I recall, last 4 digits were part of how the CIA chief's e-mail was hacked recently.

No, it's not secure information.

Any time you use last-4 as something secure, you're doing it wrong.

As mentioned above, last-4 is sent by email frequently, and email passes, unencrypted, through intermediate servers all over the Internet. Any compromised host can observe all of the email that passes through it.

Any process that uses last-4 to unlock a password or otherwise as a secure token is broken by design.

Any time you use last-4 as something secure, you're doing it wrong.

It's not a question of what I use those digits for, it's a question of what everyone else uses them for.