[Andys]

Why the hell were they storing it? just delete it after marking the account as verified.

[viraptor]

Even if it needs to be verified afterwards, the numbers could be bcrypted with high enough iteration count to make them impossible to brute force but easy to verify every few years if necessary... Say 10sec per id?