Quick answer: A thief cannot pull your eSIM out and sell it — it is written into the phone's chip and locked behind your passcode, which makes it far safer than a physical SIM. The trade-off is that you cannot rescue it by swapping a card into a spare phone either. In the first hour, do this: put the phone in Lost Mode but do not erase it yet, get your home number reissued so your two-factor codes can reach you, then file a police report. Erasing too early is the mistake that turns a stolen phone into a locked-out bank account.
Nobody plans for this. You put your phone on the café table in Barcelona, or your bag goes missing on the overnight train, and suddenly the device holding your boarding pass, your bank app and your only working phone number is gone. If your connectivity was an eSIM rather than a plastic SIM card, the next few hours work differently — in some ways much better, in one way considerably worse. Here is exactly what happens, and the order to do things in.
Can someone steal or use my eSIM?
Practically, no. This is the genuine security advantage of an eSIM, and it is worth understanding why.
A physical SIM is a removable card. A thief pops the tray with a paperclip, moves your card into their own phone, and now they receive your calls and SMS — including the one-time codes your bank sends. It takes about ten seconds and no technical skill.
An eSIM is not a card. It is a profile written into a soldered-in chip called the eUICC, and it is tied to that specific device. There is no tray to open. To reach the profile at all, a thief needs to get past your lock screen first, and on a modern phone removing or transferring an eSIM requires the device passcode or biometrics. There is no equivalent of "swap the card into a burner phone."
An eSIM profile also cannot be cloned in the way people imagine. The credentials are provisioned into secure hardware and are not exportable — you cannot read one off a phone and write it onto another. We cover the wider picture in <a href="/blog/is-esim-safe-security-privacy">is an eSIM safe?</a>
The practical upshot: with a stolen eSIM phone that has a decent passcode, your number is not immediately compromised. With a stolen physical SIM, assume it is.
So what is the downside?
The same thing that protects you also traps your plan.
Because the profile lives inside the stolen device, you cannot move it to a replacement phone by moving a piece of plastic. Recovering a line means reissuing it — a new profile has to be provisioned onto the new device.
And a travel eSIM QR code is effectively single-use. This is not a provider policy choice but a property of the GSMA specification that governs eSIM: a profile is cryptographically bound to one specific chip at the moment it installs, and once installed it cannot be downloaded again. The QR code in your email is not a spare key, and no screenshot of it changes that.
That matters at the worst possible moment, because you are standing in a foreign city with a borrowed or newly bought phone and no data. (Moving a plan between devices you still own is a different and much easier problem — see <a href="/blog/how-to-transfer-esim-between-devices">how to transfer an eSIM between devices</a>.)
Do this first — the order matters
The sequence below is deliberate. Doing step 5 early is the single most common way people make this much worse.
1. Lock the device — do not erase it. From any browser or a friend's phone, sign in to Find My (Apple) or Find Hub / Find My Device (Android) and put the phone into Lost Mode. This locks the screen, displays a contact message, and keeps location reporting alive.
2. Leave the erase button alone for now. See the section below on why.
3. Get your home number back. Contact your home carrier and have them suspend the stolen line and reissue it to a replacement device or spare phone. This is urgent, and not because of call costs — it is because your bank, your email and your airline all send verification codes to that number.
4. File a police report. You need it for travel insurance and for any bank dispute. Ask for a copy or a reference number, and give them the IMEI if you have it recorded. Reporting the IMEI is what lets carriers blacklist the handset so it cannot be used on local networks.
5. Change the passwords that matter. Email first — it is the reset path for everything else. Then banking, then anything holding payment cards.
6. Only now consider erasing. Once you have your number back and you are confident the phone is not coming back, remote-wipe it.
Why "Erase my phone" is the button to think twice about
This is the part almost no guide mentions, and being honest about it means admitting some genuine uncertainty.
When you erase a phone that is *in your hands*, Apple gives you an explicit choice to keep or delete the eSIM, and warns that deleting it means contacting your carrier to reactivate the plan. When you erase *remotely*, neither Apple nor Google documents what happens to the eSIM profile at all. On Android, the system flag that wipes eUICC data is a separate opt-in, which suggests a wipe need not remove it — but no platform commits to a public answer.
That uncertainty is itself the argument for not rushing. Three things are clear:
- It cannot be undone. Apple's own guidance is to make sure you have tried everything else first, precisely because erasing cannot be reversed.
- Tracking behaviour differs by platform. Apple says an erased device can still be located. Google says the opposite — once erased, the location is no longer available in Find Hub. So on Android in particular, erasing really does end the search.
- Lost Mode already protects you. It locks the device behind your passcode immediately. The urgent protection is the lock; the wipe is a separate and permanent decision you can take later.
The right instinct is: lock immediately, erase deliberately. If the phone holds something genuinely sensitive and you would rather destroy it than risk it, wipe it — that is a legitimate call. Just make it as a decision rather than a panic reflex, and if your home number was an eSIM on that phone, get the line reissued first.
The two-factor trap — and why it is usually breakable
Here is the scenario people fear. Your home SIM was an eSIM, your travel data was an eSIM, both lived on the stolen phone, and your bank sends its login code by SMS to a number you can no longer receive. You cannot log in to check your cards, and you cannot easily pay for the replacement phone that would fix everything.
The reassuring news is that the carrier half of this loop is usually solvable. Many operators let you download a replacement eSIM yourself, from their app or website, once you are signed in to your account — EE and O2 both document exactly this for a lost or stolen device, and a number of other carriers offer the same. If you can reach your carrier account from any borrowed device, you can often restore your own number without the old phone and without visiting a shop.
Policies differ, though. Some carriers still require a phone call, a posted SIM, or ID shown in person — which is precisely the awkward case when you are thousands of miles away. Worth checking yours before you travel rather than discovering it afterwards.
The harder wall is usually one level up: your Apple or Google account. Apple states plainly that if your iPhone is your only trusted device and holds your only trusted number, you will not receive verification codes, and account recovery can take several days with no way to speed it up. If you have an Apple recovery key and cannot produce it, that lockout can be permanent. Google's recovery similarly runs to days and asks you to be somewhere you normally sign in — which a hotel abroad is not.
If you use an authenticator app rather than SMS you are in a far better position, provided its backup was enabled. Check which one you use, though: some authenticators still require a code sent to your original number before a backup can be restored, which puts you right back in the loop.
Getting back online in the next hour
You need data before you can fix anything else. Options, roughly in order of speed:
- A spare phone in your luggage. Even an old handset turns this from a crisis into an errand. One important caveat, though: you cannot pre-install the *same* eSIM on it as insurance. A profile installs to exactly one chip, so a backup device needs its own separate plan — bought in advance, and ideally left uninstalled until you actually need it.
- Hotel or café Wi-Fi. Enough to reach Find My, your carrier and your email. Avoid doing banking on open Wi-Fi where you can.
- A travelling companion's hotspot. Fastest route to getting a new eSIM installed on a replacement device.
- A newly bought phone. In most cities you can buy an unlocked handset the same day. Because a travel eSIM is delivered digitally, you can be online within minutes of powering it on — no shop queue, no paperwork, no local ID requirement. Check the handset supports eSIM first on our <a href="/compatibility">compatibility page</a>, and see <a href="/how-it-works">how it works</a> for the install steps.
That last point is the quiet advantage of eSIM in this whole mess: replacing the *phone* no longer means replacing the *connection*.
eSIM vs physical SIM when your phone is stolen
| Physical SIM | eSIM | |
|---|---|---|
| Thief can remove and reuse the line | Yes, in seconds | No — bound to the device |
| Protected by your passcode | No | Yes |
| Can be cloned onto another handset | Historically a real risk | Not practically |
| Move your plan to a spare phone | Easy — move the card | Requires reissuing the profile |
| Reinstall from your original QR code | N/A | Usually not — most are single-use |
| Get a replacement line while abroad | Local shop, ID, possibly a queue | Digital, minutes, no shop |
| Risk of losing the line to a remote wipe | None | Real — wipe removes profiles |
Seven things to do before your next trip
These take about fifteen minutes at home and change the entire outcome.
- Record your IMEI somewhere that is not your phone. Dial `*#06#` to display it, and save it to your email or a password manager. Without it, the police report and the carrier blacklist are much harder.
- Turn on Find My / Find Hub and confirm it actually works before you fly.
- Move two-factor off SMS where you can, onto an authenticator app with cloud backup enabled. This is the single highest-value change on this list.
- Set a real passcode. Six digits or alphanumeric, not 0000. Everything above depends on the lock screen holding.
- Bring or plan for a second device — an old phone, or at minimum know that you can buy one and be online immediately with a digital plan.
- Save your provider's account login, not just the QR email. If your plan can be reissued at all, it will be through your account, and the account is what you will need on a new device.
- Turn on Stolen Device Protection if you have an iPhone (iOS 17.3 or later). When you are away from familiar locations it requires Face ID or Touch ID — with no passcode fallback — before anyone can set up or transfer an eSIM, turn off Lost Mode, or erase the device. That closes the gap where a thief who watched you type your passcode can undo everything. Android has a narrower equivalent under Settings → Security → Confirm SIM deletion. Both must be switched on before the theft to be any use.
What about the travel eSIM itself?
Whether an unused travel plan can be moved to a replacement device depends entirely on the provider, and policies genuinely differ — some will reissue a profile to a new device on request, some will not, and some allow it only if the plan was never activated. There is no universal rule here, so do not assume either way.
What you can do is ask before you buy. A provider that supports reissuing a profile after device loss, and that keeps your plans in an account rather than only in a one-time email, is meaningfully more useful in an emergency. If you are already travelling, contact support with your order reference — that is the fastest path, and it is one of the things a real support team is for.
Frequently asked questions
Can a thief use my eSIM data plan? Not without getting past your lock screen. The profile is tied to the device and removing or transferring it requires your passcode or biometrics, so unlike a physical SIM there is nothing to pop out and drop into another phone.
Should I erase my stolen phone immediately? Lock it immediately; erase it deliberately. Lost Mode already protects your data behind the passcode, and erasing cannot be undone. On Android an erase also ends location tracking, and neither Apple nor Google documents what a remote erase does to your eSIM profiles. Wipe once you have your number back and recovery genuinely looks hopeless.
Can I reinstall my travel eSIM on a new phone using the same QR code? No. Under the GSMA specification that governs eSIM, a profile is bound to one specific chip when it installs and cannot be downloaded again afterwards — so the old QR code will not work on a new device, no matter how carefully you saved it. Recovery means the provider issuing a new profile, so contact support with your order reference.
My home number was an eSIM on the stolen phone — how do I get it back abroad? Contact your home carrier and ask them to reissue the line to a replacement device. Do this early, because that number is where your bank and email send verification codes. Having a spare handset makes this dramatically faster.
Does an eSIM protect me from SIM-swap fraud? It removes the physical theft route entirely, since there is no card to steal. It does not protect against social-engineering attacks where someone persuades your carrier to move your number, so a carrier account PIN or port-out lock is still worth setting up.
Will erasing my phone cancel my travel data plan? Erasing does not cancel the plan itself. What it does to the eSIM profile on a remote wipe is not documented by either Apple or Google, but in practice you will not be able to use the remaining data until a profile is reissued to another device — and whether that is possible depends on your provider.
My home number was an eSIM too — can I get it back without the phone? Often yes. Many carriers let you download a replacement eSIM straight from their app or website once you are signed in, which restores your number on a new device without a shop visit. Others still require a call, a posted SIM or ID in person, so it is worth checking your carrier's process before you travel.
What is the very first thing to do? Lock the device from any browser using Find My or Find Hub. It takes under a minute and it is what protects everything else.
*Written by the TripoSIM team — a travel eSIM by BroadNet Technologies, 20+ years connecting travelers worldwide.*
Save 10% on your first eSIM
Enter your email for an instant discount code + occasional travel connectivity tips.
We’ll email your code + occasional travel tips. Unsubscribe anytime.