I'm pretty sure that "have access to someone's account number once" => "have access to past and future traffic usage forever" is not good security practice regardless if there are or are not obvious vulnerabilities, and you really don't have to think very hard to construct a scenario where it can be abused.