diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
index 262c958f4..35cc5caa5 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
@@ -285,7 +285,7 @@ public class AccountController {
 long timeRemaining = TimeUnit.DAYS.toMillis(7) - (System.currentTimeMillis() - existingAccount.get().getLastSeen());
 Optional credentials = existingAccount.get().getRegistrationLock().isPresent() && existingAccount.get().getRegistrationLockSalt().isPresent() ?
- Optional.of(backupServiceCredentialGenerator.generateFor(number)) :
+ Optional.of(backupServiceCredentialGenerator.generateFor(existingAccount.get().getUuid().toString())) :
 Optional.empty();
 if (Util.isEmpty(accountAttributes.getPin()) &&
diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureBackupController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureBackupController.java
index 2bf52cf40..310ef3b50 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureBackupController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/SecureBackupController.java
@@ -26,6 +26,6 @@ public class SecureBackupController {
 @Path("/auth")
 @Produces(MediaType.APPLICATION_JSON)
 public ExternalServiceCredentials getAuth(@Auth Account account) {
- return backupServiceCredentialGenerator.generateFor(account.getNumber());
+ return backupServiceCredentialGenerator.generateFor(account.getUuid().toString());
 }
 }
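Review bot: The new `generateFor(existingAccount.get().getUuid().toString())` call in the ternary dereferences the account UUID with no guard, so an account record without a UUID would turn the registration-lock response into an unhandled NullPointerException; whether such records can exist is not visible in this hunk. The same unguarded `getUuid().toString()` appears in `getAuth` in SecureBackupController. If every stored account is guaranteed a UUID, say so next to the call, e.g. `// credential username is the account UUID; guaranteed non-null for stored accounts`; otherwise check it before the ternary. The enclosing method starts and ends outside the hunk.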
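Review bot: `getAuth` has no Javadoc, and with this change the identifier embedded in the issued credentials becomes the account UUID instead of the phone number, which is a contract the backup service relies on. Add a doc comment such as `/** Issues backup-service credentials whose username is the account UUID, not the phone number. */`. Whether the backup service maps the UUID and the earlier number-based username to the same user is not visible here and should be stated where the contract is documented.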
diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
index 7f07e3472..75626153b 100644
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
@@ -50,6 +50,7 @@ import java.security.SecureRandom;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Optional;
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
@@ -68,6 +69,8 @@ public class AccountControllerTest {
 private static final String SENDER_PREAUTH = "+14157777777";
 private static final String SENDER_REG_LOCK = "+14158888888";
+ private static final UUID SENDER_REG_LOCK_UUID = UUID.randomUUID();
+
 private static final String ABUSIVE_HOST = "192.168.1.1";
 private static final String RESTRICTED_HOST = "192.168.1.2";
 private static final String NICE_HOST = "127.0.0.1";
@@ -150,6 +153,7 @@ public class AccountControllerTest {
 when(senderRegLockAccount.getRegistrationLock()).thenReturn(Optional.of(registrationLockCredentials.getHashedAuthenticationToken()));
 when(senderRegLockAccount.getRegistrationLockSalt()).thenReturn(Optional.of(registrationLockCredentials.getSalt()));
 when(senderRegLockAccount.getLastSeen()).thenReturn(System.currentTimeMillis());
+ when(senderRegLockAccount.getUuid()).thenReturn(SENDER_REG_LOCK_UUID);
 when(pendingAccountsManager.getCodeForNumber(SENDER)).thenReturn(Optional.of(new StoredVerificationCode("1234", System.currentTimeMillis(), null)));
 when(pendingAccountsManager.getCodeForNumber(SENDER_OLD)).thenReturn(Optional.of(new StoredVerificationCode("1234", System.currentTimeMillis() - TimeUnit.MINUTES.toMillis(31), null)));
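Review bot: `SENDER_REG_LOCK_UUID = UUID.randomUUID()` gives the fixture a different value on every run, so a failing assertion prints an identifier that cannot be matched against an earlier run. A fixed value keeps failures comparable, e.g. `private static final UUID SENDER_REG_LOCK_UUID = UUID.fromString("00000000-0000-0000-0000-000000000001");` (constructed sample value).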
@@ -608,9 +612,9 @@ public class AccountControllerTest {
 RegistrationLockFailure failure = response.readEntity(RegistrationLockFailure.class);
 assertThat(failure.getBackupCredentials()).isNotNull();
- assertThat(failure.getBackupCredentials().getUsername()).isEqualTo(SENDER_REG_LOCK);
+ assertThat(failure.getBackupCredentials().getUsername()).isEqualTo(SENDER_REG_LOCK_UUID.toString());
 assertThat(failure.getBackupCredentials().getPassword()).isNotEmpty();
- assertThat(failure.getBackupCredentials().getPassword().startsWith(SENDER_REG_LOCK)).isTrue();
+ assertThat(failure.getBackupCredentials().getPassword().startsWith(SENDER_REG_LOCK_UUID.toString())).isTrue();
 assertThat(failure.getTimeRemaining()).isGreaterThan(0);
 verifyNoMoreInteractions(pinLimiter);
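Review bot: The updated assertions check that the username and the password prefix equal the UUID, but nothing asserts that the phone number no longer appears in the issued credentials, which appears to be the intent of the change. Add `assertThat(failure.getBackupCredentials().getPassword()).doesNotContain(SENDER_REG_LOCK);` after the `startsWith` check. The diff also shows no test for the matching change in `SecureBackupController.getAuth`; if none exists elsewhere, one asserting the UUID username would cover it. The test method starts and ends outside the hunk.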