So now hackers can use your phone's sensors to steal your PIN number

The sensors that come standard in most smartphones are surprisingly precise.
By Jack Morse

Yeah, so this isn't good.

What if the very act of tapping your smartphone's passcode was all it took to expose that code to hackers?

Are you sitting down right now? You should probably sit down.

Remember that story on how fingerprint locks on smartphones can be duped? And that Samsung's facial recognition system can be tricked with a photo of a person?

Well, as more and more of our personal data is stored on smartphones, the ways of securing those phones continue to be revealed as less and less robust. Next on the chopping block is your trusty PIN.

Modern smartphones come equipped with tons of sensors: cameras, microphones, GPS, accelerometers, gyroscopes, etc. According to a new study published in the Journal of Information Security and Applications, this data in aggregate is precise enough to determine what actions a user is taking with her phone — right down to the password she taps to unlock it.

A little malicious code plus the sensors that come standard on most smartphones is apparently all that it takes these days to render your phone's security moot.

The study authors haven't found this attack in the wild, but rather demonstrated that it works. Which, frankly, is scary enough. As WikiLeaks' dump of alleged CIA hacking tools has shown, known attacks have a way of getting passed around.

"Our study confirms that embedded JavaScript code can compromise user sensitive information by listening to the side channel data provided by the motion and orientation sensors without any user permission, through an inactive tab, iframe, or minimised browser (even when the screen of the mobile phone is locked)," wrote study co-author Dr. Maryam Mehrnezhad on the Newcastle University blog. "We demonstrate the practicality of this attack by collecting data from real users and reporting high success rates, up to 70% identification of digits (PIN) in Android and 56% in iOS."

A lot of browsers are susceptible, including Chrome, Firefox, and Safari. That means you don't even have to click a weird link or download a strange file to accidentally leak your taps to a malicious hacker or government official.
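
A defensive check for the embedded-script and iframe vector described above, added here as an example and not taken from the article or the study: it audits a site's `Permissions-Policy` response header for the `accelerometer`, `gyroscope` and `magnetometer` features, which browsers that implement the header use to gate motion and orientation sensor access for a page and its frames. The header-based mitigation, the function names and the sample header values are assumptions of this example; the article itself names no mitigation.

```javascript
// Added example: audit a Permissions-Policy header value for the sensor
// features behind devicemotion / deviceorientation events.
// Simplified parser: handles `f=()`, `f=*` and `f=(self "https://a.example")`.
const MOTION_FEATURES = ["accelerometer", "gyroscope", "magnetometer"];

function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const member of headerValue.split(",")) {
    const eq = member.indexOf("=");
    if (eq === -1) continue; // skip malformed members
    const feature = member.slice(0, eq).trim().toLowerCase();
    const raw = member.slice(eq + 1).trim();
    // Strip the inner-list parentheses, then split allowlist entries on spaces.
    const inner = raw.startsWith("(") && raw.endsWith(")") ? raw.slice(1, -1) : raw;
    const allowlist = inner.split(/\s+/).filter(Boolean).map((e) => e.replace(/^"|"$/g, ""));
    if (feature) policy.set(feature, allowlist);
  }
  return policy;
}

// Classify each motion feature: "blocked" (empty allowlist), "self-only",
// "third-party" (another origin or * is listed), or "default" (not declared,
// so the browser's built-in default applies).
function auditMotionSensors(headerValue) {
  const policy = parsePermissionsPolicy(headerValue || "");
  const report = {};
  for (const feature of MOTION_FEATURES) {
    const allow = policy.get(feature);
    if (allow === undefined) report[feature] = "default";
    else if (allow.length === 0) report[feature] = "blocked";
    else if (allow.every((e) => e === "self")) report[feature] = "self-only";
    else report[feature] = "third-party";
  }
  return report;
}

// Constructed sample headers, not taken from any real site.
const SAMPLES = {
  locked: "accelerometer=(), gyroscope=(), magnetometer=()",
  mixed: 'accelerometer=(self), gyroscope=(self "https://widgets.example"), camera=()',
  open: "accelerometer=*, geolocation=()",
};

for (const [name, header] of Object.entries(SAMPLES)) {
  console.log(name, auditMotionSensors(header));
}
```

A site that has no use for motion data can send the `locked` form; any feature reported as `third-party` or `default` is worth reviewing against the frames and scripts the page actually embeds.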

Simply going about your daily routine is enough to render your password pwned — providing perhaps an unfortunate metaphor for seemingly more and more of online life.

Jack Morse

Professionally paranoid. Covering privacy, security, and all things cryptocurrency and blockchain from San Francisco.
