Criminals appear to be offering up-to-date phone numbers for millions of WhatsApp accounts for sale, potentially putting users worldwide at increased risk of phishing attacks and impersonation. Here’s what you need to know and how you can protect yourself.
What Happened in the Alleged 2022 WhatsApp Data Breach?
On November 16, 2022, a user on a popular hacking forum created a post which advertised scraped data from 487 million WhatsApp accounts. Users from 84 countries are affected, including 32,315,282 in the US alone.
Enquiries from potential buyers were posted on the forum almost immediately.
Although the initial advertisement was placed on the hacking forum, the seller asked for sales and other contacts to be made over Telegram, where data samples can be provided to interested parties.
Data sets are being sold individually, with prices varying by country. The US data set, for instance, went on sale for $7,000.
Although the data for sale contains only phone numbers, these are thought to be valid and current. At the time of writing, WhatsApp's owner, Meta, has not released any information on the alleged breach; however, the data appears to be genuine.
How Dangerous Is the Reported WhatsApp Data Breach?
There are billions of possible phone numbers available, and knowing which ones are active and in use is invaluable to criminals. As a result of the alleged breach, you might expect to see a lot more spam and phishing attacks.
An additional worry is that criminals can clone your SIM card, and use your number to impersonate you on WhatsApp—launching phishing attacks on friends, relations, and colleagues.
Although criminals will not be able to restore any messages or media without access to an on-device or cloud-based backup, when they add your WhatsApp account to their phone, they will be able to see and access any groups that you are a part of. This gives them an avenue of attack against your online contacts.
How to Protect Yourself After a Data Breach
If reports from outlets like TechRadar are genuine, there is currently no way of knowing whether your phone number is one of those being sold online. You should assume that any contact through WhatsApp is an attempt at a phishing attack, and you should watch for contacts acting out of character. It’s entirely possible that their accounts have been compromised and are being used to attack you.
To guard against your account being taken over by criminals, you should enable two-step verification.
To do this, tap Settings, then Two-step verification, then set a PIN. While a criminal may be able to clone your phone number and receive verification steps, it’s unlikely that they will be able to guess a six-digit PIN.
Make Sure You Have a Communications Backup
After a data breach which reveals your information to strangers, and makes it easier for criminals to impersonate you and others, it’s difficult to trust anyone you talk to using the app. It’s wise to make sure that you have a backup way to contact your friends. Email is a great way of contacting people outside of WhatsApp to double-check any suspicious messages and to confirm that they are still in control of their account.