Thoughts about WhatsApp data leak

What are your thoughts and comments about the recent WhatsApp data leak, where hackers obtained phone numbers of 500 million WhatsApp users, and put that data on sale. Information about this security incident is very limited though.

There are still questions about the leak. Like, the article you cite points out that is it unclear how the WhatsApp users’ numbers were obtained. However, it raises the possibility of data scraping.

However, r/privacy has a pretty insightful commentary/discussion about it, which you can read here:

Given this database/data leak is the result of scraping, I would then see this incident as a case that criticizes the over-reliance on phone numbers and the existence of data brokers, as they engage in data scraping, which is more severe. Here, phone numbers were compiled. But data brokers compile addresses, court records, and even incorrect records, creating a defamation risk. And do phone numbers deserve to be semi-official Social Security numbers? Why is SMS 2FA universally deprecated among the cybersecurity and digital privacy community? Phone numbers are just numbers, not IDs.

However, if this data leak was the result of a data breach/cyberattack, then I am further curious about how WhatsApp got breached. And I would also like to better comprehend the security operations and practices of Signal.

The number is actually closer to 280 million. The user that posted the 500 million number count was a guy trying to scam others and pretty much was a copy from another user selling the information. The data is mostly Name + phone number with the rest being just phone number, apparently all active accounts.

I would think its the first one, the attacker got the phone numbers from data brokers. Meta is notorious for giving user data to data brokers. WhatsApp communications are end to end encrypted, but the parent company, Meta, still has access to profile data and chat metadata, which they are known for giving to data brokers.

2 Billion people use WhatsApp. If the WhatsApp server was breached, wouldn’t all 2 Billion phone numbers be compromised, unless if it was just one storage server that has hacked? Maybe the attacker got phone numbers from a data scraping service, but since so many people use WhatsApp, by coincidence most of the numbers they got are active WhatsApp accounts.

Thanks for linking to a reddit discussion on the topi!

What has likely happened was a public scrape of all this information, which might explain why some of these don’t have names attached to them. Likely source of the scrape was when the introduced the wa.me links which is basically a telegram link, except it uses your phone number in the URL. This probably bypassed the previous rate limiting Facebook had and made them available on search engines.

was just typing out a response saying this lol, beat me to it.
Mental outlaw also uploaded a video talking about it.
https://redirect.invidious.io/watch?v=pHu0_ksUAbQ

1 Like