Facebook messaging system WhatsApp has been hit with a security breach that the company said could leave users vulnerable to malicious spyware being installed on their smartphones.
A WhatsApp spokesperson told Reuters that the attack appeared to be orchestrated by a “private company working with governments on surveillance.” The Israeli software used in the attack was designed for intelligence agencies to use in fighting terrorism.
Facebook discovered the breach earlier this month, and last week reported it to the U.S. Justice Department and the European Union’s Data Protection Commission. Facebook has touted the app, which is used by some 1.5 billion people monthly, as being a secure and private messaging system.
Criminals appear to be offering up-to-date phone numbers for millions of WhatsApp accounts for sale, potentially putting users worldwide at increased risk of phishing attacks and impersonation. More than 32 million of the leaked records are said to be from users in the US, with 11 million from UK users. Other affected nations include Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), Turkey (20 million), and Russia (10 million).
According to a news report, hackers were able to install commercial Israeli spyware, developed by Israel’s NSO Group, onto Android and iPhone handsets through the app. The software is able to ring users’ phones and thereby gain access to the device through the WhatsApp call function. The software can work even if the targeted users do not answer the calls.
WhatsApp said it was able to quickly fix the breach, and urged users to update the app and their phone OS to protect themselves against security breaches.
How Dangerous Is the Reported WhatsApp Data Breach?
There are billions of possible phone numbers available, and knowing which ones are active and in use is invaluable to criminals. As a result of the alleged breach, you might expect to see a lot more spam and phishing attacks.
Another concern is that criminals can clone your SIM card, and use your number to impersonate you on WhatsApp—launching phishing attacks on friends, relations, and colleagues.
Although criminals will not be able to restore any messages or media without access to an on-device or cloud-based backup, when they add your WhatsApp account to their phone, they will be able to see and access any groups that you are a part of. This gives them an avenue of attack against your online contacts.
Here’s what you need to know and how you can protect yourself.
There is currently no way of knowing if your phone number is one of those which is being sold online. You should assume that any contact through WhatsApp is an attempt at a phishing attack, and you should take care that your contacts are not acting out of character. It’s entirely possible that their accounts have been compromised, and are being used to attack you. To guard against your account being taken over by criminals, you should enable two-step authentication.
To do this, tap Settings then Two-step verification, then set a PIN. While a criminal may be able to clone your phone number and receive verification steps, it’s unlikely that they will be able to guess a six-digit PIN.
Make Sure You Have a Communications Backup
After a data breach that reveals your information to strangers and makes it easier for criminals to impersonate you and others, it’s difficult to trust anyone you talk to using the app. It’s wise to make sure that you have a backup way to contact your friends. Email is a great way of contacting people outside of WhatsApp to double-check any suspicious messages and confirm that they are still in control of their account.