Viral claims of unsubstantiated WhatsApp data leak draw regulators’ attention
Unsubstantiated claims that hundreds of millions of WhatsApp users’ phone numbers were leaked have prompted inquiries from data protection regulators over the weekend.
A post on the hacking site BreachForums last Wednesday, made by a new user with just a handful of previous posts, offered for sale phone numbers belonging to more than 487 million WhatsApp users.
The post did not state it had combined any additional details with the numbers themselves, meaning the seller was offering a list of numbers rather than an actual “database” with multiple columns. It also did not attempt to explain how the seller accessed these numbers or compiled the data.
Privacy regulators in the Republic of Ireland and Hong Kong have been in contact with WhatsApp’s parent company Meta regarding the reports. A spokesperson from the company told The Record that there is “no evidence of a data leak from WhatsApp.”
The BreachForums post listed the count of phone numbers beside the countries they were associated with, incorrectly including “Africa” despite the continent being home to more than 50 states with unique country calling codes, several of which were independently included among the countries it listed. Following the closure of RaidForums, which has a similar low barrier to entry, BreachForums has become a popular open-web destination for various actors claiming to sell hacked materials.
The post went viral after being reported by Cybernews, a cybersecurity research organization, which was then picked up by several publications in India. Over the weekend and on Monday morning the hashtags #WhatsApp and #DataLeak have been trending on Twitter linking to posts referencing these stories.
Cybernews claimed the database was “likely” authentic after it “investigated” a sample provided by the seller. The sample data it described contained just under 2,000 numbers which the website was able to confirm were registered with WhatsApp by entering them into the app, which confirms to senders whether the number is using the service.
The numbers selected by the seller were a non-representative sample picked from just two of the countries which they claimed to have data regarding (the United States and the United Kingdom), amounting to less than 0.00041% of the total dataset.