WhatsApp is the latest major company to be hit with a threat of a data leak from an anonymous online actor, with claims phone numbers of millions of users around the world could be exposed.
Earlier this month, a post emerged on online hacking website BreachForums offering the sale of a database containing the phone numbers of 487 million WhatsApp users across 84 countries.
A screenshot of the post, shared by research-based online publication Cybernews, shows the anonymous poster claimed the database also included the recent phone numbers of more than 7.3 million Australians.
Cybernews reported that the poster told the publication they were selling the US dataset, containing more than 32 million phone numbers, for $US7000 ($A10,500).
They also said they were offering the phone numbers of 11 million UK citizens for $US2500 ($A3750) and those of users in Germany for $US2000 ($A3000).
Stream more tech news live & on demand with Flash. 25+ news channels in 1 place. New to Flash? Try 1 month free. Offer available for a limited time only
The publication reported the user provided a sample dataset, which included 1097 UK and 817 US user phone numbers.
After investigating the numbers, Cybernews said it had confirmed that all of the phone numbers were linked to WhatsApp users and it was “likely” the claims of the online poster were true.
However, a spokesperson from WhatsApp, which is owned by Meta, told The Times of India that there was “no evidence” the messaging app had been impacted by a data leak.
“The claim written on Cybernews is based on unsubstantiated screenshots. There is no evidence of a ‘data leak’ from WhatsApp,” the spokesperson said.
The sample dataset inspected by Cybernews equates to less than .00041 per cent of the total phone numbers the poster claims to have access to.
While the seller did not reveal how they allegedly obtained the phone numbers, Cybernews reported such information could have been obtained using a method called “scraping” which allows user data to be harvested and is a violation of WhatsApp’s Terms of Service.
“This claim is purely speculative. However, quite often, massive data dumps posted online turn out to be obtained by scraping,” the publication said.
The editor of Cybernews, Jurgita Lapienytė, later posted to Twitter confirming there was no evidence WhatsApp had been hacked, but that didn’t mean that users weren’t still at risk.
“The leak might be a scrape but that doesn’t mean it’s any less dangerous for the affected users,” she said.
Phone numbers are often used in phishing scams, where scammers attempt to trick people into giving out their personal information, such as bank account numbers, passwords and credit card details.
Often in these scams, the scammers pretends to be from a legitimate business such as a bank, telephone or internet service provider.
They then ask you to confirm your personal details.
“For example, the scammer may say that the bank or organisation is verifying customer records due to a technical error that wiped out customer data. Or, they may ask you to fill out a customer survey and offer a prize for participating,” ScamWatch Australia warns.
“Alternatively, the scammer may alert you to ‘unauthorised or suspicious activity on your account’. You might be told that a large purchase has been made in a foreign country and asked if you authorised the payment.”
If you then reply you didn’t, the scammer will ask you to confirm your credit card or bank details so they can investigate the situation.
Facebook hit by massive data leak last year
Data leaks and hacking threats are something that major companies are continually having to protect against.
Just last year, the phone numbers, locations, email addresses and other personal details of 533 million Facebook users were found on a website used by hackers.
The breach included the records of 32 million US profiles, 11 million UK profiles and 6 million users members from India.
Although the information (which also included full names, bios and birthdates) was believed to be a few years old, the Business Insider confirmed it could still provide cybercriminals with the details necessary to scam or impersonate compromised individuals.
The leak was first discovered in January 2021 when the co-founder and chief technology officer of respected cybercrime intelligence company Hudson Rock Alon Gal found an automated bot advertising the data on the same hacking forum.
Mr Gal then found the entirety of the data collection on Saturday.
Despite this, Facebook’s director of strategic response communications, Liz Bourgeois, claimed the company has already “found and fixed”.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” she tweeted.
Mr Gal, however, disputed her claims, saying “533,000,000 accounts having their personal information leaked is apparently considered ‘fixed’ by Facebook’s definitions”.
The cyber security expert also called on the social media giant to improve their management of sensitive user information, stating that members have the right to feel “fed up”.
“I’m reading your comments about Facebook’s data leak and I can sense people are fed up with their private information being mismanaged, you are absolutely right to feel so,’ he tweeted. “Facebook needs to acknowledge this breach and not with just a ‘we value your information’ statement.”