According to a statement from the Lebanese Internal Security Forces (ISF), several WhatsApp users have complained that their accounts were hacked and their information stolen by unknown parties who managed to exploit the SMS activation codes the company sends to users’ phones.
These unknown parties are scamming WhatsApp users by taking advantage of those who have not activated the app’s two-step verification feature. When a phone number is first registered with WhatsApp on a new device, the app does not require a username or password. Instead, WhatsApp sends a text message with an activation code, which the user enters into WhatsApp to verify their phone number on that device. According to user complaints, hackers attempt to register WhatsApp accounts using existing phone numbers. They then call those numbers, claim to have mistakenly entered the wrong phone number when requesting their own activation code, and ask the owner of the number to pass on the code they received.
If the owner of the number gives them the activation code, the hackers take control of the account and lock the owner out of all of their WhatsApp data. Once in control, they send a slew of abusive messages to the owner’s contacts and then demand payment from the owner to restore access to the account, according to the ISF.
Before WhatsApp introduced two-step verification in February 2017, users were able to request their activation code a number of times. In an effort to prevent unknown parties from accessing individuals’ WhatsApp accounts, the company introduced a two-step verification option meant to offer added protection for users. Two-step verification, which can only be enabled from within an existing WhatsApp account’s settings, requires users to choose a PIN for the registration process. Once this PIN is created, users must provide it in addition to the SMS activation code whenever they verify their phone number on a new device. This means that even if an unknown party obtained another WhatsApp user’s activation code, they could not use it without also knowing the PIN that user created.
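To make the mechanism described above concrete, here is an added Python model of a registration service that issues a single-use, time-limited SMS activation code and, where the account has a PIN set, refuses to move the number to a new device without it. This is example code written for this article, not WhatsApp’s implementation; the phone number, device names, PIN, code lifetime and attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy knobs (assumed values for this example, not WhatsApp's real settings).
CODE_TTL_SECONDS = 600      # an activation code is valid for ten minutes
MAX_CODE_ATTEMPTS = 5       # after that the pending registration is discarded


def _digest(value: str) -> str:
    """Store only a hash of codes and PINs, never the plaintext."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class PendingRegistration:
    code_digest: str
    issued_at: float
    attempts: int = 0


@dataclass
class Account:
    phone: str
    device_id: str
    pin_digest: Optional[str] = None   # None: two-step verification is off


class RegistrationService:
    """Toy model of phone-number registration with an optional two-step PIN."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, PendingRegistration] = {}
        # Constructed stand-in for the SMS channel: (phone, code) pairs that
        # would be delivered to whoever currently holds that number.
        self.outbox: List[Tuple[str, str]] = []

    def create_account(self, phone: str, device_id: str, pin: Optional[str] = None) -> None:
        self.accounts[phone] = Account(phone, device_id, _digest(pin) if pin else None)

    def request_code(self, phone: str, now: Optional[float] = None) -> None:
        """Anyone can start registering any number; the code goes to the number's owner."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        issued = now if now is not None else time.time()
        self.pending[phone] = PendingRegistration(_digest(code), issued)
        self.outbox.append((phone, code))

    def verify(self, phone: str, device_id: str, code: str,
               pin: Optional[str] = None, now: Optional[float] = None) -> str:
        """Try to bind `phone` to `device_id`; returns a short status string."""
        pending = self.pending.get(phone)
        if pending is None:
            return "no-pending-registration"
        now = now if now is not None else time.time()
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self.pending[phone]
            return "code-expired"
        pending.attempts += 1
        if pending.attempts > MAX_CODE_ATTEMPTS:
            del self.pending[phone]
            return "too-many-attempts"
        if not hmac.compare_digest(pending.code_digest, _digest(code)):
            return "wrong-code"
        account = self.accounts.get(phone)
        # Two-step verification: the PIN is a second secret that never travels
        # over SMS, so a leaked activation code alone is not enough.
        if account is not None and account.pin_digest is not None:
            if pin is None or not hmac.compare_digest(account.pin_digest, _digest(pin)):
                return "pin-required"
        del self.pending[phone]
        if account is None:
            self.accounts[phone] = Account(phone, device_id)
        else:
            account.device_id = device_id
        return "registered"


def takeover_scenario(pin_enabled: bool) -> Tuple[str, str]:
    """Replay the scam the ISF describes against this model and report which
    device ends up holding the account. All names and numbers are constructed."""
    svc = RegistrationService()
    svc.create_account("+961-0000-0000", "owner-phone", pin="4821" if pin_enabled else None)
    svc.request_code("+961-0000-0000")          # registration started from another device
    _, leaked_code = svc.outbox[-1]             # the owner is talked into reading the code out
    status = svc.verify("+961-0000-0000", "other-device", leaked_code)
    return status, svc.accounts["+961-0000-0000"].device_id


if __name__ == "__main__":
    print("two-step off:", takeover_scenario(False))   # ('registered', 'other-device')
    print("two-step on: ", takeover_scenario(True))    # ('pin-required', 'owner-phone')
```

Without a PIN, the leaked code is the only secret and the number moves to the other device; with a PIN set, the same leaked code yields `pin-required` and the account stays on the owner’s phone. The model also expires codes, caps guesses and compares hashes in constant time, which is what keeps a stray code from being brute-forced or replayed later.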
Though several media outlets covered WhatsApp’s introduction of two-step verification, the application itself has failed to properly inform its users of this capability, leaving them vulnerable to account theft and hijacking.
What you need to do to prevent a “hacking” attempt on your WhatsApp account:
- For any text message you receive on your phone, be sure to read and verify who sent it, what its contents are, and whether it contains any personal information about you.
- When possible, avoid requesting verification codes over text message; instead, try using the phone call feature.
- Do not share any verification codes related to the applications and services you use with anyone, especially if you receive any that you haven’t specifically requested yourself.
- Activate two-step verification on WhatsApp. This adds another layer of security to your account, by requiring a PIN of your choosing to be provided along with a verification code during any attempt to verify your phone number. To enable two-step verification, open WhatsApp on your phone and go to Settings > Account > Two-Step Verification > Enable.
- WhatsApp recommends that you provide a verifiable email address where a link to temporarily disable two-step verification can be sent, to avoid getting locked out of your account in the event that you forget your PIN. If you do not provide an email address when enabling two-step verification, you will not be able to access your account for seven days if you forget your PIN.
- If you receive an email from WhatsApp about disabling two-step verification on your account, but did not request this, ignore the email and do not click on the confirmation link. Someone could be attempting to steal or hijack your account by verifying your phone number.
If you are a victim of WhatsApp account theft, you can contact WhatsApp to report your case and to deactivate and reactivate your account. You can also tell us about such cases by emailing info[at]smex.org.