
Nearly 500 Million WhatsApp Records Allegedly Stolen in Data Leak, Offered on Dark Web for a Few Thousand Dollars

The world’s most commonly used messaging app may have suffered a data leak impacting about 487 million of its users, if a dark web posting is to be believed.

The threat actor is offering the information for a relatively low cost, dividing it up by country of origin and offering each package for prices in the range of several thousand dollars. It remains to be seen if the entire collection is legitimate, but samples provided by the hackers have been verified by security researchers. If the full data leak is legitimate, it would impact about a quarter of WhatsApp’s global user base.

Massive data leak exposes private phone numbers, may have been API scraping attack

The data leak does not appear to have compromised WhatsApp messages in any way, at least going by the information and samples posted to the dark web. It instead contains phone numbers that are used for account verification and creation and that are usually kept private.

The hacker would not reveal their methods, but the focus on phone numbers connected to accounts (combined with the huge scale of the data leak) points to an API vulnerability as the most likely culprit. While a hidden phone number would likely only have some direct value if it belonged to a celebrity or public figure, hackers can combine it with other available information on an individual (often conveniently accessible in massive “combination files”) and make use of bots to bombard targets with scam and phishing attempts. There is a particular risk from “smishing” and “vishing” attacks that make use of text messages and phone calls to circumvent usual lines of defense.

The dark web post says that the information was collected in 2022 and contains records from 84 countries. Some of the largest sets come from Egypt (44 million), Italy (35 million), the United States (32 million), Saudi Arabia (29 million), France and Turkey (20 million each). Little is known about the threat actor, but it seems likely that they are not based in Russia as the records of 10 million of that country’s WhatsApp users have also been put up for sale; unwritten rules of decorum in the region generally stop Russian attackers from going after domestic targets or allies of the country.

The attackers are asking various prices for each nation’s data set, with the largest amount ($7,000) requested for the set of 32 million US phone numbers. That represents a little under half of the estimated WhatsApp users in the country. 817 US numbers were among the sample verified by security researchers as being legitimate. Security firm Check Point has obtained the data and is reporting that it contains at least 360 million legitimate phone numbers in total, but also indicates that some of it may be inflated by material from a 2019 Facebook data leak.

Exploitation of API vulnerabilities to capture private profile information has become more common as of late, and a number of the major tech platforms have recently experienced attacks. Data leaks of hundreds of millions of records have recently been disclosed by Facebook and LinkedIn, and a similarly large breach of Twitter profile data that took place in 2021 was just made available for free on a dark web forum. While holes in APIs generally do not allow attackers access to highly sensitive information, personal data of some value to criminals can be scraped quickly and in large quantities with little to nothing in the way of difficulty from company security (or even detection).
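As an added defender-side example (not code from the article, WhatsApp, or any of the companies named), the script below runs a simple enumeration heuristic over constructed contact-discovery API access log lines: it flags any client that looks up more than a threshold of distinct phone numbers inside a sliding time window, and measures how sequential a client's looked-up numbers are, since a scraper walking a number range stands out from an app syncing a real address book. The log format, client identifiers, sample numbers and thresholds are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample log: "unix_timestamp client_id looked_up_phone" per line.
# app-7f3a behaves like a normal client; scr-01 walks a number range.
SAMPLE_LOG = """\
1669000000 app-7f3a +14155550100
1669000005 app-7f3a +14155550177
1669000010 scr-01 +12025550001
1669000010 scr-01 +12025550002
1669000011 scr-01 +12025550003
1669000011 scr-01 +12025550004
1669000012 scr-01 +12025550005
1669000012 scr-01 +12025550006
1669000013 scr-01 +12025550007
1669000120 app-7f3a +14155550199
"""

def parse_log(text):
    """Parse the assumed log format into (timestamp, client, phone) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, phone = line.split()
            events.append((int(ts), client, phone))
    return events

def flag_enumerators(events, window_s=60, max_distinct=5):
    """Return {client: peak_distinct_numbers} for clients that looked up more than
    max_distinct distinct phone numbers within any window_s-second window."""
    by_client = defaultdict(list)
    for ts, client, phone in sorted(events):
        by_client[client].append((ts, phone))
    flagged = {}
    for client, rows in by_client.items():
        seen, start = Counter(), 0
        for ts, phone in rows:
            seen[phone] += 1
            # Drop lookups that have fallen out of the sliding window.
            while rows[start][0] < ts - window_s:
                old = rows[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_distinct:
                flagged[client] = max(flagged.get(client, 0), len(seen))
    return flagged

def sequential_fraction(phones):
    """Fraction of consecutive lookups whose numeric values differ by exactly 1;
    a value near 1.0 indicates range walking rather than address-book sync."""
    nums = [int(p.lstrip("+")) for p in phones]
    pairs = list(zip(nums, nums[1:]))
    return sum(1 for a, b in pairs if b - a == 1) / len(pairs) if pairs else 0.0
```

In a real deployment the same two signals would be computed per client on the gateway's access logs and fed into rate limiting or step-up verification rather than printed.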

API scraping increasingly profitable for attackers

WhatsApp has yet to confirm the data leak, with a spokesperson stating that the only evidence thus far consists of unsubstantiated screenshots posted to the dark web. It is far from unheard of for criminals to take old material from prior data leaks and try to repackage it as a new collection, hoping to pull off a couple of quick sales on the dark web before the underground buyers sniff them out.

Regardless of the actual size or legitimacy of the WhatsApp data leak, a number of cybersecurity analysts expect API vulnerabilities to become one of the most common attack vectors in the coming year. They are easy to find and exploit, and the risk to the attacker is about as low as it gets; in many places scraping is not even an illegal act, at worst simply a violation of the platform's terms of service. Dark web listings demonstrate the value that even fairly basic profile information has.

The information that is taken will inevitably be used to feed illegal acts via the dark web, the most dangerous of these being targeted scams and phishing attempts. This is also the peak time of year for that sort of activity, with criminals taking advantage of the online shopping frenzy running between the Black Friday/Cyber Monday sales and Christmas. Some major companies, such as Amazon, have observed phishing attempts nearly doubling during this period of the year.


Almog Apirion, CEO and Co-Founder of Cyolo, sees this relative ease of access as another validation of a zero trust approach to network security: “While WhatsApp has not yet confirmed the data breach, the alleged user records obtained in the attack emphasize the potentially damaging effects this type of stolen information has on its victims … Implementing strong identity-based access control is one way to mitigate this threat and the associated challenges (e.g., access to personal financial information, corporate data, etc.). To safeguard themselves, the collaboration and communications tools used within the businesses are in dire need of strong zero-trust practices, in order to protect internal, external, third-party, customer, and even business partners’ user data. Identity-based access control supports companies integrating an improved security posture as well as gaining visibility and control over their systems. The organizations will be better equipped to mitigate these threats as they arise and protect their business-critical systems and information.”