Millions of WhatsApp numbers stolen and put up for sale. Know what to expect and how to defend yourself


Marketing, fraud, identity theft. Selling the database is a “crime” with a “cruel impact” on users, but there are steps they can take to protect themselves and claim their rights (one of which involves a redress action against Meta)

“Hello, today I am selling the following Whatsapp user database”.

The message was posted on a hacker forum on November 16 by an unknown user. The details of the offer followed: some 487 million WhatsApp numbers were put up for sale (for an indefinite period of time), from 84 countries. That is, almost 25% of all numbers registered in the application worldwide.

According to data in the post, Egypt, Italy and the United States lead the list of countries with the most compromised users – each with more than 30 million stolen numbers. Portugal tops the list, with 2,277,361 users – a smaller but significant number when compared to the total Portuguese population.

The hacker later shared an excerpt of the numbers collected in the United Kingdom and the United States at the request of the cybersecurity website Cybernews. It was a “small” sample of about a thousand numbers, which the site checked one by one – and they turned out to belong to active users of the platform. Meta’s response, however, was the same as in (numerous) other situations like this: the allegations “are based on unsubstantiated screenshots” and “there is no definitive proof” that user data was actually collected by third parties.

The hacker’s post. Source: Cybernews

And what can happen now? “The possibilities are limitless”

At first glance, the data obtained by the hackers may not seem particularly relevant. Numbers and names of millions of people are revealed, but they are only numbers and names – what could the consequences be if this data falls into the wrong hands? In three words: marketing, fraud and identity theft.

The first two are often related, as explained by Elsa Veloso, lawyer and specialist in Privacy and Data Protection. “We are going to receive even more marketing communications, in which they try to sell us products or services that are often fraudulent.” Since the same messages are sent to “monster databases” from different countries, some will contain spelling and sentence construction errors that will quickly expose them as illegal. Others will probably come across as more believable.

“These hackers have increasingly sophisticated practices, the result of past attempts and attacks, and there is great experience here that will lend credence to the attacks,” warns Elsa Veloso. One of these strategies is to ask the user for small amounts, precisely to appear more credible. “You are entitled to a Christmas basket for only one euro”: it seems like an attractive message of modest value, but if every Portuguese user in the database were to fall for the deception, it would yield the hackers a profit of more than two million euros.

Then there are phishing, smishing and vishing, which follow a similar method: sending emails, text messages or phone calls (respectively) that induce the recipient to disclose confidential information. Again, it is important to stress the growing credibility of these strategies. The sites we are redirected to look legitimate, and we are tempted to enter our tax number or change the password of our home banking application – thereby handing the hackers free access to our mobile phones and bank accounts.
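The lure patterns the two previous paragraphs describe (a link to a look-alike site, a link shortener that hides the destination, a request for a tax number or password, and a tiny amount such as “only one euro” that makes the offer seem harmless) can be turned into a simple triage rule set for incoming text messages. The following is an added example written for this article, not code from the article or from any of the people quoted in it; the trusted domains, the shortener list and the sample messages are all constructed placeholders, and it deliberately does not try to model the spelling-error signal the lawyer mentions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the organisations a user actually deals with use.
# Placeholders for illustration, not real institutions.
TRUSTED_DOMAINS = {"examplebank.pt", "example-post.pt"}

# Hosts of public link shorteners, which hide the real destination of a link.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

URGENCY_RE = re.compile(r"\b(?:urgent|immediately|blocked|suspended|expires|last chance|today only)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(?:password|pin|tax number|nif|confirmation code)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
# Amounts written as "1€", "€ 0,99", "2 euros" or "1 eur"
AMOUNT_RE = re.compile(r"€\s*(\d+(?:[.,]\d+)?)|(\d+(?:[.,]\d+)?)\s*(?:€|euros?\b|eur\b)", re.I)
TINY_AMOUNT_LIMIT = 5.0  # euros; "only one euro" style lures fall under this


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels of a hostname (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted look-alikes of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_host(url: str) -> str:
    """Hostname of a URL, tolerating the bare 'www.' form found in text messages."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return urlparse(url).hostname or ""


def score_message(text: str) -> tuple[int, list[str]]:
    """Return (score, reasons). Higher scores mean the message looks more like smishing."""
    score, reasons = 0, []

    for url in URL_RE.findall(text):
        host = url_host(url)
        reg = registered_domain(host)
        if reg in TRUSTED_DOMAINS:
            continue  # the link really resolves under a trusted registered domain
        if reg in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"shortened link hides destination: {host}")
        for trusted in TRUSTED_DOMAINS:
            # Trusted name reused as a label of an unrelated registered domain
            if trusted in host or trusted.split(".")[0] in host:
                score += 4
                reasons.append(f"look-alike host impersonates {trusted}: {host}")
            elif edit_distance(reg, trusted) <= 2:
                score += 4
                reasons.append(f"typo-squat of {trusted}: {reg}")
        if reg not in SHORTENER_HOSTS:
            score += 1
            reasons.append(f"link to unknown domain: {host}")

    if URGENCY_RE.search(text):
        score += 2
        reasons.append("urgency wording")
    if CREDENTIAL_RE.search(text):
        score += 2
        reasons.append("asks for a credential or tax number")
    for g1, g2 in AMOUNT_RE.findall(text):
        if float((g1 or g2).replace(",", ".")) <= TINY_AMOUNT_LIMIT:
            score += 3
            reasons.append("tiny-amount lure")
            break
    return score, reasons


def triage(messages: list[str]) -> list[tuple[int, str, list[str]]]:
    """Rank messages from most to least suspicious."""
    ranked = [(s, m, r) for m in messages for s, r in [score_message(m)]]
    return sorted(ranked, key=lambda t: t[0], reverse=True)


# Constructed sample inbox; none of these are real messages or real domains.
SAMPLE_MESSAGES = [
    "Dinner at 8 tonight?",
    "Your parcel is ready. Track it at https://example-post.pt/track/123",
    "You are entitled to a Christmas basket for only 1€! Claim it: https://bit.ly/xmas-gift",
    "URGENT: your examplebank.pt account is blocked. Verify now at http://examplebank-pt.verify-login.com/auth",
    "Your card will be suspended, confirm your PIN at http://exampelbank.pt/login",
]

if __name__ == "__main__":
    for score, msg, reasons in triage(SAMPLE_MESSAGES):
        print(f"{score:2d}  {msg}\n    {'; '.join(reasons) or 'no signals'}")
```

The weights are arbitrary and only order the sample messages; in practice the link checks carry the most weight because a genuine message from a bank or courier links under its own registered domain, while every lure variant in the article needs a link or a call to act on.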

“From the moment someone clicks on a link, they are exposed,” summarizes Nuno Mateus-Coelho, a cybersecurity specialist. Even if you don’t intend to enter any personal information, a few clicks on the wrong link could trigger an unsolicited download of a worm or ransomware. The strategy is different, but the attackers’ goals remain the same: “steal information, embezzle money and clean out people’s accounts”. From the moment the phone is compromised, “the possibilities are limitless” – from turning the camera and microphone on and off to accessing messages and contacts.

Under these circumstances, the user does not even have to hand over personal data to see it compromised. “When the person uses the banking application and makes a payment, the codes can be captured, just like the confirmation SMS,” warns Nuno Mateus-Coelho. Access to messages also lets the hackers’ reach extend to the affected user’s entire contact list – when a message is sent in that user’s name, everyone who receives (and believes) it becomes equally vulnerable.

In this context, one cannot be too careful. Changing the number seems to be one of the most definitive solutions, the cybersecurity expert admits, although not the most practical – especially considering the millions of people affected by the sale of the database. So what other measures can we take? The simplest and most effective is precisely that: investing in the digital literacy of the population.

“People need to understand that they shouldn’t click on everything that appears in front of them, even within the group of friends, because we don’t know what the vulnerabilities are.” Elsa Veloso agrees, emphasizing that we are dealing with “a global crime of great magnitude”, which “could have a brutal impact on the daily lives of people who have trusted WhatsApp”. At the very least, the way we react to receiving messages requires an extra dose of caution. “There will be aggressive and fraudulent marketing, identity theft attempts – all of which will be on a massive scale.”

Beyond that, the measures to take are the ones that cybersecurity and data protection experts have always recommended: install security software such as an antivirus or anti-ransomware; never share login details with third parties; do not change home banking passwords without consulting the bank in person; do not allow cards to be duplicated other than in person. And, Elsa Veloso stresses, never believe in “supposedly free product offers where we are in fact the product”.

The Meta Monopoly, Cyber Warfare, and User Rights

“There is no evidence of a data breach.” Meta’s response echoes what it has written in previous press releases under similar circumstances, but the truth is that the successive controversies affect the company’s reputation. Economically, not so much. Ireland’s data protection commission this week fined Meta €265 million, on top of another €405 million fine imposed by the same body in September. Sanctions and lawsuits pile up, but the damage is cushioned by the huge profits of this ever-growing giant.

“Its goal is the state above the state: it has billions of people living in it who use Facebook, Messenger, Instagram, WhatsApp every day,” notes Elsa Veloso. “Despite the fines imposed and the apparent decrease in the use of some platforms, Meta is constantly recruiting new platforms and expanding”. Before this name became known, the group was called “Facebook”; later, when it lost some audience to Instagram, it didn’t try to beat the rival – it bought it and absorbed it into the business. The acquisition of WhatsApp happened in 2014, seven years before the Meta name was adopted. It is thanks to this business strategy that the vast majority of our social networks are operated by the same North American group. As a European community “we don’t have platforms that can compete with Meta”.

The platforms most used by the Portuguese population have split origins – on the one hand, North American social networks (largely dominated by Meta); on the other, Chinese social networks such as TikTok (which alone rivals the rest). “Moreover, we are being attacked by Russian hackers.” This cyber dominance by the world’s superpowers calls for a more general contextualization of the situation, placing it within the current political landscape. “You need to zoom out”, the specialist stresses, “and realize that there is indeed a global cyber war going on and that it is necessary to face it head-on”. It is therefore up to Europe to “create its own platforms” and manage them in accordance with the General Data Protection Regulation (GDPR) and its privacy, confidentiality and information security obligations.

Meta’s response makes it possible to guess what process will follow, which should be the same as all the previous ones. Elsa Veloso outlines the likely route: “the databases are sold, someone files a lawsuit against Meta, the sanctions are fought at length in court. Meta usually loses, but what it has gained in the meantime outweighs any loss.” It seems like a cyclical process, destined to repeat itself for as long as revenue exceeds fines, but experts warn that this cycle will only repeat itself if we let it.

Nuno Mateus-Coelho notes that “Meta is no longer in good health and fame in the field of computer security,” and the most recent scandal has shaken an already shaky reputation. “A bit more transparency was expected from such an organization and it is now to be hoped that the Portuguese authorities will not let this go unpunished”. As with the fine imposed by Ireland’s privacy regulator, Portugal should also respond and “request an investigation” from the CNPD (National Data Protection Commission). “Otherwise, these companies will continue to make huge profits on our data and ignore the consequences.”

This view is shared by Elsa Veloso, who also stresses that it is a “crime” under the Portuguese penal code. Meta is required by law to have a data protection officer in the European Union and to “communicate to the supervisory authorities in each country that there has been a breach, the impact on users’ lives and what measures have already been taken”. In the case of Portugal, this supervisory authority would be the RGPD, “a superior law of the Parliament and the Commission, which obliges the notification of the data breach”.

Alternatively, WhatsApp users themselves can “associate and file a claim against Meta” instead of waiting for the supervisory authorities to take action. After all, the initiative can also be taken directly by the injured parties – and the crimes of invasion of privacy and unauthorized access to third-party data carry a “prison sentence of up to one year or a fine of 240 days”.

But even those unaffected can get something out of this situation. With each new data protection scandal, “people are becoming aware of the risks they are taking” and changing their pattern of behavior on the platforms. Even if Meta doesn’t take action, “at least people don’t fall for scams that often” – and the hackers’ plans fail.