Phone numbers are a finite resource. So when one goes out of service, there’s a good chance telecom companies will reuse it for a new phone plan. That can be a big problem on WhatsApp. In some cases, if you get your hands on a phone number that was tied to an existing WhatsApp account, you can hijack it and assume that user’s identity, including their name and profile photo. You’ll receive all their incoming messages and gain access to their group chats. There’s no way for other people to know you’re an imposter. WhatsApp has known about this problem for years, but there are no fixes in sight unless you take proactive steps to protect yourself.
“It’s a massive privacy violation,” said Eric, who asked that we withhold his last name. Eric should know, because he works on privacy issues at a large tech company—and because his son accidentally took over someone else’s WhatsApp account a few months ago.
Eric’s son Ugo was living in Switzerland, but got a new job and moved to France in October 2022. There, Ugo got a new phone plan and eventually popped open WhatsApp. He used the app’s built-in feature to change to his new number. But when he typed in his new French digits, something strange happened.
“As soon as he switched his phone number, his WhatsApp profile picture changed to a woman’s photo, and a bunch of conversations started appearing in his app,” Eric said. “He realized that his account had been merged with someone else’s. My son was getting all of their incoming messages, even conversations about work. He started talking to this person’s grandmother and other people to tell them what happened.”
Sound surprising? It didn’t to WhatsApp.
Since Eric works at a tech company, he knows what to do about a serious security problem. He reached out to WhatsApp through the company’s bug disclosure program. When WhatsApp got back to him, an employee indicated the company knew about the issue, brushed him off, and closed the ticket.
“I couldn’t understand how Meta [WhatsApp’s parent company] could be so dismissive of an issue this huge,” Eric said. Alarmed by the lackadaisical response, he decided to reach out to the press, but not before letting WhatsApp know he was going to do it. He gave the company three months to respond.
To be clear, this doesn’t give you access to another user’s messaging history, only messages sent to them after you take over the account. But it’s a big problem. Not only can this happen by accident, but experts Gizmodo spoke to agreed that this leaves WhatsApp users vulnerable to a SIM swapping attack, where a hacker tricks a phone company into transferring a victim’s phone number to them.
Eric assumed this was a one-in-a-million glitch. People change phone numbers all the time, after all. But then he went to test the account takeover himself. He bought two prepaid SIM cards and was able to recreate the problem in a matter of minutes.
WhatsApp’s response: New phone, who dis?
It turns out Ugo’s number switcheroo isn’t news for WhatsApp—because it was news three years ago. The exact same thing happened to Joseph Cox, a Vice cybersecurity reporter, who wrote about the problem in 2020. It seems very little has changed since then.
Essentially, WhatsApp said the problem is the fault of phone companies and users who aren’t taking recommended security precautions. “We take many steps to prevent people receiving unwanted messages, including expiring accounts after a period of sustained inactivity,” said a WhatsApp spokesperson. “In the extremely rare circumstances where mobile operators quickly re-sell phone lines faster than usual, these additional layers help keep accounts safe.”
The spokesperson stressed that WhatsApp does not store copies of user messages, and said this problem is not a bug or a flaw in WhatsApp, comparing the issue to getting someone else’s mail when you move to a new house.
If you get a new phone number, WhatsApp recommends you switch the number tied to your account immediately, or delete your account if you don’t want to use it anymore. WhatsApp also strongly encourages everyone to set up two-factor authentication (the app calls it two-step verification), which adds a PIN that must be entered on top of the SMS verification code whenever the number is registered on a new phone. Together, these measures are meant to prevent an account takeover.
“WhatsApp is so big there’s a good chance any phone number you get will have been used on WhatsApp at some point. Even if it’s a 1% chance, at their scale it’s going to be a lot of people,” said Cooper Quintin, a security expert and senior staff technologist at the Electronic Frontier Foundation.
“I don’t think WhatsApp is blameless, but there are a number of imperfect systems and imperfect solutions here,” Quintin said. For one, phone companies should wait longer before they recycle phone numbers, he said.
WhatsApp requiring all users to turn on two-factor authentication would entail a trade-off between security and ease of use. It’s not exactly clear what the right move is. Similarly, the app could adopt usernames as account identifiers rather than phone numbers, which get recycled. Gmail, by comparison, never reuses email addresses under any circumstances. But that too is a trade-off. Phone numbers are part of what makes WhatsApp so popular and simple to use.
“WhatsApp needs to have more of a process to ensure people know that their messages are going to the right person,” said Patrick Jackson, chief technology officer at the security company Disconnect and a former wireless and mobile security researcher for the NSA. Jackson said it’s a big mistake for WhatsApp to assign another account’s profile photo when you use the “new phone number” feature on the app. “That’s a clear signal that it’s a different account, it doesn’t make sense,” he said.
Likewise, Jackson said it’s probably not a good idea to automatically merge existing accounts’ group chats. WhatsApp could also send a message to people, letting them know that a phone number has been registered to a new device to ensure nothing goes wrong. “It shouldn’t be this easy to masquerade as another person,” Jackson said. “This is a complex issue, but it’s one WhatsApp can work on, and they should.”
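The mechanics behind Ugo’s incident and the mitigations discussed above can be made concrete with a small model. The Python below is an added example written for this page, not WhatsApp’s code: it keys accounts on the phone number, the way the article describes WhatsApp doing, and shows what each of the three measures mentioned (expiring dormant accounts, a two-step verification PIN, and Jackson’s suggested notice to contacts when a number is registered on a new device) changes about who ends up controlling the identity. The expiry window, the phone numbers and contact lists, and the exact merge behaviour are assumptions.

```python
"""Toy model of phone-number-keyed messaging identity (constructed example).

Not WhatsApp's implementation. The expiry window, sample numbers and
merge semantics are assumptions chosen to illustrate the article's points.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumption: WhatsApp only says "a period of sustained inactivity".
EXPIRY_DAYS = 120


@dataclass
class Account:
    phone: str
    name: str
    photo: str
    contacts: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    pin: Optional[str] = None   # two-step verification PIN, None if never set
    last_active_day: int = 0


class Registry:
    """Accounts are looked up by phone number, so the number *is* the identity."""

    def __init__(self, expiry_days: int = EXPIRY_DAYS) -> None:
        self.expiry_days = expiry_days
        self.accounts: Dict[str, Account] = {}
        self.notices: List[Tuple[str, str]] = []   # (recipient phone, text)

    def signup(self, phone: str, name: str, photo: str, contacts=(), groups=(),
               pin: Optional[str] = None, day: int = 0) -> Account:
        acct = Account(phone, name, photo, set(contacts), set(groups), pin, day)
        self.accounts[phone] = acct
        return acct

    def register_device(self, phone: str, day: int, pin: Optional[str] = None) -> Account:
        """Called once SMS verification for `phone` succeeds on some device.

        SMS proves only that the caller controls the number *today*: the original
        owner, a subscriber who was issued the recycled number, or a SIM swapper
        all pass this step. The article's change-number feature verifies the new
        number the same way, so it lands here too (assumed).
        """
        existing = self.accounts.get(phone)
        if existing is not None and day - existing.last_active_day > self.expiry_days:
            # Mitigation 1: expire dormant accounts so a recycled number starts fresh.
            del self.accounts[phone]
            existing = None
        if existing is None:
            return self.signup(phone, name="", photo="", day=day)
        if existing.pin is not None and pin != existing.pin:
            # Mitigation 2: the PIN is bound to the account holder, not to the number,
            # so possession of the number alone is no longer enough.
            raise PermissionError("two-step verification PIN required")
        # No PIN: the caller now controls the old identity, i.e. its name, photo,
        # group membership and every message sent to it from now on.
        existing.last_active_day = day
        # Mitigation 3 (Jackson's suggestion): tell the account's contacts.
        for contact in existing.contacts:
            self.notices.append((contact, f"{phone} is now registered on a new device"))
        return existing


def recycled_number_scenario(pin: Optional[str], gap_days: int,
                             supplied_pin: Optional[str] = None
                             ) -> Tuple[Optional[Account], List[Tuple[str, str]]]:
    """Original owner signs up on day 0; the number is handed to someone else
    after `gap_days` and that person registers it. Returns the account the
    newcomer ends up with (None if the PIN check blocked them) and any notices.
    Numbers and names below are constructed, not real.
    """
    reg = Registry()
    reg.signup("+33600000001", "Marie", "marie.jpg",
               contacts={"+33600000002"}, groups={"family"}, pin=pin, day=0)
    try:
        acct = reg.register_device("+33600000001", day=gap_days, pin=supplied_pin)
    except PermissionError:
        acct = None
    return acct, reg.notices


if __name__ == "__main__":
    taken, notices = recycled_number_scenario(pin=None, gap_days=30)
    print("no PIN, 30 days:", taken.name, taken.groups, notices)
    blocked, _ = recycled_number_scenario(pin="123456", gap_days=30)
    print("PIN set, wrong PIN:", blocked)
    fresh, _ = recycled_number_scenario(pin=None, gap_days=200)
    print("no PIN, 200 days (expired):", repr(fresh.name))
```

Running the three scenarios shows the shape of the problem: within the expiry window and without a PIN, the newcomer inherits Marie’s name, photo and group, exactly what Ugo saw; with a PIN set, SMS possession of the number is rejected; and once the account has been dormant past the window, the number starts over as an empty account. The notice to contacts does not stop the takeover, but it gives the old owner’s contacts a chance to notice that something changed.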
How to protect your WhatsApp account
First off, if you aren’t using two-factor authentication, what are you doing with your life? This is an easy way to protect yourself, and you’re a sitting duck if you don’t turn it on. Don’t stop with WhatsApp either; you should use two-factor authentication wherever it’s available.
To set up two-factor authentication: Open WhatsApp and tap Settings > Account > Two-step verification, then choose a six-digit PIN. This is the PIN anyone registering your number on a new phone will have to supply. WhatsApp will also ask for it periodically, so make sure you have a way to remember it.
On the Account page, you can also change your phone number, which you should do as soon as possible if you get a new one. Or, if you’re done with the app for good, you can use the “Delete My Account” process from the same menu.