In mid-November, a threat actor posting on a dark web forum claimed to have stolen the personal information of almost 500 million WhatsApp users.
Now, Check Point Research (CPR) has published a new advisory analyzing the exposed files and confirming the leak includes 360 million phone numbers from 108 countries.
While CPR was unable to confirm the leaked numbers belonged to WhatsApp users, their analysis showed that the phone numbers varied in quantity among countries, ranging from 604 in Bosnia and Herzegovina to 35 million attributed to Italy.
According to the document, the whole list went on sale for four days and is now being distributed for free among dark web users.
“While the information on sale is only active phone numbers and not the content of any messages themselves, this is a very large-scale breach of a popular mobile application used by millions worldwide,” said Deryck Mitchelson, field CISO of EMEA at CPR.
“One immediate consequence of the breach is the potential for those numbers to be used as part of tailored phishing attacks through the app itself.”
At the same time, Karol Paciorek, a security researcher from the computer security incident response team of the Polish financial sector (CSIRT KNF), claimed on Twitter on Tuesday that the leaked database is a re-use of an older 2019 Facebook breach.
“The WhatsApp ‘leak’ is nothing more than phone numbers obtained from the Facebook ‘leak’ that took place in 2019,” Paciorek claimed. “The sample of 5000 WhatsApp data records from Poland is identical to those we already saw in 2019.”
Another security expert, Alon Gal from Hudson Rock, dismissed the claims entirely, saying the WhatsApp breach ‘rumors’ are false.
“[The threat actors] basically scraped all numbers to see if there is a WhatsApp account for them or not. No real risk here,” Gal wrote in a recent LinkedIn post.
As security experts continue to analyze the leaked data, Mitchelson called for WhatsApp users to take steps to increase their security posture.
“We urge all WhatsApp users to be extra vigilant about messages they receive and practice extreme caution when it comes to clicking on any links and messages shared on the app,” the executive concluded.
Additional steps to defend against phishing, vishing and smishing attacks deriving from potentially compromised phone numbers are available in the CPR advisory.
Its publication comes two months after Meta sued three Chinese developers for allegedly tricking users into downloading fake versions of WhatsApp that harvested their login details.
