Nonetheless, the company is taking the alleged leak “very seriously” and is looking into it, the spokesperson said. Cybernews first reported the data leak, saying the seller posted an ad for a WhatsApp database on November 16. The database allegedly contains the phone numbers of 487 million users from 84 countries. This includes the numbers of 32 million WhatsApp users from the U.S., 45 million users from Egypt, 35 million users from Italy, and 20 million users from France, among others. Companies are obligated by law to report data breaches to authorities. However, data protection authorities from the affected countries are yet to announce the receipt of any such report from either WhatsApp or Meta. At the moment, the source of the leaked data and the seller’s identity remain unknown. There are speculations that the actor responsible for the leak obtained the phone numbers by data scraping. This involves using automated tools to siphon data from online platforms.
Meta Spokesperson Says Breach Is ‘Speculative’
According to the Meta spokesperson, the report of the alleged leak is “speculative,” and the screenshots the seller shared to prove their claims are “unsubstantiated.” However, Cybernews analyzed a sample of the leaked data shared by the seller — approximately 2,000 phone numbers — and confirmed that they belong to WhatsApp users. “We have no information about how the supposed list of phone numbers was collected,” the spokesperson said, adding that the numbers could have been collected in different ways. The spokesperson noted that no other user data had been leaked besides some phone numbers, which may be linked to WhatsApp accounts. On Saturday, Jurgita Lapienytė, Cybernews’ chief editor and the author of the original report, confirmed there was no evidence of a breach at WhatsApp. But “that doesn’t mean it’s any less dangerous for the affected users,” Lapienytė wrote on Twitter. The seller is reportedly selling the data of U.S. users for $7,000, while the UK and German databases are going for $2,500 and $2,000, respectively.
Consequences of Leaked Data
Data scraping currently occupies a grey area in U.S. law. Last year, a California judge ruled that scraping personal data from social media does not qualify as a data breach. However, some companies, like WhatsApp, say that scraping violates their terms of service. Other jurisdictions have taken a harsher stance against scraping and scraping tools. For example, last year, Australia’s privacy regulator said Clearview AI violated the country’s privacy laws by scraping people’s images from social media sites without consent. In 2021, Alibaba was the victim of a months-long data scraping operation by one of its marketing consultants. Malicious actors can use leaked phone numbers in criminal schemes like phishing attacks. The IRS has warned of a significant rise in smishing attacks in 2022. One of the best ways to protect yourself against such attacks is to learn about them. Our guide to social engineering contains information about how to spot such attacks and how to protect yourself.