Nearly half a billion WhatsApp users' mobile phone numbers are allegedly for sale on a dark web community forum, according to multiple sources, including Binance's billionaire Changpeng "CZ" Zhao.
"A new set of 487 million WhatsApp phone numbers for sales in the Dark Web," CZ tweeted Sunday. He said a sample of hacked data "indicates the phone numbers are legit."
CZ warned users on the Meta-owned platform that "threat actors downstream will use this data to conduct smishing (phishing messages) campaigns."
A new set of 487 million WhatsApp phone numbers for sales in the Dark Web. A sample indicates the phone numbers are legit. Please stay vigilant as threat actors downstream will use this data to conduct smishing (phishing messages) campaigns. Stay SAFU. 🙏 pic.twitter.com/ZuDVXlzz4F — CZ 🔶 Binance (@cz_binance) November 27, 2022
Cybernews initially confirmed the hack. They said:
On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers.
The dataset allegedly contains WhatsApp user data from 84 countries. The threat actor claims there are over 32 million US user records included.
Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).
The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens' phone numbers.
The threat actor told Cybernews they were selling the US dataset for $7,000, the UK – $2,500, and Germany – $2,000.
Cybernews also posted a screenshot of the seller's post on the forum featuring the total number of phone numbers per country.
Cybernews investigated a sample of the stolen database and concluded that the data is legit.
The report adds that massive data sets "could be obtained by harvesting information at scale, also known as scraping, which violates WhatsApp's Terms of Service." The seller claims all numbers belong to active users.
"In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data.
"We should ask whether an added clause of 'scraping or platform abuse is not permitted in the Terms and Conditions' is enough. Threat actors don't care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint," head of Cybernews research team Mantas Sasnauskas said.
This is not the first time Meta and its platforms have had users' personal data published on the dark web. Last year, someone on a low-level hacking forum published the phone numbers and personal data of 533 million Facebook users from 106 countries for free.
Meta has vowed to crack down on data-scraping after Cambridge Analytica scraped the data of over 80 million users to target them with political ads in the 2016 election.