“Thank you very much friend, [I send] a big hug,” one of the WhatsApp messages from a number I didn’t recognize read in Spanish. “Good. I like hearing good news,” another from a different person read.
Other messages included pictures, YouTube links, and videos of children that people sent to me. Hundreds of messages from dozens of people; all of whom were strangers.
That’s because of an issue with how phone numbers are issued: I had accidentally hijacked someone else’s WhatsApp account when I signed up with a new phone number, and was receiving all of the direct and group messages meant for the number’s original owner. The issue highlights how users can unexpectedly be cut off from online services linked to their phone number, the security problems that come with that, and the importance of enabling two-factor authentication on WhatsApp.
Earlier this month, I bought a pay-as-you-go SIM card because I needed a fresh number for a particular article I was working on. I then downloaded WhatsApp and registered with my new number.
When I logged into WhatsApp for the first time, something was wrong. I was immediately in multiple group chats with other people and numbers I did not know. I checked my ‘status’ in the app, and my profile picture was of a blonde woman. This, I quickly realized, wasn’t really my WhatsApp account, but someone else’s.
Do you work at WhatsApp, or did you use to? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
For more than a week, when I turned the phone back on it vibrated with a stream of new WhatsApp messages. At least some of these people likely did not know the account of their friend or perhaps relative had been accidentally taken over by someone else. I didn’t have access to any historical messages from before I logged into the account, but I did receive messages in real-time after that.
The root of the problem appears to be phone number reuse. When a phone number has not been used for some time, a carrier may re-assign or recycle it. As a result, people can inadvertently end up holding a phone number that already serves as a second factor for someone else’s online accounts, or, as in this case, as their identifier on WhatsApp; this re-assignment is beyond WhatsApp’s own control.
On its website, WhatsApp says “To help eliminate confusion with recycled phone numbers, we monitor account inactivity. If an account is unused for 45 days and then becomes newly activated on a different mobile device, we take this as a sign that a number has been recycled. At this time, we’ll remove the old account data tied to the phone number—like the profile photo and About.” In this case however, the WhatsApp account appeared to be in active use.
A WhatsApp spokesperson told Motherboard in an email, “We take many steps to prevent unauthorized account usage, including expiring accounts after a period of sustained inactivity and providing ways for people to delete or transfer their account to a new phone number. We also strongly encourage the use of two-step verification. In the extremely rare circumstances where mobile operators quickly re-sell phone lines faster than usual, these practices help keep accounts safe.”
To avoid this problem, users can try to make sure their phone number remains active so their carrier doesn’t recycle it. If a user still has the SIM card, they should insert it into a phone and top it up with credit or make some calls. For WhatsApp, users should turn on two-factor authentication (which WhatsApp calls two-step verification), which means new registrations with your number will also require a PIN you choose yourself. Users can also enter their email address in case they forget their PIN. This feature won’t stop someone getting hold of a phone number if it is recycled, but it can at least stop them getting into the WhatsApp account.
I don’t know if the original owner ever managed to get back into their WhatsApp. Seemingly, when they tried to log into the account, I received the text message with their registration code.
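As an added illustration, and not WhatsApp’s own code, here is a small model of the registration decisions described above: the 45-day inactivity rule from WhatsApp’s website, the SMS-code-only path that lets a recycled number inherit an active account, and the two-step verification PIN that blocks it. The `Account` class, `register` function, phone numbers and owner labels are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

INACTIVITY_LIMIT = timedelta(days=45)  # inactivity threshold WhatsApp states on its site

@dataclass
class Account:
    number: str
    owner: str                 # constructed label for whoever uses the account
    last_active: datetime
    pin: Optional[str] = None  # two-step verification PIN, if the owner enabled it

def register(accounts: Dict[str, Account], number: str, new_owner: str,
             now: datetime, holds_sim: bool, pin_entered: Optional[str] = None) -> str:
    """Hypothetical model of registering `number` on a new device; `holds_sim`
    stands in for 'received and entered the SMS code', which reaches the SIM holder."""
    if not holds_sim:
        return "rejected: SMS code not received"
    acct = accounts.get(number)
    if acct is None:
        accounts[number] = Account(number, new_owner, now)
        return "new account created"
    if now - acct.last_active >= INACTIVITY_LIMIT:
        # Recycled-number heuristic: old profile data is dropped, fresh account.
        accounts[number] = Account(number, new_owner, now)
        return "old account data removed; new account created"
    if acct.pin is not None and pin_entered != acct.pin:
        return "rejected: two-step verification PIN required"  # SIM alone is not enough
    # Active account and no PIN (or the right PIN): the account follows the number.
    acct.owner = new_owner
    acct.last_active = now
    return "existing account moved to new device"

def scenarios() -> Dict[str, str]:
    """Three constructed cases; returns the outcome of each registration."""
    now = datetime(2019, 1, 15)
    active_no_pin = {"+100": Account("+100", "original owner", now - timedelta(days=2))}
    active_pin = {"+200": Account("+200", "original owner", now - timedelta(days=2), pin="482913")}
    dormant = {"+300": Account("+300", "original owner", now - timedelta(days=60))}
    return {
        "active, no PIN": register(active_no_pin, "+100", "new SIM holder", now, True),
        "active, PIN set": register(active_pin, "+200", "new SIM holder", now, True),
        "dormant 60 days": register(dormant, "+300", "new SIM holder", now, True),
    }
```

The first case is the situation the article describes: an active account with no PIN follows the recycled number to the new SIM holder, while the PIN-protected account stays with its owner.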
“Do not share this code with anyone,” the text message from WhatsApp read in Spanish.