PSA: WhatsApp messages and contacts stored with mobile number

WhatsApp is a very popular messaging service, but for all its popularity it's probably one of the least secure apps on our smartphones. WhatsApp has been plagued for a very long time with privacy and security concerns, and now you can add one more to that list.

The app works by tying all your info on the phone, such as messages and contacts, to your mobile phone number. As such, if you move your SIM from one device to another you still have access to your info. But this doesn't work quite as well as most folks would like. Or rather, it works too well. Such is the case, as described by one of our forum users, below:

If you change your number and someone else takes it after a few months, all your contacts/messages are accessible by the next person who installs WhatsApp on the same phone number unless the account was deleted manually. I got a new phone number and can access the previous owner's contacts/messages (using my smartphone!) This is ridiculous!

Ridiculous is indeed the proper term. It's quite mind-boggling that a service which apparently has more users than Twitter, whatever that means, is so lax on security that every few weeks a new major issue pops up. Of course, the issue above isn't really new. It has been reported before and some of you may have even encountered it in real life. But maybe, just maybe, the company will finally start taking users' concerns seriously.

So remember folks, the next time you change your phone number you should probably delete all sensitive info manually instead of trusting companies.

Thanks to our users for pointing this out! | Image via Wikimedia


23 Comments


I'm not a WhatsApp user, but if the platform is this open what prevents people from spoofing the phone number on the phone and accessing the information of existing users? Other than needing to know the user's phone number beforehand...

LogicalApex said,
I'm not a WhatsApp user, but if the platform is this open what prevents people from spoofing the phone number on the phone and accessing the information of existing users? Other than needing to know the user's phone number beforehand...

I think you'd need to be able to receive an SMS on the spoofed number to activate WhatsApp on your device for that account. It might be feasible but not trivial.

It'd be far easier to just sniff people's connections when they are on WiFi.

ichi said,

I think you'd need to be able to receive an SMS on the spoofed number to activate WhatsApp on your device for that account. It might be feasible but not trivial.

It'd be far easier to just sniff people's connections when they are on WiFi.

I don't know about other platforms (would be weird if it didn't) but WhatsApp encrypts messages on Windows Phone.

Ok, I'm a little curious about how this works. Maybe someone can explain...

If I keep my old number, but use other ones in between (cos I usually buy a new sim card when I travel), could I be at any risk? Does my account get tied to any of those numbers? I always thought it was just the one you had when you made the account, that's why people can still message you even if they don't have your new number, but I guess this's made me a little paranoid

Yeah, are we sure this means OLD messages? Are they even stored server-side? I would think they would only get new messages, which makes sense. If I send a text to a number, the current owner gets the message, whether or not the owner has changed.

I'm sure you cannot access the contacts of the old owner of an account as WhatsApp pulls this from your local address book.
All your contacts from your local address book are then sent to WhatsApp servers to match with any existing WhatsApp users.

We had to block WhatsApp on our company BlackBerrys for privacy reasons. Only WhatsApp themselves have access to this information though.

If somebody takes over an old number that is tied to a WhatsApp account, they will receive any PENDING messages but the only contacts shown will be local.

Well how do you expect them to fix it? WhatsApp is based on phone numbers, they can't detect who is using the number...

Change it so that it does not rely purely on phone numbers. iMessage does it, so why can't they? They probably don't want to, for one reason or another, but that's a different kettle of fish...

You're supposed to delete your account when changing numbers but I can see how a lot of people won't do it. The option to delete it, in the WP version, is hidden away in the settings. As for being able to read people's messages, I thought they were stored locally. There's an option to backup messages and it lets you restore it when you reinstall the app.

Anyway, the solution to this would be to educate users about the deleting option.

I see your point but also WhatsApp is at fault here. Any users can change numbers for whatever reason. WhatsApp should make it clear you delete your account before changing numbers.

Better yet, they should have the option, given its popularity, to tie your number to an account (email/pass) and store your info with it. If anyone needs to change their phone, just log in with your email/pass, confirm the new number (and/or delete the old number tie to your data) and your old info would be restored from the cloud.

Milan - said,
who changes phone number these days?

I did not long ago, moved from one country to another. Closed the number in the country I left and I have a new one now. I believe a lot of people move between countries these days for work or other reasons.
Sometimes people have phones from work and when leaving the job they need to return it, that's another reason to change a number.

I'm sure there are others.

The question is - why do service providers recycle mobile phone numbers?
It is not just a problem with WhatsApp but with everything that links people to a number, i.e. vcards, homepages etc.

But WhatsApp sucks anyways... how does Viber do it?

I couldn't register my girlfriend's new T-Mobile number on their homepage because the number was already used for a login. Apparently someone had the number before.

yeah this, you can port your number over to new networks
also
why discard an old number because you're "moving country" ???
just take the sim out and either store it or eat it
simples, no number recycling can occur then either

just take the sim out and either store it or eat it
simples, no number recycling can occur then either

Um your cell phone provider will cancel your service when you stop paying your bill...so your number will be recycled.

-adrian- said,
The question is - why do service providers recycle mobile phone numbers?
It is not just a problem with WhatsApp but with everything that links people to a number, i.e. vcards, homepages etc.

But WhatsApp sucks anyways... how does Viber do it?

I couldn't register my girlfriend's new T-Mobile number on their homepage because the number was already used for a login. Apparently someone had the number before.

Phone numbers are recycled for the same reason anything is recycled... They are a finite resource and recycling is the best way to maximize finite resources...

I agree with the concern. My friend whose sim is provided by her company was used by an ex-colleague and she got random messages from unknown persons.
When someone closes their account they should have an option of intimating friends in their contact list so that they delete the contact.