WhatsApp data leak: How to stay safe
Written by Alexander Pan
Updated over a week ago

WhatsApp is one of the most popular messaging apps out there, with over 2 billion users worldwide. But following reports that WhatsApp suffered a horrendous data leak in November 2022, it's important to refresh everyone's memory on what to do in situations like this and how to stay safe.

As such, we're going to take a look at exactly what happened, what's been leaked, and how to protect yourself from potential scams and cybercriminals that may pop up as a consequence of this WhatsApp data leak.

Just remember that if you need support or someone to talk to, our Sonder support team is available 24/7 to chat whenever you need it.

So what's the deal with this WhatsApp data leak?

It's been reported that a cybercriminal managed to gain access to a 2022 database of nearly 500 million up-to-date WhatsApp mobile numbers and is selling this data online. The database allegedly contains data from 84 countries, with about 7.3 million of the numbers belonging to users in Australia.

Should cybercriminals get their hands on this user data, they can use it for 'smishing' and 'vishing' attacks, both of which aim to scam unsuspecting users out of their personal and financial information. We'll take a look at both of these attacks in the next section.

That's...really bad

Yep, it's really bad.

How do I stay safe from this data leak?

Let's take a look at what smishing and vishing attacks are, and how to protect yourself from them.

If you want more information about staying safe and secure when using WhatsApp, head over here and here.

Smishing (SMS Phishing)

This is a cybersecurity attack that's carried out over mobile text messaging. Also known as 'SMS phishing', it's a variant of the common phishing scam and operates in a similar manner by tricking victims into giving sensitive information to a scammer. There are two methods by which cybercriminals can trick victims into giving away their information with a smishing attack:

  1. Malware: The phishing SMS contains a link that, when clicked, downloads malware (disguised as a legit app) onto the user's device. The malware then tricks the user into typing in personal information.

  2. Malicious websites: The phishing SMS contains a URL that directs users to a fake website aimed at tricking people into giving their personal information away. These fake websites are usually well-made duplicates of legitimate websites, which makes it easier to trick unsuspecting victims.

If you are sent a smishing text, make sure you:

  • Do not respond - Even prompts to reply like texting “STOP” to unsubscribe can be a trick to identify active phone numbers.

  • Slow down if a message is urgent - Treat urgent account updates and limited-time offers as warning signs of possible smishing.

  • Call your bank directly - Legitimate institutions don’t request account updates or login info via text.

  • Avoid using any links or contact info in the message - Especially if they make you feel uncomfortable.

  • Check the phone number - Odd numbers, like 4-digit ones, can be evidence of email-to-text services.

  • Never keep credit card numbers on your phone

  • Use multi-factor authentication - An exposed password may still be useless to a smishing attacker if the account being breached requires a second “key” for verification (e.g. two-factor authentication).

  • Never provide a password or account recovery code via text - Only enter these on official sites.

  • Report all smishing attempts to Scamwatch.


Vishing, a combination of "voice" and "phishing", is a phishing scam that's carried out over voice calls. This scam involves a scammer calling up the victim and using social engineering to get them to share personal information and financial details.

These cybercriminals are usually frantic and speak with a sense of urgency to try and strongarm unsuspecting victims. Some of the things that vishing scammers may do include:

  • Claiming to represent some government agency (like Medicare or the Tax Office).

  • Claiming to represent your bank and telling you that your account has been compromised.

  • Offering to help install some kind of software to protect you.

  • Asking for your personal information.

If you get a phone call from an unknown number that you suspect is a vishing scam, make sure you:

  • Don’t pick up the phone, especially if you don’t recognise the number.

  • Hang up and block the number.

  • Don’t press buttons or respond to prompts.

If you have any questions or need extra support, we're here to help you anytime in any language. Simply start a chat with us via the home screen of the Sonder app.

Information sourced from: CyberNews, Imperva, Kaspersky, Norton, and Tom's Guide

Image credit: Marina Stroganova at Flickr

All content in Sonder's Help Centre is created and published for informational purposes only. It is not intended to be a substitute for professional advice.
