So it looks like someone is selling 500M leaked WhatsApp user records from all around the world. That means 500 million. Yes, that is a quarter of all WhatsApp users, estimated at 2 billion. Two billion divided by four makes 500 million. Yes, that is 25% of WhatsApp users.
Sorry if I repeat myself, but the amount of leaked phone numbers makes my head spin.
And yeah, I guess my number’s probably in there too. Paint me angry.
500M Phone Numbers
I found this first on Cybernews, but multiple sources were quick to report that the 500M leaked WhatsApp records were on sale, such as IT Security News or even the RTBF (the Belgian Radio-television of the French Community).
So what happened? At the time of writing this, no one exactly knows. The sellers remain secretive about their method (according to Cybernews). All clues point to scraping, an automated method of harvesting and collecting user data from websites, databases or any other available source.
Every System Will Be Hacked
But the real question is this: once inside the system, what data can an intruder steal? In my opinion, at some point an intruder will probably manage to read all the data available to the system itself, to system administrators, etc.
So how could a system protect itself against that?
Do Not Store Sensitive Data
Yep, the best way to prevent a leak of sensitive data (my data, your data!) is to avoid storing the data in the first place.
And when you must store data, make sure the user encrypts it first, with a key the system (or system administrators) cannot use.
It looks easy enough. However, since WhatsApp must access that sensitive info to turn it into advertising data, they cannot fully encrypt it.
How Seeld Does It
I don’t pretend to be any better than WhatsApp or Facebook engineers. I might not like these companies’ strategies, but hey, they know coding and security better than anyone. But their business model, making the application free but harvesting data in exchange, puts our privacy at risk.
Therefore, on Seeld, we ask for as little information as necessary: your pseudonym and your display name (the name to display when requesting to connect with others). And that display name is encrypted using your Private Key, so we cannot even know what it is, unless you send us a connection request.
And where’s your Private Key stored? On our servers… BUT protected by your passphrase (password). And the Seeld App or Web App never sends that passphrase over to the servers (how? See our FAQ).
If an intruder manages to break into our servers, he will only collect a list of pseudonyms and PGP-encrypted messages.
You can’t leak what you don’t store, can you?