Facebook’s WhatsApp messaging service is incredibly easy to set up, but this easy setup process means that your account is open to abuse if you’re not careful. Thankfully, it’s fairly simple to enable an extra layer of security on your account, which means that you won’t lose it if your six-digit activation code gets compromised.
These security options unfortunately won’t stop you from a serious hack such as the one that hit Amazon CEO Jeff Bezos. What it will do is offer another layer of protection if someone manages to trick you into sharing your security code, which is a process known as “social hacking.”
If you need any convincing about why it’s a good idea to use this extra security, then allow me to share a friend’s recent experience about what can go wrong when you don’t.
Bleary-eyed one Sunday morning, she received a WhatsApp message from a close friend that asked if she could forward over a six-digit code that she was just about to receive via SMS. Without thinking, and because she trusted her friend, she sent over the code and suddenly found herself logged out of her WhatsApp account.
You probably realized what happened. That wasn’t just any six-digit code; it was the six-digit code that WhatsApp sends to your mobile number via SMS to associate with your WhatsApp account. In sharing that number, my friend had inadvertently allowed the attacker to log in to her account.
Since her attacker now had control of her account, they were then able to send messages from it to any contacts she was in the same group chat with. That’s how the attacker was able to ask for my friend’s six-digit verification code via another friend’s number; they’d gained control of that account as well and used it to message every contact they could, trying to rope them into the scam.
In theory, having your WhatsApp account taken over should be a fairly easy situation to resolve: just enter your phone number into the app and have it send you another six-digit code. The problem is that hackers can spam your number with a bunch of incorrect six-digit codes so that you get locked out of your account for up to 12 hours. Then, if you hadn’t set up a PIN of your own, this leaves an attacker free to set up one of their own on your account, locking you out for seven days in total.
That’s why it’s so important to remember these two rules:
Somewhat confusingly, the PIN is also six digits long. In order to set it up:
One more thing: it would be remiss of us if we didn’t mention that, in the past, Facebook (WhatsApp’s parent company) has gotten in trouble for using phone numbers provided for two-factor authentication for ad-targeting. The Federal Trade Commission told the company to stop the practice last year. When we asked WhatsApp, it categorically denied that it does this with its backup email addresses, and we think the benefits of providing an email address outweigh the risks.
Vox Media has affiliate partnerships. These do not influence editorial content, though Vox Media may earn commissions for products purchased via affiliate links. For more information, see our ethics policy.