On a Sunday afternoon, Mumbai-based advocate Chirag M. Shah was jolted out of his weekend routine when he learned that his wife’s WhatsApp account had been hacked. What initially seemed like a minor technical issue quickly spiraled into a stark reminder of how even the most vigilant individuals can fall prey to cyber scams.
The compromised number, registered under Shah’s name but used by his wife, Monica, had been targeted in a meticulously planned scheme. It all began with an unassuming yet deceptive message from a trusted colleague.
Monica had received a WhatsApp message from her colleague, urgently asking her to forward a verification code she might have received via SMS. The colleague said that she had erroneously sent it to Monica. Ironically, the notification, much like a standard WhatsApp verification code message, carried the warning: “Do not share it with anybody.”
Trusting her colleague and believing the request to be genuine, she complied without hesitation. Little did she know that the colleague’s number had already been hacked, and this was the scammer’s way of now gaining access to her WhatsApp account.
By using the verification code, the hackers swiftly installed WhatsApp on a new device under Shah’s number, logging out the original account. Once in control, they began messaging Monica’s contacts, posing as her and asking for money.
“Fortunately, a few skeptical friends reached out directly to confirm the requests. This gave us the chance to clarify that Monica’s account had been hijacked,” Shah told Decode.
Shah revealed that spamming the account with repeated verification requests in an attempt to flag it as suspicious—a strategy suggested by well-meaning friends—proved ineffective against the hackers. This approach, while seemingly logical, did not hinder the perpetrators from maintaining control of the account.
To migrate a WhatsApp account to a new device, users must first input the phone number linked to the account. Ownership is then verified by entering a six-digit code sent via SMS or an automated call. Once the code is successfully entered, WhatsApp automatically logs the account out of any previously linked devices and sets it up on the new one.
This seamless migration process, however, becomes a vulnerability when two-factor authentication (2FA) is not enabled. Without 2FA, hackers can bypass additional security layers, gaining unrestricted access to the account, including chat backups, contacts, and linked settings.
Shah and his wife repeatedly attempted to log back into the account from their end, only to find that the verification codes were being sent to an email address. “We never received any of those codes because we had never linked an email address to WhatsApp,” Shah explained.
Upon investigating further, they discovered that the hackers had exploited this oversight. Once the account was compromised, the hackers linked their own email address making it the primary mode for receiving the code. This effectively locked out the rightful user and made it nearly impossible to recover the account without external intervention.
After exhausting all available options, including sending email requests to WhatsApp’s support team, Shah ultimately sought help from the Deputy Commissioner of Police, Cybercrime, Mumbai Police to expedite the process.
“I sent the email to the support id around 2 PM but only received an acknowledgment 3–4 hours later. Using a few contacts, I finally reached out to the police, hoping the matter would be taken more seriously with law enforcement backing it,” he told Decode.
The police filed an urgent request with Meta, WhatsApp’s parent company, to prioritise the account restoration. After multiple emails and the intervention of law enforcement, the account was finally restored by night. However, the ordeal highlighted significant vulnerabilities in the platform's response process.
What to do when your WhatsApp account is hacked?
Referring to Shah’s case of WhatsApp hacking, cybersecurity expert Ashish Jha acknowledged that the hacker's act of changing the associated email ID made the recovery process more challenging. “Even in such cases, the best approach is to contact WhatsApp with evidence. Only the WhatsApp support team can assist effectively in these scenarios,” he explained.
Jha recommended victims email WhatsApp's official support address and use the platform's support page to report a hacked account. To do this, victims should:
- Visit the official WhatsApp Support page and select the ‘Contact Us’ option under the ‘WhatsApp Messenger Support’ section.
- Provide their phone number in international format (e.g., +91 for India), an active email address, and select the platform used (e.g., web, iPhone, or Android).
- Clearly explain the issue in the text box, specifying that the account has been compromised and requesting immediate assistance.
- Submit the form. WhatsApp will respond via email with guidance to recover or secure the account against unauthorized access.
Jha emphasised the importance of acting swiftly and remaining calm. “Don’t panic; presence of mind is crucial. Attempt to log back in immediately and notify your contacts to prevent further misuse of your account.”
He cautioned against excessive spamming with verification code requests, as it could lead to a temporary lockout and complicate the support process. He advised enabling two-factor authentication (2FA) and linking an email ID to the WhatsApp account for added security. “Be aware of where your accounts are logged in and on how many devices,” he added.
To enable 2FA, go to Settings > Account > Two-Step Verification > Enable. Set a 6-digit PIN and optionally add an email address for recovery.
The Case for Stronger Digital Defenses
Reflecting on the incident, Shah emphasised how critical two-factor authentication is for protecting WhatsApp accounts. In the same chain of the hacking attempt, another colleague of Shah’s wife was targeted, but the hacker was unable to bypass 2FA. “It’s a simple step that could save people from immense trouble,” Shah said.
Shah believes platforms like WhatsApp need to do more to protect users from such attacks. He suggested making 2FA mandatory, delaying access to chat backups on newly linked devices for at least 24 hours, or imposing temporary restrictions on account functionality, similar to how banks limit transactions for new payees.
“These are just damage-control measures, but they could make a significant difference,” Shah said. “Hackers are always one step ahead, but it’s the responsibility of platforms and authorities to make their job as difficult as possible—not the lives of unsuspecting users.”
Shah’s ordeal serves as a sobering reminder: trust no message blindly, no matter the source. Verification codes, no matter how urgent the request seems, should never be shared. “As an advocate, I am trained to be suspicious by nature, yet even I couldn’t foresee this possibility,” Shah admitted.
“This could happen to anyone, which is why we all need to stay vigilant and take proactive steps to secure our digital lives,” he said.