Level 22
An issue in instant messaging application WhatsApp may provide others with full access to your conversations when replacing phone numbers.

Amazon employee Abby Fuller has reported a potential bug that gained a lot of exposure online lately: when setting up WhatsApp on a new device using a new phone number, the full message archive of the previous owner was restored on the phone.

“Yes it was a new device. No it wasn't second hand. It was not a second hand SIM. Yes I'm sure they weren't my messages, or groups that I was added to. Yes they were in plaintext. I am sure it's my phone number. It was not restored from a backup,” she explained in a follow-up tweet.

Other users who joined the conversation confirmed this happened on their devices as well, also when setting up WhatsApp with a new phone number.

According to WhatsApp’s own support documents, the message history associated with a specific phone number is completely removed after 45 days of inactivity.

“Remember to delete your old account. However, if you didn’t delete your account and no longer have access to your old phone, don’t worry. If the new owner of your old number activates WhatsApp on a new phone after 45 days, all of your account information tied to that phone number will be completely deleted,” WhatsApp says.

Just a bug?
But as Abby Fuller explains on Twitter, this isn’t the case here, as she owned the phone number for more than 45 days, so the message history wasn’t supposed to be there anymore.

“This number has been mine > 45 days (multiple month). Seems like the messages should have been wiped with the account but weren't (or were resent). Either way, account should have been wiped and was not,” she said.

While WhatsApp hasn’t offered an official statement on this, others explain this all happens because the phone number is the unique identifier of the user ID. However, there are questions that need to be answered regarding the storing of user messages, especially when these are restored on new devices.

As PiunikaWeb notes, all evidence seems to indicate this is a bug, so it remains to be seen how and if WhatsApp is planning to resolve it.