A security expert issued a warning to all WhatsApp users this week, revealing a vulnerability that lets anyone deactivate a user's account with a single email. The worst part: that email can come from anyone.
If a smartphone is lost or stolen, WhatsApp lets users deactivate their accounts to protect their data. But literally anyone who knows the phone number attached to your brand's account can make this request and remotely deactivate the account.
📧 One Email Away
According to the WhatsApp support page, the process involves sending an email to a specified address with the phrase “Lost/Stolen: Please deactivate my account” and the associated phone number, resulting in the account being instantly deactivated.
When an account is deactivated, it isn't immediately deleted, and your contacts can still view your profile and send you messages. The messages, however, remain pending for up to 30 days after deactivation, giving users time to reactivate their accounts before deletion.
Luckily, the fix is simple — your account gets reactivated when you log back in.
But that's not comforting news for brand managers who connect to WhatsApp through Meta's APIs: a third-party tool does the work there instead of the mobile app, so no login takes place to reactivate the account.
🚨 Exploiting the Vulnerability
The security researcher also found that they could probably get an account permanently closed by simply sending deactivation emails every day for 30 days.
WhatsApp has changed this feature in response to the issue. Now, users will receive a confirmation receipt for the deactivation request, followed by a further verification step to prove account ownership, which requires documentation like a copy of the phone bill or contract.
But either way, it's always a good idea to log into your brands' accounts regularly and double-check your security settings.