Here is an uncomfortable fact about WhatsApp security: the app's encryption is excellent, yet accounts are hijacked every day. That is because attackers do not break the encryption. They walk in through the front door, by tricking you into handing over the six-digit verification code that registers your number on a new phone. One setting, two-step verification, slams that door shut, and most people have never turned it on.
This guide covers the full landscape: how the verification-code hijack works, the linked devices feature and how it gets abused, WhatsApp Web risks, SIM swapping, backup encryption, and exactly what to do if your account has already been taken. All of it is about protecting and recovering your own account. Nobody can lawfully or technically sell you access to someone else's WhatsApp, and the ads claiming otherwise are scams, full stop.
How do WhatsApp accounts get hacked?
Your WhatsApp identity is your phone number. Whoever can register your number on their device, by receiving or obtaining the verification code, owns your account. That design creates a short list of real attack routes:
- Verification-code hijack. The attacker enters your number on their phone, WhatsApp texts you the code, and the attacker tricks you into sharing it. This is the number one method worldwide.
- Linked-device abuse. Someone with brief physical access to your unlocked phone scans a WhatsApp Web QR code, silently adding their browser as a linked device that mirrors all your chats.
- SIM swapping. The attacker convinces your mobile carrier to move your number to their SIM card, then receives your verification code directly.
- Voicemail interception. If you miss the verification call, the code lands in your voicemail. Attackers who know default voicemail PINs can fetch it.
- Unencrypted backups. Your chat history sitting in Google Drive or iCloud is only as safe as that cloud account, unless you turn on end-to-end encrypted backups.
What is the WhatsApp verification code scam?
It usually arrives as a message from a friend whose account was already taken: "Hey, I accidentally sent my code to your number, can you forward it to me?" Or it poses as WhatsApp support, a delivery company, or a contest, anything that gives a plausible reason for a six-digit code arriving by SMS. The moment you share that code, the attacker completes registration of your number on their device, and you are logged out of your own account.
From there it gets worse fast. The attacker messages your contacts asking for emergency money transfers, harvests codes from your friends to take their accounts too, and if you never set a two-step PIN, they set one themselves, locking you out for up to a week.
The rule that defeats this scam completely: a WhatsApp verification code is for your eyes only, always. There is no legitimate scenario in which anyone, including WhatsApp itself, asks you to read a code back or forward it. Treat every such request as an attack, even when it comes from your best friend's account, especially when it comes from your best friend's account.
What is two-step verification and why is it the setting that matters?
Two-step verification adds a PIN of your choosing on top of the SMS code. With it enabled, registering your number on a new device requires both the six-digit code and your PIN. Even an attacker who steals the code through trickery, SIM swap, or voicemail hits a wall.
Turn it on now: open WhatsApp, go to Settings, then Account, then Two-step verification, and tap Enable. Choose a PIN that is not your birth year or 123456, and add your email address as a reset path in case you forget the PIN. WhatsApp will periodically ask you for the PIN so you do not forget it.
One more critical warning: if you ever receive an email about resetting your two-step PIN that you did not request, ignore it. That is an attacker mid-takeover trying to clear the PIN hurdle. Never tap reset links you did not initiate.
Can someone read my WhatsApp through linked devices?
Yes, and it is the most common form of close-range snooping. WhatsApp's linked devices feature lets you use your account from a browser or desktop app by scanning a QR code. It takes about ten seconds. A partner, colleague, or anyone else with momentary access to your unlocked phone can link their own browser, and from then on every chat you send and receive mirrors to them, silently and indefinitely.
Check right now: open WhatsApp, tap Settings, then Linked Devices. Every active session is listed with the device type and last activity. If anything is there you do not recognize, tap it and log it out. Make this check a monthly habit, and immediately after any period when someone else could have handled your phone.
Reduce the risk going forward by using a strong phone passcode, enabling app-level lock for WhatsApp with your fingerprint or face, and never leaving your phone unlocked around people you do not fully trust. If you suspect someone has been monitoring your phone more deeply than a linked session, our guide on how to tell if your iPhone is being tracked walks through the warning signs.
Is WhatsApp Web safe to use?
WhatsApp Web itself is safe, but it concentrates risk in two places. First, any computer where you stay logged in becomes a window into your chats for anyone who uses that computer, so always log out on shared or public machines. Second, fake WhatsApp Web sites exist: phishing pages at lookalike addresses that display a real QR code relayed from the attacker's session, so that scanning it links your account to them. Only ever type web.whatsapp.com yourself, and treat any QR code that arrives by link or email as hostile.
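The lookalike-address check described above, as an added example that is not part of the original guide: it parses a link the way a browser does and accepts only the exact host web.whatsapp.com over HTTPS. The function names, reason labels and sample links are constructed for illustration.

```javascript
// Added example (not from the article). Only EXPECTED_HOST comes from the page.
const EXPECTED_HOST = "web.whatsapp.com";

function classifyWhatsAppWebLink(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: same host extraction a browser performs
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // "https://web.whatsapp.com@host.example/" puts the real host after the "@".
  if (url.username || url.password) return { ok: false, reason: "userinfo-trick" };

  const host = url.hostname; // lowercased; non-ASCII labels arrive as xn--...
  if (host === EXPECTED_HOST) return { ok: true, reason: "exact-host" };
  // The genuine name used as leading labels of somebody else's domain.
  if (host.startsWith(EXPECTED_HOST + ".")) return { ok: false, reason: "prefix-trick" };
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "idn-lookalike" };
  }
  if (host.includes("whatsapp")) return { ok: false, reason: "brand-in-other-host" };
  return { ok: false, reason: "other-host" };
}

// Constructed sample links; the .example hosts are placeholders.
const SAMPLE_LINKS = [
  "https://web.whatsapp.com/",
  "https://WEB.WhatsApp.com/",
  "http://web.whatsapp.com/",
  "https://web.whatsapp.com@login.example/",
  "https://web.whatsapp.com.login.example/",
  "https://web-whatsapp.example/qr",
  "https://web.whats\u0430pp.com/", // Cyrillic "а" in place of Latin "a"
];

function triage(links) {
  return links.map((link) => ({ link, ...classifyWhatsAppWebLink(link) }));
}

for (const row of triage(SAMPLE_LINKS)) {
  console.log(row.ok ? "OK    " : "REJECT", row.reason.padEnd(20), row.link);
}
```

Only the first two sample links pass; every other one resolves to a host that is not web.whatsapp.com even though the genuine name appears somewhere in the text of the link.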
How does SIM swapping lead to a WhatsApp takeover?
In a SIM swap, an attacker calls your mobile carrier pretending to be you, claims a lost phone, and asks for your number to be activated on a new SIM. With your number in hand, they receive your WhatsApp verification code directly, no trickery needed. You usually notice when your own phone suddenly loses signal for no reason.
Defenses: ask your carrier to add a port-out PIN or security passphrase to your account, and treat unexpected loss of mobile service as an emergency, contacting your carrier immediately. And again, the two-step PIN saves you here: even with your number, the attacker cannot finish registration without it.
Are my WhatsApp backups encrypted?
By default, no, not end to end. Your nightly backup to Google Drive or iCloud is protected only by that cloud account's security. Anyone who compromises your Google or Apple account can restore your entire chat history to their device. WhatsApp offers end-to-end encrypted backups, which seal the backup with a password or 64-digit key that only you hold. Enable it under Settings, then Chats, then Chat backup, then End-to-end encrypted backup. Store the password safely, because nobody can recover the backup without it, including WhatsApp.
While you are at it, secure the cloud account itself with a unique password and app-based two-factor authentication. If Gmail is your backup home, our walkthrough on securing and recovering your Gmail account covers it step by step.
My WhatsApp was hijacked. How do I get it back?
- Re-register immediately. Install WhatsApp on your phone, enter your number, and complete SMS verification. Registering your number on your device automatically kicks the attacker off theirs. This is the core of WhatsApp recovery, and it works even while the attacker is active.
- If asked for a two-step PIN you never set, the attacker enabled one. WhatsApp lets you reset it via the email route or, without email, after a 7-day wait. Start the process immediately, and email support@whatsapp.com from the address tied to your account describing the hijack, which can help.
- Warn your contacts fast through SMS, another app, or mutual friends. The attacker's first move is asking your contacts for money or verification codes.
- Once back in, enable two-step verification before anything else, then check Linked Devices and log out everything you do not recognize.
- Assess the damage. If the attacker impersonated you to extract money, or threatened people with content from your chats, preserve screenshots and report it. If the situation has turned into extortion, our guide on reporting online blackmail explains exactly what to document and where to report.
If your case is tangled, for example a SIM swap plus a stolen account plus an attacker actively scamming your contacts, getting the sequence right matters, and that is what our account recovery service does. We help victims reclaim their own accounts lawfully, secure every connected service, and document the incident for police and platform reports.
Frequently asked questions
Can someone hack my WhatsApp with just my phone number?
Not silently. Knowing your number lets an attacker start a registration attempt, but completing it requires the verification code from your SMS, your voicemail, or a SIM swap, plus your two-step PIN if you set one. With the PIN enabled and codes kept private, a number alone gets an attacker nowhere.
Can WhatsApp be hacked without my phone?
The realistic remote routes are tricking you into revealing the verification code, SIM swapping, or compromising your cloud backup. None of them break WhatsApp's encryption, and all are blocked by the two-step PIN, carrier security, and encrypted backups respectively.
How do I know if someone else is reading my WhatsApp messages?
Check Settings, then Linked Devices, for sessions you do not recognize, and watch for signs like messages marked read that you never opened, or chats appearing or vanishing. If your account was registered elsewhere entirely, your own phone will tell you that your number is in use on another device.
What is the difference between the verification code and the two-step PIN?
The verification code is the six-digit SMS that proves control of the phone number during registration. The two-step PIN is a code you invented that WhatsApp additionally demands on registration. The code can be stolen from you in transit. The PIN lives only in your head, which is why it is the stronger lock.
Someone is asking me to forward a code that came to my phone. What do I do?
Do not forward it, even if the request comes from a close friend or family member. Their account has almost certainly been taken over, and the code is the key to yours. Contact them through a different channel and tell them their WhatsApp is compromised.
Can a hired hacker recover or monitor a WhatsApp account for me?
No legitimate service can access someone else's WhatsApp, and offers to do so are scams or crimes. For your own account, recovery runs through re-registration and WhatsApp support, and a lawful recovery service can guide and accelerate that process after verifying the account is yours.