More than 1.8 million New Zealand users of WhatsApp might have had their phone numbers exposed in a significant data scrape.
In a post on a hacking forum this month, a user said they were selling up to an estimated 1 billion records of users of the app, which had been gathered in November.
The user, who 1News has decided not to name, said they had scraped the phone numbers of 1,824,589 WhatsApp accounts.
The claim was investigated by Cybernews, which is reporting it is likely to be true.
In a sample of 1914 phone numbers provided to them, all were linked to WhatsApp users.
According to the publication, the threat actor is selling the US dataset for US$7000 USD (NZ$11,000), the UK dataset for US$2500 (NZ$4000), and the Germany dataset for US$2000 (NZ$3200).
WhatsApp's reportedly said in a statement to the Times of India that the report is based on "unsubstantiated screenshots" and that there is "no evidence of a 'data leak'".
"The claim written on Cybernews is based on unsubstantiated screenshots. There is no evidence of a 'data leak’'from WhatsApp," the spokesperson said.
However, Cybernews is saying there is no evidence of a hack, saying the data has likely been 'scraped' from the app.
This could still be dangerous for users, as phone numbers could be used for scams or phishing attempts.
No 'serious or imminent security threat' - CERT
CERT New Zealand told 1News in a statement they "are aware of this incident".
"We have assessed the information that is being offered and do not believe it is a serious or imminent security threat to New Zealanders," CERT NZ's manager of incident response Jordan Heersping said.
"The information appears to be only mobile numbers, however, this can mean an increase in spam and phishing messages over WhatsApp and SMS, especially as we are heading into the busy Christmas season."
He advised people potentially affected to turn on two-factor authentication on their WhatsApp account and other apps.
"We recommend all WhatsApp users in New Zealand to be vigilant for spam messages and links being sent to them from unknown sources. This includes shopping offers or messages about deliveries," he said.
Anyone who receives a suspicious SMS message has been asked to forward it free of charge to 7726. Suspicious links can also be reported to CERT NZ to have them removed.
'A wake-up call' - Privacy Commissioner
In a statement, the Privacy Commissioner called the potential breach "a wake-up call for organisations to ensure they earn people's trust or risk losing their business".
It comes after a report from the office, released in May, found three out of five New Zealanders reported concern around the security of their information online.
"From the circumstances Cybernews is describing, this is sensitive personal information," a spokesperson for the Office of the Privacy Commissioner told 1News.
"No one should contribute to its widespread dissemination. Spreading this information or profiteering from it causes anxiety and distress to victims.
"It is important that anybody who receives information in relation to this report do the right thing. Do not spread it. Do not share it. Report it to the New Zealand Police."
Anyone who believes they have been harmed as a result of the breach has been urged to contact the Office of the Privacy Commissioner.
1News has approached WhatsApp's parent company Meta for comment.
SHARE ME