How WhatsApp Accounts Get Stolen

WhatsApp accounts are hijacked with a shockingly simple trick. An attacker registers your phone number on their device, which makes WhatsApp send a verification code to your phone by SMS. Then they contact you pretending to be a friend or WhatsApp support: "I accidentally sent my code to your number, can you forward it?" The moment you share that code, your account is theirs, along with your groups and your contact list, which they'll use to scam your friends next.

Two-step verification kills this attack. It adds a six digit PIN that only you know. Even with the SMS code, an attacker can't register your number without the PIN.

How to Enable Two-Step Verification

The setting takes under a minute:

  1. Open WhatsApp and go to Settings.
  2. Tap Account → Two-step verification.
  3. Tap Turn on (or Enable).
  4. Create a six digit PIN and confirm it.
  5. Add an email address for PIN recovery. Don't skip this.

Done. WhatsApp will now require this PIN whenever your number is registered on a new device.

Choosing a PIN That Actually Protects You

  • Avoid your birth year, 123456, or repeated digits. Attackers who know you will try those first.
  • Don't reuse your bank card PIN. One leak shouldn't unlock two things.
  • Make it random. Six random digits are easy to memorise after a week of occasional prompts. WhatsApp asks for the PIN periodically, which doubles as memory practice.

If you like the idea of randomness done properly, our password generator can produce numeric PINs using your browser's cryptographic random source.

Why the Recovery Email Matters

Forget your PIN with no recovery email set, and you'll have to wait seven days before you can register your number without it. Seven days locked out, while attackers who set a PIN on your hijacked account get the same one week head start. Adding an email removes both problems: you can reset the PIN instantly through a link.

Make sure that email account itself has strong protection. Here's our guide on enabling 2FA on Gmail.

Two-Step Verification vs Regular 2FA

WhatsApp's system is a bit different from the TOTP codes you may use elsewhere:

FeatureWhatsApp Two-StepStandard TOTP 2FA
Second factorStatic six digit PINRotating six digit code
Changes over timeNo, you set it onceYes, every 30 seconds
When it's askedNew device registration + periodic promptsEvery login (or new devices)
Protects againstNumber hijacking, SIM swap takeoverPassword theft

Curious how rotating codes work? Our TOTP explainer breaks it down, and you can generate live codes with our free 2FA generator.

More Ways to Harden WhatsApp

  • Never share a verification code with anyone. Not with friends, not with "support". WhatsApp staff will never ask for it.
  • Enable a screen lock (Settings → Privacy → App lock) so the app opens with your fingerprint or face.
  • Review linked devices (Settings → Linked devices) and remove anything you don't recognise.
  • Turn off SMS preview on your lock screen. A visible verification code on a locked phone is a gift to anyone holding it.

The "friend in trouble" scam works because the message really does come from your friend's account. Their WhatsApp was hijacked first. A PIN protects your friends from your account being next.

Frequently Asked Questions

What if I forget my WhatsApp PIN?

If you added a recovery email, tap "Forgot PIN" and reset it through the link. Without an email, WhatsApp makes you wait seven days before removing the PIN, as a protection against attackers doing exactly that.

Is WhatsApp two-step verification the same as the SMS code?

No. The SMS code verifies you own the phone number. The PIN is an extra secret on top. The SMS code can be stolen or phished, and the PIN exists precisely to cover that case.

How often will WhatsApp ask for my PIN?

Periodically, roughly once a week or two, when you open the app. This is intentional: it keeps the PIN fresh in your memory and confirms the account holder still knows it.

Someone stole my WhatsApp account. What do I do?

Sign in to WhatsApp with your phone number immediately: entering the SMS code logs the attacker out. If they enabled two-step verification with their own PIN, email support@whatsapp.com asking them to deactivate your number, and register again once it's done. Warn your contacts in the meantime, since the attacker will likely message them asking for money.

Does the PIN protect my chat backups too?

No. Chat backups in Google Drive or iCloud are separate. Enable end-to-end encrypted backups (Settings → Chats → Chat backup → End-to-end encrypted backup) so a compromised cloud account can't read your history.

Shoyeb Akter

Written by

Security Tools Developer and creator of 2FA Fast — a privacy-first browser-based authenticator and security tools platform.