Some time ago, a friend's WhatsApp account was stolen by a hacker. We noticed it when the hacker started spamming Anti-Christ and pornographic messages in the group chat. I blocked the account immediately. Several of us also warned others to be careful, as the hacker may use contact details to hack others.
Fortunately, my friend managed to regain control of the WhatsApp account after a week or so. After confirming via an out-of-band mechanism that my friend had recovered the account, I removed the block.
These were the actions my friend took to recover the account:
Deactivate Voice Mail
In the event there are confidential voice messages in the voice mail inbox, this should help to prevent loss of information.
Submit a Police Report
One of the first things to do is to submit a police report. While the police may not be able to help in the recovery of the account, the report serves to protect us in case hackers use the compromised account to commit further crimes.
Inform the Telco Service Provider
To deter further loss of information and other accounts associated with the phone number, inform the telco service provider to deactivate the phone number. This should also terminate other services associated with the account such as voice mail (above).
Contact WhatsApp about the hack
Obviously, we have to inform WhatsApp about the hack and attempt to regain control of the account. The support email account is firstname.lastname@example.org and their contact website is https://www.whatsapp.com/contact/.
For normal users, click on WhatsApp Messenger Support.
This will lead us to their form, where we can provide our contact details and inform them about the hack.
Protection is always better than cure. This applies to all online accounts.
Deter hackers with Two-Factor Authentication
Use two-factor authentication to protect your accounts. Most banks have already implemented this, and it is used on many online sites such as Facebook, Google, Microsoft, LinkedIn, etc. I used both Microsoft Authenticator and Google Authenticator. WhatsApp has a two-step verification mechanism too.
Never share One-Time Password
Regardless of who the person may be, one basic rule applies: never share an OTP. Official sources (such as banks) will never ask for the OTP. My friend probably fell for this WhatsApp OTP scam.