Axios Codebook

February 21, 2023
Happy Tuesday! Welcome back to Codebook.
- ✈️ It feels so good to be back with everyone this morning, but anyone else get a strong urge to plan more trips after coming back from one? No way it's just me.
- 📬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,306 words, a 5-minute read.
1 big thing: WhatsApp's sticky privacy flaws
Illustration: Shoshana Gordon/Axios
A Codebook reader has shared new details about a persistent privacy flaw in encrypted messaging service WhatsApp that's proven difficult for the company to squash.
What's happening: Eric — who works in the tech industry but requested we withhold his last name — told Axios he discovered the flaw when his son moved to France for work, got a new SIM card and updated his WhatsApp account with a new phone number.
- When Eric's son did this, his profile picture changed and new messages from random users started to pour in. Eric quickly realized his son had taken over the account of another WhatsApp user who used to have that phone number.
- Eric reported the problem through WhatsApp parent company Meta's bug bounty program. Meta quickly dismissed the report, telling Eric that the issue was a concern but was outside the company's ability to fix.
- A Vice reporter wrote about how he also accidentally hijacked someone else's WhatsApp account three years ago. WhatsApp acknowledges this can happen, although it says it's extremely rare.
The big picture: Eric's discovery is part of a broader issue with telecom providers quickly reassigning phone numbers after they've been forfeited.
- The Federal Communications Commission currently requires telecom providers to wait at least 45 days before reassigning old numbers. Doing so gives the former owner of the number time to update accounts like WhatsApp.
- However, that process doesn't always go smoothly. In a 2021 Princeton study, 66% of a sample of 259 phone numbers were still connected to accounts belonging to the previous owners.
Between the lines: This was the first time Eric had reported a potential security vulnerability to a tech vendor as an individual — and he found the bug bounty process "decent" since it gives vendors ample time to patch the flaw if they want and still allows researchers to go public if they're ignored.
- "The reality is that it is designed for and works well for researcher-to-researcher teams," Eric told Axios. "That's a lot better than nothing."
- "What we're describing here is really just a bug or a bad design," he added. "It's not the heart of what these programs are all about."
The other side: A WhatsApp spokesperson told Axios this problem happens in "extremely rare circumstances," and the issue stems from mobile operators quickly reassigning old phone numbers after they're forfeited.
- WhatsApp also deletes accounts after 120 days of inactivity, and if an account is unused for 45 days and then is reactivated on a different device, WhatsApp deletes the account data it stores, like profile pictures.
The intrigue: Eric is going public with his findings so he can raise awareness about the issue with other WhatsApp users.
- "I knew who to go and talk to because I'm in industry," he told Axios. "My son would've had no idea who to contact about this."
Be smart: If you change your phone number, update any apps tied to it before the old number goes dead, including WhatsApp, Signal or other messaging apps. Use the app's own change-number feature where it has one (WhatsApp and Signal both do) rather than re-registering from scratch, so the account follows you and the old number is no longer attached to it. That prevents a future, accidental takeover of your account by whoever inherits the number.
2. Internet quality-of-life inflation
Illustration: Sarah Grillo/Axios
A better quality of life on the internet is becoming increasingly pricey, Axios' Hope King and Sara Fischer write.
Driving the news: The world's biggest social platforms are experimenting with charging people for everything from improved account security and support to the promise of wider public exposure.
- Meta said on Sunday that it's starting to trial a new paid verification service for Instagram and Facebook users to receive a badge signifying that they've authenticated their identity. For $11.99 or $14.99 monthly, customers also receive "proactive account monitoring for impersonators" and "access to a real person" for account issues.
- The move follows Twitter's announcement on Friday that two-factor authentication via text message will be offered only to paying Twitter Blue customers after March 20.
- With Twitter Blue now relaunched, customers can pay monthly to have a blue checkmark on Twitter, have the ability to edit tweets, see fewer ads "soon," post longer tweets, and be featured more prominently on other users' timelines, among other perks.
Between the lines: While both companies are in many ways targeting their most prolific users — or creators — for new revenue, internet watchdogs have long viewed authentication and identity protection features as basic responsibilities of online platforms, not premiums or frills.
What's happening: Legacy web-based companies are maturing, looking for more ways to squeeze money from users while fighting for loyalty through new features as consumers demand novel experiences online.
- In that fight, internet players ranging from social media companies and delivery apps to media networks and business software providers have been rolling out paid extras.
3. What exactly is going on with Twitter 2FA
Illustration: Sarah Grillo/Axios
Twitter's decision to stop texting login codes to nonsubscribers is causing confusion about what security tools free users can still enable.
Driving the news: Last week, Twitter started notifying users who don't subscribe to its paid Twitter Blue service that the company will stop sending texts with login codes to users after March 20.
- These login codes are an added form of security to verify that the person who is logging in to the account is the actual owner.
- However, while texts will end, the company will allow nonsubscribers to set up multifactor authentication (MFA) for their accounts through authenticator apps, such as Google Authenticator and Microsoft Authenticator, or through a hardware security key.
- Nonsubscribers should "consider using an authentication app or security key method instead," the company wrote in a blog post last week.
Why it matters: Receiving a login code via text is the most popular form of two-factor authentication among the small number of Twitter users who enroll in the service.
- According to data from July through December 2021, the latest numbers available, 2.6% of Twitter users have MFA enabled. Among those, nearly 75% use text-based MFA.
- And it's unlikely those Twitter users will all move to a different authentication service, like Google Authenticator.
Yes, but: Texted codes are the weakest form of MFA. Attackers can redirect them with a SIM swap or phish them in real time, and such attacks have been behind several high-profile data breaches in the last year.
The big picture: Even with text-based login codes enabled, Twitter has still had its fair share of account takeovers and breaches.
- In 2020, hackers took over several high-profile Twitter users' accounts — including now-owner Elon Musk's — after tricking several employees into handing over access to internal account tools.
- Earlier this month, the U.S.'s top cyber diplomat said his personal Twitter account had been hacked.
Between the lines: Twitter is framing the choice as a move to better secure users' accounts from malicious hackers.
- However, Musk said the change was also because "Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages."
4. Catch up quick
@ D.C.
🏛 The Supreme Court will soon decide whether to hear Wikimedia's case about the legality of a major NSA surveillance program. (CyberScoop)
💰 The federal government's Technology Modernization Fund awarded $40.6 million to three agencies to upgrade their cybersecurity and digital services. (Nextgov)
@ Industry
👀 Hackers are starting to sell login credentials for data centers tied to some of the world's largest corporations, including Amazon, Apple and Microsoft. (Bloomberg)
📉 Cybersecurity company Darktrace has hired EY to review its finances after short-seller scrutiny. (Reuters)
@ Hackers and hacks
📆 GoDaddy says it suffered a data breach in which attackers had access to its networks for several years and stole source code. (BleepingComputer)
💻 Suffolk County in New York started restoring its online services over the weekend, five months after a ransomware attack took it offline. (Wall Street Journal)
🐦 Spain is extraditing a 23-year-old U.K. national allegedly connected to the 2020 Twitter hack. (Risky Business News)
5. 1 fun thing
La Paz waterfall (left) and a napping coati in the rain forest (right) in Costa Rica. Photos: Sam Sabin/Axios
I'm excited to be back in your inboxes, but part of me is still in the Costa Rican jungle 🦥.
- I missed out on seeing any sloths, but I did see my fair share of coatis, monkeys and waterfalls.
- If the country isn't on your travel bucket list already, add it! 🇨🇷
☀️ See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
Decode key cybersecurity news and insights. With Sam Sabin.