
WhatsApp Exposed 3.5 Billion Phone Numbers for Years: Researchers Reveal Massive Privacy Gap


By Aiman Maulana November 20, 2025

WhatsApp’s explosive global growth has long been fueled by its simple onboarding process. If you have someone’s phone number, you can find them on the app. But that same convenience has now been revealed as a major privacy flaw. According to a team of Austrian security researchers, WhatsApp inadvertently exposed the phone numbers of all 3.5 billion of its users, making them easy targets for hackers, scammers, and data harvesters.

Researchers Extracted Billions of Phone Numbers from WhatsApp With Ease

The discovery is alarming not because of an advanced hacking technique, but because of how simple the data extraction was. Researchers merely automated the process of adding phone numbers through WhatsApp Web, the browser-based version of the app. If a number was linked to an account, WhatsApp displayed the user’s profile photo and status text, just as it would for any regular user.

Using this method at scale, the researchers were able to check approximately 100 million numbers per hour, ultimately confirming active accounts tied to all 3.5 billion users. For 57% of those, profile photos were accessible, and for 29%, profile status text was also revealed.

Meta Was Warned Years Ago, and Didn’t Act

What makes the situation even more troubling is that the vulnerability was first reported in 2017. Despite the warning, WhatsApp’s parent company Meta did not implement safeguards to prevent mass enumeration of accounts. This meant that, for years, malicious actors could have quietly collected user data without detection.

It wasn’t until the Austrian researchers notified Meta again in April of this year that the company finally took action. By October, Meta had rolled out rate-limiting measures designed to prevent rapid, automated lookups at such an enormous scale.
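The article does not describe how Meta's rate limiting works. As an added illustration (not Meta's or the researchers' code), one way a contact-lookup service can blunt mass enumeration is to cap how many distinct numbers a client may query per time window, so re-syncing a normal address book stays cheap while a sweep through a number range is cut off. The class name, thresholds and sample numbers below are assumptions.

```python
from collections import defaultdict, deque

class LookupBudget:
    """Caps how many *distinct* phone numbers one client may look up per window."""

    def __init__(self, max_distinct, window_seconds):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self._events = defaultdict(deque)  # client -> (timestamp, number) in arrival order
        self._seen = defaultdict(dict)     # client -> {number: timestamp of latest lookup}

    def _expire(self, client, now):
        events, seen = self._events[client], self._seen[client]
        while events and now - events[0][0] >= self.window:
            ts, number = events.popleft()
            if seen.get(number) == ts:     # no newer lookup of this number remains
                del seen[number]

    def allow(self, client, number, now):
        self._expire(client, now)
        seen = self._seen[client]
        if number not in seen and len(seen) >= self.max_distinct:
            return False                   # new number, but the distinct budget is spent
        seen[number] = now                 # repeats refresh the entry, cost no budget
        self._events[client].append((now, number))
        return True

def simulate(requests, max_distinct=5, window_seconds=3600):
    """Replay (timestamp, client, number) tuples and return each allow/deny decision."""
    limiter = LookupBudget(max_distinct, window_seconds)
    return [limiter.allow(client, number, ts) for ts, client, number in requests]

# Constructed sample traffic (fictional numbers): one client re-syncing a
# three-contact address book twice, and one client walking a consecutive range.
CONTACTS = ["+15550100001", "+15550100002", "+15550100003"]
ADDRESS_BOOK_SYNC = [(t, "phone-A", CONTACTS[t % 3]) for t in range(6)]
SWEEP = [(t, "web-B", f"+1555010{t:04d}") for t in range(8)]

if __name__ == "__main__":
    print("address-book sync:", simulate(ADDRESS_BOOK_SYNC))
    print("range sweep:      ", simulate(SWEEP))
```

A per-client cap alone does not stop a sweep spread across many accounts or IP addresses, so a real deployment would pair it with limits keyed on those as well.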

In a statement responding to the findings, Meta emphasized that all exposed data was “basic publicly available information.” The company added that profile photos and status text would only appear for users who elected to make them public.

Meta also asserted that there was “no evidence of malicious actors abusing this vector” and stressed that no private or hidden data was accessed by the researchers.

A Wake-Up Call for WhatsApp’s Billions of Users

While Meta downplays the risk, the scale of the exposure has sparked renewed debate about WhatsApp’s privacy model. The ability to confirm whether any phone number is linked to an account, and to scrape public profile details, creates opportunities for stalking, targeted scams, phishing, and mass surveillance.

This incident highlights a critical tension between ease of use and user privacy. And although the loophole has finally been limited, the years of unprotected access mean billions of users may have already had their data quietly collected.
