WhatsApp Users at Risk After Design Flaw Exposes 3.5B Phone Numbers

WhatsApp is once again under fire for a major privacy scare, but not because its encryption was broken or messages were hacked. Instead, a design flaw in one of the messaging app’s oldest features quietly allowed researchers to scrape 3.5 billion phone numbers and profile details. Experts say this is the largest phone-number exposure ever recorded.
WhatsApp flaw exposes 3.5 billion phone numbers
This wasn’t a breach of WhatsApp’s servers, but the result of how it verifies whether a number is registered on the platform. The feature is meant to help you check whether someone in your contact list is on WhatsApp. However, until recently, this process lacked proper safeguards, and a research team from the University of Vienna and SBA Research turned it into a major privacy loophole.
By feeding billions of automatically generated phone numbers into WhatsApp’s servers, the researchers were able to confirm 3.5 billion accounts. They could also collect limited but sensitive metadata such as profile photos, display names, and the "about" text, and could see whether each number was active on WhatsApp.
There was no access to chat logs, messages, media, or backups. End-to-end encryption stayed intact. But that doesn’t mean users are safe. A verified, global list of active WhatsApp numbers is extremely valuable to attackers. It can be used for high-precision phishing and scam campaigns, long-term identity profiling, linking WhatsApp accounts to other leaked datasets, and other attacks.
The researchers also compared their findings with Meta’s 2021 Facebook leak. Shockingly, half of the phone numbers from that breach were still active on WhatsApp, proving that scraped data can stay useful to attackers for years. The incident highlights a recurring problem with messaging apps that rely on phone numbers for identity.
Meta has closed the loophole, but users must be careful
The flaw was disclosed to Meta earlier this year, and the company has since added stricter anti-scraping protections. It says the enumeration method no longer works at scale, adding that the leak only exposed publicly visible information. However, similar scraping attempts may have already occurred in the past, so users should tighten their privacy settings.
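The safeguards the article refers to are, in general terms, limits on how many lookups one client may make and detection of query patterns that do not look like a genuine address-book sync. The following is an added illustration of that idea, not WhatsApp's or Meta's code: a hypothetical contact-discovery service that caps lookups per client per time window and flags a client whose lookups are mostly for unregistered numbers (a legitimate sync mostly hits real contacts; synthetic enumeration mostly misses). The class name, thresholds, and the miss-ratio heuristic are all assumptions chosen for the example; once a client is flagged, the service stops answering rather than revealing registration status.

```python
import time
from collections import deque


class FakeClock:
    """Constructed clock so the example (and its tests) run deterministically."""

    def __init__(self):
        self.t = 0.0

    def advance(self, seconds):
        self.t += seconds

    def __call__(self):
        return self.t


class ContactDiscoveryService:
    """Hypothetical contact-discovery lookup with anti-enumeration safeguards.

    Constructed example; not WhatsApp's implementation. Two checks are applied
    per client: a sliding-window cap on lookups, and a heuristic that flags a
    client whose recent lookups are mostly for unregistered numbers.
    """

    def __init__(self, registered_numbers, max_lookups=100, window_seconds=60.0,
                 max_miss_ratio=0.5, min_lookups_for_ratio=20, clock=time.monotonic):
        self.registered = set(registered_numbers)
        self.max_lookups = max_lookups            # assumed cap per window
        self.window = window_seconds              # assumed window length
        self.max_miss_ratio = max_miss_ratio      # assumed "mostly misses" threshold
        self.min_lookups_for_ratio = min_lookups_for_ratio  # avoid flagging tiny samples
        self.clock = clock
        self.history = {}   # client_id -> deque of (timestamp, was_registered)
        self.flagged = set()  # clients blocked for enumeration-like behaviour

    def _recent(self, client_id, now):
        """Return the client's lookups inside the window, dropping older ones."""
        q = self.history.setdefault(client_id, deque())
        while q and now - q[0][0] > self.window:
            q.popleft()
        return q

    def lookup(self, client_id, phone_number):
        """Answer 'registered', 'unregistered', or 'throttled'."""
        now = self.clock()
        q = self._recent(client_id, now)
        if client_id in self.flagged or len(q) >= self.max_lookups:
            return "throttled"
        hit = phone_number in self.registered
        q.append((now, hit))
        if len(q) >= self.min_lookups_for_ratio:
            misses = sum(1 for _, h in q if not h)
            if misses / len(q) > self.max_miss_ratio:
                # Looks like enumeration of synthetic numbers: stop answering.
                # A real service would expire or escalate this flag; kept simple here.
                self.flagged.add(client_id)
                return "throttled"
        return "registered" if hit else "unregistered"


def count_throttled(results):
    """Small helper for summarising a list of lookup outcomes."""
    return sum(1 for r in results if r == "throttled")


if __name__ == "__main__":
    clock = FakeClock()
    # Constructed registry: only two numbers exist.
    svc = ContactDiscoveryService(["+15550001", "+15550002"], max_lookups=10,
                                  window_seconds=60, max_miss_ratio=0.5,
                                  min_lookups_for_ratio=4, clock=clock)
    # A client sweeping a numeric range mostly hits unregistered numbers.
    sweep = [svc.lookup("bot", f"+1555{n:04d}") for n in range(10)]
    print("range sweep:", sweep, "-> throttled:", count_throttled(sweep))
    # A client syncing a real address book stays under both limits.
    print("address-book sync:", svc.lookup("alice", "+15550001"))
```

Usage note: in the demo the sweeping client is cut off after five lookups because three of its first five queries missed, while the ordinary client is answered. The cap alone would only slow a patient scraper down, which is why the pattern check matters; conversely, the miss-ratio heuristic will occasionally flag a user whose contacts mostly are not on the service, so a real deployment would pair it with a way to recover.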
Always set Profile Photo, About, and Last Seen to My Contacts or Nobody, rather than Public. You should also remove old or unused SIMs from WhatsApp accounts. More importantly, treat unexpected WhatsApp messages with extra caution, as attackers now have huge verified lists. Avoid clicking on unknown links and keep the app updated for maximum security.