A WhatsApp flaw exposed metadata of 3.5 billion users, though private messages remained secure.
WhatsApp privacy nightmare: 3.5 billion phone numbers exposed
A shocking security flaw in WhatsApp has exposed the phone numbers and, in many cases, the profile photos and public status texts of 3.5 billion users worldwide.
Researchers from the University of Vienna and SBA Research discovered that WhatsApp’s contact‑discovery feature, designed to show which contacts are on the platform, could be exploited at massive scale.
By automating queries, they confirmed billions of active accounts, collected metadata, and even found accounts in countries where the app is banned, such as China and Myanmar. Some accounts reused encryption keys, raising concerns about unauthorized clients. Private messages, however, remained secure.
Meta responded by implementing rate-limiting to prevent mass scraping and emphasized there is no evidence the flaw was abused maliciously. Still, experts warn that even “public” profile data becomes dangerous when harvested on such a scale, enabling spam, phishing, or more serious abuses.
The incident highlights a fundamental vulnerability: using phone numbers as the main identifier makes users easy targets for mass enumeration. It also underscores the value of metadata, profile photos, status texts, and device info, which can be weaponized when aggregated.
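To make the rate-limiting fix and the enumeration problem concrete, here is an added sketch (not WhatsApp's or Meta's code) of a contact-discovery limiter that budgets distinct phone numbers per client rather than raw request counts. The class name, limits, client IDs and phone numbers are all assumptions constructed for illustration.

```python
from collections import deque


class DiscoveryLimiter:
    """Hypothetical limiter: caps the number of *distinct* phone numbers
    one client may look up within a sliding time window."""

    def __init__(self, max_distinct=500, window_s=86400):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self._seen = {}   # client_id -> {number: time it was charged}
        self._order = {}  # client_id -> deque of (time, number), oldest first

    def _expire(self, client_id, now):
        seen = self._seen.setdefault(client_id, {})
        order = self._order.setdefault(client_id, deque())
        # Drop charges that have aged out of the window.
        while order and now - order[0][0] >= self.window_s:
            ts, number = order.popleft()
            if seen.get(number) == ts:
                del seen[number]
        return seen, order

    def allow(self, client_id, number, now):
        seen, order = self._expire(client_id, now)
        if number in seen:
            return True   # re-syncing a known contact costs nothing
        if len(seen) >= self.max_distinct:
            return False  # distinct-number budget exhausted
        seen[number] = now
        order.append((now, number))
        return True


def simulate():
    lim = DiscoveryLimiter(max_distinct=5, window_s=60)
    # Constructed sample: a phone re-syncing the same three contacts.
    book = ["+12025550101", "+12025550102", "+12025550103"]
    normal = [lim.allow("phone-A", n, t) for t in range(10) for n in book]
    # Constructed sample: a client walking a sequential number block.
    walk = [lim.allow("script-B", f"+1202555015{i}", i) for i in range(10)]
    # Once the window has passed, the budget is available again.
    later = lim.allow("script-B", "+12025550199", 200)
    return all(normal), walk.count(True), later


if __name__ == "__main__":
    print(simulate())
```

Counting distinct numbers instead of requests leaves ordinary address-book syncs untouched while capping how much of the number space a single client can confirm per window.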
Users are advised to review privacy settings, limit who can see profile photos and “About” texts, and stay alert for phishing. WhatsApp has patched the flaw, but the episode is a stark reminder: in the digital world, even public information can be perilous when collected at scale.
