Key Takeaways
- WhatsApp security flaw exposed 3.5 billion phone numbers to potential data scraping
- Researchers accessed profile photos (57% of cases) and profile text (29% of users)
- Vulnerability existed despite 2017 warnings; fixed with rate-limiting in October 2025
- Meta confirms no evidence of malicious exploitation; messages remained encrypted
A massive security vulnerability in WhatsApp put approximately 3.5 billion user phone numbers at risk of exposure, according to University of Vienna researchers. The flaw could have become “the largest data leak in history” if exploited by malicious actors.
Security experts found they could access not just phone numbers but also profile photos for 57% of users and profile text information for 29% of accounts. The potential breach would have eclipsed Facebook’s 2021 scraping incident involving 500 million records.
Aljosha Judmayer, one of the study researchers, told WIRED: “To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented.”
Notably, WhatsApp and parent company Meta had been alerted about similar vulnerabilities as early as 2017 but failed to take adequate action at that time.
How the WhatsApp Security Flaw Worked
The vulnerability existed in WhatsApp’s contact discovery feature, which normally helps users find contacts already on the platform. Researchers discovered that without effective rate-limiting, this feature could be exploited to scan massive ranges of phone numbers.
Once a number was confirmed as active on WhatsApp, the same method could retrieve publicly available information including:
- Profile pictures
- Profile “About” text
- Device types
- Linked companion devices
Meta’s Response and Fix
Meta acknowledged the security issue and collaborated with researchers after they reported it through the Bug Bounty program in April 2025. The company implemented stricter rate-limiting measures by October 2025 to prevent such scraping attacks.
A Meta spokesperson stated: “We are grateful to the University of Vienna researchers for their responsible partnership. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits.”
The company emphasized that user messages remained secure due to WhatsApp’s default end-to-end encryption, and researchers have securely deleted all collected data. Meta confirmed finding no evidence of malicious actors exploiting this vulnerability.
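The enumeration described above works because each lookup of a new number is cheap and uncounted. The Python below is an added example, not WhatsApp's or the researchers' code, showing a per-client budget on distinct numbers looked up; the class and function names, the budget of 500, the 24-hour window and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict


class DiscoveryLimiter:
    """Cap the number of distinct phone numbers a client may look up per window."""

    def __init__(self, max_distinct=500, window_s=86_400):
        self.max_distinct = max_distinct   # assumed budget, not WhatsApp's value
        self.window_s = window_s
        self._first_seen = defaultdict(dict)   # client_id -> {number: timestamp}

    def allow(self, client_id, number, now):
        seen = self._first_seen[client_id]
        cutoff = now - self.window_s
        for old in [n for n, ts in seen.items() if ts <= cutoff]:
            del seen[old]                  # forget lookups older than the window
        if number in seen:
            return True                    # repeat sync of a known contact is free
        if len(seen) >= self.max_distinct:
            return False                   # budget spent: refuse new numbers
        seen[number] = now
        return True


def replay(events, limiter):
    """Feed (timestamp, client_id, number) events; return denied count per client."""
    denied = defaultdict(int)
    for ts, client_id, number in events:
        if not limiter.allow(client_id, number, ts):
            denied[client_id] += 1
    return dict(denied)


def sample_events():
    # Constructed sample input: one phone syncing 200 contacts twice,
    # one client walking a sequential range of 1,000 numbers.
    book = [f"+000555{n:04d}" for n in range(200)]
    events = [(t, "phone-A", num) for t in (0, 3600) for num in book]
    events += [(i, "client-B", f"+000700{n:04d}") for i, n in enumerate(range(1000))]
    return sorted(events)


if __name__ == "__main__":
    print(replay(sample_events(), DiscoveryLimiter()))
```

Counting distinct numbers rather than raw requests leaves repeated address-book syncs untouched while a range walk exhausts its budget after the first 500 new numbers.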



