WhatsApp Security Flaw Exposes 3.5 Billion Phone Numbers
A critical WhatsApp vulnerability has exposed phone numbers of over 3.5 billion users worldwide, allowing potential harvesting of profile photos, status updates, and personal information through the app’s contact discovery system.
Key Takeaways
- WhatsApp’s contact discovery mechanism exposed user phone numbers globally
- Attackers could scrape profile photos, status updates, and personal details
- Meta claims the issue has been mitigated with no evidence of abuse
- Security experts call this a wake-up call for phone-based identity systems
How the Vulnerability Works
Researchers from the University of Vienna and SBA Research discovered that WhatsApp’s contact discovery feature, which matches phone numbers from address books to its database, could be exploited to systematically enumerate and collect user information.
“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences,” said researcher Gabriel Gegenhuber from the University of Vienna.
“They show that security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves.”
Fundamental Design Flaw
Security experts describe the discovery as highlighting a core problem with using phone numbers as digital identities.
“This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability,” said Marijus Briedis, CTO at NordVPN.
“WhatsApp uses numbers as its core identity system, [so] attackers were able to automatically test billions of them and pull back profile details at extraordinary speed.”
Potential Attack Scenarios
With access to phone numbers, profile photos, and status information, cybercriminals could build highly-targeted impersonation attacks and sophisticated phishing campaigns.
“At scale, this becomes a goldmine for scammers, criminals and well-resourced cyber groups,” Briedis noted.
Meta’s Response
Meta, WhatsApp’s parent company, states it has addressed the vulnerability and found no evidence of malicious exploitation.
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program,” a spokesperson said.
“Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.”
Related Legal Action
The security flaw discovery follows recent allegations by former WhatsApp security chief Attaullah Baig, who served from 2021 to 2025. Baig filed a lawsuit in September alleging WhatsApp failed to address the hacking and takeover of more than 100,000 accounts daily.
