WhatsApp Vulnerability Exposes 3.5 Billion Users’ Phone Numbers

A critical security flaw in WhatsApp has allowed researchers to expose the phone numbers of 3.5 billion users, marking one of the most significant data leaks ever documented.

This vulnerability, rooted in the app’s contact discovery feature, persisted despite warnings to Meta dating back to 2017, raising serious concerns about user privacy on the world’s most popular messaging platform.

The exploit relies on WhatsApp’s built-in mechanism for finding contacts, which reveals whether a user is on the service and public details like profile pictures and status texts when a phone number is entered.

Security researchers from the University of Vienna demonstrated the flaw by systematically querying billions of potential numbers, confirming active accounts at a rate of over 100 million per hour without any restrictions from WhatsApp.

Their study, conducted between December 2024 and April 2025, generated a comprehensive dataset using a tool called libphonegen to create realistic phone numbers across 245 countries.

By leveraging WhatsApp’s XMPP protocol through a modified open-source client, the team accessed not only phone numbers but also encryption keys, timestamps, and public profile information for 56.7% of accounts.

WhatsApp’s contact discovery tool, designed for convenience, lacks robust rate-limiting, enabling automated scraping on a massive scale. The researchers used just five authenticated accounts on a single university server to probe 63 billion potential numbers, identifying 3.5 billion active ones in under six months.
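The scraping described above was possible because lookups were not bounded per account. As an added illustration that is not part of this article and not WhatsApp's code, the following hypothetical Python gate shows three defensive signals a contact-discovery service can apply to each authenticated account: a sliding-window request cap, a cap on distinct numbers asked about, and a registered-hit ratio check (an address-book sync mostly asks about numbers that are registered, whereas walking a generated number range mostly asks about numbers that are not, as the 3.5 billion hits out of 63 billion probes suggests). All thresholds, account identifiers and phone numbers are constructed.

```python
"""Hypothetical enumeration gate for a contact-discovery endpoint.
Added example; not WhatsApp's code. All thresholds are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AccountState:
    window: deque = field(default_factory=deque)  # timestamps of allowed lookups
    distinct: set = field(default_factory=set)    # distinct numbers asked about
    lookups: int = 0                              # results reported back so far
    hits: int = 0                                 # ... of which were registered
    flagged: bool = False                         # enumeration suspected


class DiscoveryGate:
    def __init__(self, max_per_window=200, window_s=3600.0,
                 max_distinct=5000, min_hit_ratio=0.3, min_sample=100):
        self.max_per_window = max_per_window  # allowed lookups per sliding window
        self.window_s = window_s              # window length in seconds
        self.max_distinct = max_distinct      # distinct numbers one account may ask about
        self.min_hit_ratio = min_hit_ratio    # below this share of registered hits, flag
        self.min_sample = min_sample          # lookups needed before the ratio is judged
        self.state = {}

    def allow(self, account, number, now):
        """Decide whether this lookup may proceed. Returns (allowed, reason)."""
        st = self.state.setdefault(account, AccountState())
        if st.flagged:
            return False, "enumeration"
        # drop timestamps that have fallen out of the sliding window
        while st.window and now - st.window[0] >= self.window_s:
            st.window.popleft()
        if len(st.window) >= self.max_per_window:
            return False, "rate-limit"
        if number not in st.distinct and len(st.distinct) >= self.max_distinct:
            st.flagged = True
            return False, "enumeration"
        st.window.append(now)
        st.distinct.add(number)
        return True, "ok"

    def report(self, account, registered):
        """Feed back whether the looked-up number turned out to be registered."""
        st = self.state[account]
        st.lookups += 1
        st.hits += int(registered)
        if st.lookups >= self.min_sample and st.hits / st.lookups < self.min_hit_ratio:
            st.flagged = True


def simulate(gate, account, numbers, registered, start=0.0, interval=1.0):
    """Replay lookups for one account; returns a count of decisions by reason."""
    counts = {}
    for i, num in enumerate(numbers):
        ok, reason = gate.allow(account, num, start + i * interval)
        counts[reason] = counts.get(reason, 0) + 1
        if ok:
            gate.report(account, registered(num))
    return counts


if __name__ == "__main__":
    gate = DiscoveryGate(max_per_window=100, max_distinct=10_000,
                         min_hit_ratio=0.3, min_sample=50)
    # constructed: a script walking a number range where 1 in 10 numbers is registered
    sequential = [f"+1555{i:07d}" for i in range(300)]
    print("script:", simulate(gate, "script", sequential, lambda n: n.endswith("0")))
    # constructed: an address-book sync of 40 contacts, all but one registered
    contacts = [f"+4930{i:06d}" for i in range(40)]
    print("sync:  ", simulate(gate, "sync", contacts, lambda n: n != "+4930000013"))
```

The hit-ratio signal is the one a plain per-IP limiter misses: the researchers ran from a single server with five accounts, so a low cap per account on top of the request rate is what actually bounds the damage.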

For 29.3% of users, “about” texts revealed sensitive details such as political views, religious affiliations, or links to other social media profiles.

Alarmingly, the study uncovered 2.9 million cases of public key reuse, including identity and prekeys, which could undermine end-to-end encryption if exploited by malicious actors using unofficial clients.

One extreme example involved 20 U.S. numbers sharing a key of all zeros, suggesting potential fraud or broken implementations.
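An added example, not from the article or the research team, of the audit a platform operator could run over its own key directory to surface the reuse described above: group accounts by their published identity key, report every key shared by more than one account, and single out the all-zero key (an all-zero X25519 public key is a low-order point, so a Diffie-Hellman computation against it returns an all-zero shared secret whatever the other party's private key). The records, phone numbers and key bytes are constructed; WhatsApp's actual key encoding is not assumed.

```python
"""Hypothetical identity-key reuse audit over a key directory.
Added example with constructed records; not WhatsApp data or code."""
from collections import defaultdict

KEY_LEN = 32
# All-zero X25519 public key: a low-order point, DH output against it is all zeros.
ZERO_KEY = bytes(KEY_LEN)


def audit_identity_keys(records):
    """records: iterable of (phone_number, identity_key_bytes).

    Returns (reused, zero_key_accounts, malformed):
      reused            key hex -> sorted numbers sharing that key (groups of 2 or more)
      zero_key_accounts sorted numbers whose key is all zeros
      malformed         sorted numbers whose key is not KEY_LEN bytes long
    """
    by_key = defaultdict(set)
    malformed = set()
    for number, key in records:
        if len(key) != KEY_LEN:
            malformed.add(number)  # report rather than silently bucket a bad key
            continue
        by_key[key].add(number)
    reused = {k.hex(): sorted(v) for k, v in by_key.items() if len(v) > 1}
    zero = sorted(by_key.get(ZERO_KEY, set()))
    return reused, zero, sorted(malformed)


def summarize(records):
    """Headline counts of the kind a report would quote."""
    recs = list(records)
    reused, zero, malformed = audit_identity_keys(recs)
    return {
        "accounts": len(recs),
        "reuse_groups": len(reused),
        "accounts_sharing_keys": sum(len(v) for v in reused.values()),
        "zero_key_accounts": len(zero),
        "malformed_keys": len(malformed),
    }


# Constructed sample directory (hypothetical numbers and keys).
SAMPLE_RECORDS = [
    ("+15550000001", bytes.fromhex("aa" * 32)),
    ("+15550000002", bytes.fromhex("aa" * 32)),  # same key as ...0001
    ("+15550000003", ZERO_KEY),
    ("+15550000004", ZERO_KEY),
    ("+15550000005", ZERO_KEY),
    ("+15550000006", bytes.fromhex("bb" * 32)),  # unique, as every key should be
    ("+15550000007", b"\x05" + bytes.fromhex("cc" * 32)),  # constructed: unexpected length
]

if __name__ == "__main__":
    reused, zero, malformed = audit_identity_keys(SAMPLE_RECORDS)
    for key_hex, numbers in reused.items():
        print(f"key {key_hex[:16]}... shared by {len(numbers)} accounts: {numbers}")
    print("all-zero keys:", zero)
    print("malformed keys:", malformed)
    print(summarize(SAMPLE_RECORDS))
```

Grouping by key rather than by account is what makes the check scale: a single pass over the directory finds every reuse group, and the zero-key group falls out of the same map without a special scan.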

This vulnerability echoes earlier warnings; a researcher flagged the issue in 2017, yet Meta delayed fixes for eight years. The exposed data overlaps significantly with prior breaches, like the 2021 Facebook leak of 500 million numbers, where nearly half remained active on WhatsApp, heightening risks for scams and targeted attacks.

Users in countries banning WhatsApp, such as China, Iran, and North Korea, face amplified dangers, including state surveillance or persecution.

Meta acknowledged the findings through its bug bounty program in April 2025 and implemented stricter rate limits in October 2025, claiming the data was already public and messages stayed encrypted.

WhatsApp VP of Engineering Nitin Gupta stated the company was developing anti-scraping measures, and the research helped stress-test them, with no evidence of malicious exploitation found.

The researchers responsibly deleted their dataset and emphasized that private profiles limited exposure, but they criticized Meta because they encountered no defenses at all during the probe.

Despite the patch, experts warn of lingering threats. Business accounts, comprising 9% of those scraped, often unwittingly expose more data via WhatsApp Business features.

The flaw highlights broader issues in enumeration attacks, where convenience features become privacy pitfalls, potentially fueling phishing, SIM-swapping, or doxxing campaigns. Cybersecurity analysts urge users to set profiles to private, avoid sharing personal details in statuses, and monitor for suspicious activity, especially post-leak.

This incident underscores the challenges of securing platforms with billions of users, where even “public” data aggregation creates a shadow profile ecosystem.

As WhatsApp dominates messaging in regions like West Africa, where 80% of profiles were public, the risks of identity theft and cyberattacks escalate.

Per-country breakdown of the identified accounts (top ten countries, the remaining countries, and the global total):

| Rank | Country | # Accounts | Global Share | Android (%) | iOS (%) | Picture (%) | About Text (%) | Business (%) | Companions (%) |
|---|---|---|---|---|---|---|---|---|---|
| 1 | India | 749,075,246 | 21.67% | 95 | 5 | 62.2 | 29.5 | 9.8 | 6.2 |
| 2 | Indonesia | 235,245,077 | 6.81% | 92 | 8 | 49.1 | 27.5 | 10.7 | 9.3 |
| 3 | Brazil | 206,949,224 | 5.99% | 81 | 19 | 61.1 | 41.5 | 10.3 | 15.5 |
| 4 | United States | 137,859,284 | 3.99% | 33 | 67 | 44.0 | 32.8 | 2.4 | 6.1 |
| 5 | Russia | 132,855,022 | 3.84% | 76 | 24 | 61.7 | 33.5 | 3.6 | 9.4 |
| 6 | Mexico | 128,324,166 | 3.71% | 82 | 18 | 46.1 | 23.3 | 4.1 | 11.7 |
| 7 | Pakistan | 98,277,665 | 2.84% | 95 | 5 | 58.5 | 20.0 | 21.7 | 5.4 |
| 8 | Germany | 74,565,425 | 2.16% | 58 | 42 | 51.0 | 35.4 | 2.2 | 13.4 |
| 9 | Türkiye | 72,131,903 | 2.09% | 73 | 27 | 48.0 | 33.4 | 3.0 | 12.0 |
| 10 | Egypt | 69,317,806 | 2.01% | 90 | 10 | 53.2 | 25.1 | 11.3 | 6.1 |
| 11–245 | Others | 1,552,021,571 | 44.90% | 77 | 23 | 56.9 | 27.9 | 9.3 | 9.0 |
| Global (245 countries) | | 3,456,622,389 | 100.00% | 81 | 19 | 56.7 | 29.3 | 9.0 | 8.8 |

Regulators may scrutinize Meta further following GDPR fines for past lapses, pushing for proactive defenses such as advanced CAPTCHA or behavioral analysis.
