A security flaw on WhatsApp has led to all of the approximately 3.5 billion phone numbers on the platform being compromised, according to researchers from the University of Vienna. The researchers further say that they were able to access profile photos of users in 57 percent of the cases and even the text on their profiles for 29 percent of the users.
Notably, WhatsApp and its parent company Meta were made aware of the vulnerability by different research in 2017 but the company failed to take appropriate action on it.
The researchers warned that if the data had been collected by bad actors, it would have become “the largest data leak in history”, even eclipsing the 2021 Facebook scraping incident where around 500 million records were compromised.
“The dataset contains phone numbers, timestamps, about text, profile pictures and public keys for E2EE encryption, and its release would entail adverse implications to the included users,” the researchers confirmed in their study.
Aljosha Judmayer, one of the researchers who worked on the study, told WIRED, “To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented.”
The researchers say they made WhatsApp aware of the vulnerability in April 2025 and while the company didn’t show much interest in the problem early on, it eventually worked with them to fix the issue and enabled a stricter “rate-limiting” measure by October.
What was the vulnerability with WhatsApp?
WhatsApp has a basic feature called contact discovery: when you upload your address book, the app tells you which of your contacts use WhatsApp. The researchers found that since WhatsApp had no effective rate-limiting, the same feature could be used to scan huge ranges of phone numbers.
And once a number was confirmed to be on WhatsApp, the same loophole could also be used to retrieve other publicly available information like profile picture, profile text, device type and linked companion devices.
Meta acknowledges security issue
Meta acknowledged the security issue in a statement to 9to5Mac. A spokesperson for the company said, “We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty programme. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.”
“We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defences. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers,” it added.
whatsapp, whatsapp leak
#WhatsApp #massive #security #flaw #put #phone #number #billion #users #risk #heres #happened