WhatsApp’s Global Data Gap: 3.5 Billion Numbers at Risk
Meta failed to prevent the leak of the phone numbers of 3.5 billion WhatsApp users—even though it had been warned in advance back in 2017. As a result, the immensely popular encrypted messaging app is now linked to one of the largest data-exposure incidents recorded so far.
The breach occurred due to flaws in WhatsApp’s contact discovery feature. Security researchers at the University of Vienna in Austria used this feature to scan an enormous number of mobile phone numbers. They found that when any mobile number is searched on WhatsApp, the app reveals whether the number is active, and in many cases also displays the profile photo and status text.
Using just five WhatsApp accounts and a single server, the researchers tested 63 billion possible numbers at a rate of approximately 100 million per hour, ultimately identifying 3.5 billion active WhatsApp numbers.
To do this, they used a tool called “libphonenumber” to generate real mobile numbers from 245 countries and leveraged WhatsApp’s communication protocol. Alarmingly, Facebook had been informed about this vulnerability as early as 2017—yet it took eight years to fix.
The Vienna-based researchers reported that from 56.7% of the accounts, they were able to extract mobile numbers, profile photos, “About” texts, encryption keys, last-seen timestamps, and in some cases even linked social-media profile details.
Moreover, 29.3% of users had religious, political, or highly personal details displayed in their “About” section. Nearly 2.9 million accounts were found using the same encryption key, which puts WhatsApp’s end-to-end encryption at risk. For example, 20 U.S. phone numbers—already associated with fraud concerns—were found to have the same zero-number encryption key.
Meta acknowledged the flaw in April 2025. Later, in October, it released rate-limiting patches. The company claims that the leaked numbers were already publicly available and that chats remain secure. It also says that anti-scraping systems are being strengthened.
However, experts warn that risks remain—especially because WhatsApp Business accounts expose even more information. For better privacy protection, experts recommend that users set profile visibility to Contacts Only, avoid placing personal details in the “About” section, ignore calls or messages from unknown numbers, and regularly review privacy settings.
DBTech/PM/IK/OR
