WhatsApp had a massive flaw that put the phone numbers of 3.5 billion users at risk: here's what happened


A security flaw in WhatsApp has led to all of the approximately 3.5 billion phone numbers on the platform being compromised, according to researchers from the University of Vienna. The researchers further say that they were able to access the profile photos of users in 57% of the cases and even the text on their profiles for 29% of the users.

Notably, WhatsApp and its parent company Meta were made aware of the vulnerability by a different researcher in 2017, but the company failed to take appropriate action on it.

The researchers warned that if the data had been collected by bad actors it would have become “the largest data leak in history”, even eclipsing the 2021 Facebook scraping incident in which around 500 million records were compromised.

“The dataset contains phone numbers, timestamps, about text, profile pictures, and public keys for E2EE encryption, and its release would entail adverse implications to the included users,” the researchers confirmed in their study.

Aljosha Judmayer, one of the researchers who worked on the study, told WIRED: “To the best of our knowledge, this marks the most extensive exposure of phone numbers and related user data ever documented.”

The researchers say they had made WhatsApp aware of the vulnerability in April 2025, and while the company didn't show much interest in the problem early on, it eventually worked with them to fix the problem and enabled a stricter “rate-limiting” measure by October.

What was the vulnerability with WhatsApp?
WhatsApp has a basic feature called contact discovery: when you upload your address book, the app tells you which of your contacts use WhatsApp. The researchers found that since WhatsApp had no ‘effective rate-limiting’, the same feature could be used to “scan” huge ranges of phone numbers.

And once a number was confirmed to be on WhatsApp, the same loophole could also be used to retrieve other publicly available information like profile picture, profile text, device type, and linked companion devices.
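The missing control the researchers point to is a per-client cap on how many numbers a contact-discovery endpoint will check in a given time span. The following added example (not WhatsApp's or the researchers' code) sketches both halves of that defence for a generic lookup service: a sliding-window limiter that refuses a batch once a client's looked-up numbers exceed the cap, and a detection pass over constructed server-side log lines that flags clients whose lookup volume is far beyond what an address-book sync would produce. The registry, client ids, limits and log lines are all constructed for the example.

```python
"""Sliding-window rate limiting and volume-based detection for a
contact-discovery style lookup. Added illustration; the registry, clients,
limits and log lines below are constructed for the example."""
from collections import defaultdict, deque

# Constructed sample registry of "registered" numbers (not real data).
REGISTERED = {"+4312345678", "+4498765432", "+15551234567"}


class SlidingWindowLimiter:
    """Allow at most `max_numbers` looked-up numbers per client within any
    `window`-second span. Each accepted batch is recorded as (time, size)."""

    def __init__(self, max_numbers, window):
        self.max_numbers = max_numbers
        self.window = window
        self._history = defaultdict(deque)  # client -> deque of (ts, size)

    def _used(self, client, now):
        hist = self._history[client]
        # Drop batches that have fallen out of the window.
        while hist and now - hist[0][0] >= self.window:
            hist.popleft()
        return sum(size for _, size in hist)

    def allow(self, client, batch_size, now):
        """Return True and record the batch if it fits under the cap."""
        if self._used(client, now) + batch_size > self.max_numbers:
            return False
        self._history[client].append((now, batch_size))
        return True


def contact_discovery(limiter, client, numbers, now):
    """Return the registered subset of `numbers`, or None when the batch is
    throttled. A throttled batch reveals nothing, not even partial results,
    so the cap bounds what any one client can learn per window."""
    unique = set(numbers)
    if not unique:
        return []
    if not limiter.allow(client, len(unique), now):
        return None
    return sorted(n for n in unique if n in REGISTERED)


def flag_enumerators(log_lines, threshold, window):
    """Detection side: lines are 'ts client batch_size'. Return the clients
    whose looked-up numbers within any `window` seconds exceed `threshold`."""
    per_client = defaultdict(list)
    for line in log_lines:
        ts, client, size = line.split()
        per_client[client].append((float(ts), int(size)))
    flagged = set()
    for client, events in per_client.items():
        events.sort()
        recent, total = deque(), 0
        for ts, size in events:
            recent.append((ts, size))
            total += size
            while ts - recent[0][0] >= window:
                total -= recent.popleft()[1]
            if total > threshold:
                flagged.add(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    lim = SlidingWindowLimiter(max_numbers=100, window=3600)
    print(contact_discovery(lim, "c1", ["+4312345678", "+10000000000"], 0.0))
    # Constructed log: one client sweeps thousands of numbers, one syncs normally.
    LOG = ["0 scanner 5000", "30 scanner 5000", "100 normal 40", "4000 normal 60"]
    print(flag_enumerators(LOG, threshold=100, window=3600))
```

The limiter counts distinct numbers rather than requests, so splitting a sweep into many small batches does not help, and the detection pass uses the same sliding window so that the two thresholds can be tuned together against real sync volumes.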

Meta acknowledges security issue:

Meta acknowledged the security issue in a statement to 9to5Mac. A spokesperson for the company said, “We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information.”

“We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers,” it added.

If you use WhatsApp, you might be surprised to know that a group of Austrian researchers managed to extract the phone numbers of 3.5 billion WhatsApp users. Yours might be among them as well. Here's everything you need to know.

Honestly, anyone could've scraped every WhatsApp number out there

When you want to check whether a number is registered on WhatsApp, you simply search for that number on the platform. If the number is associated with a WhatsApp account, you'll see the profile picture and the name set for it. Security researchers at the University of Vienna in Austria used this same technique to extract the WhatsApp numbers of 3.5 billion users.
