Security Flaw in WhatsApp Exposes Data of 3.5 Billion Users

In a revelation that highlights the fragility of privacy on the world’s largest messaging platform, researchers from the University of Vienna announced a serious security vulnerability in WhatsApp that allowed access to the phone numbers of approximately 3.5 billion users worldwide, along with their profile photos and “About” text. Experts described the discovery as what could have been the largest data leak in history, had the information not been collected as part of a controlled research study, and it raises major questions about WhatsApp’s ability to protect users while relying on phone numbers as account identifiers.

According to the Austrian research team, the vulnerability enabled the extraction of personal details on billions of users, making it one of the most extensive exposures of user data ever documented.

How the Flaw Worked

As reported by Wired, the issue stemmed from WhatsApp’s contact discovery mechanism, which allows users to add a phone number to determine whether it is registered on the platform. The researchers found that this system could be exploited to automatically check billions of phone numbers and harvest data at massive scale.

They were able to:

Collect phone numbers for roughly 3.5 billion users

Access profile photos for around 57% of accounts

Retrieve “About” text for approximately 29% of accounts

Despite warnings dating back to 2017 about potential risks, the app reportedly did not implement strict rate limits on web requests, enabling researchers to check up to 100 million numbers per hour. They noted that, in the wrong hands, this could have resulted in the largest personal data exposure ever recorded.
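The fix Meta applied, a strict limit on lookup requests, is easiest to reason about as a per-account quota on the number of phone numbers checked per window rather than on raw request count. The following is an added example, not WhatsApp’s or the researchers’ code: it assumes a hypothetical lookup endpoint that accepts a batch of numbers per request, a cap of 5,000 numbers per hour per account, and constructed sample events for a normal user and a bulk scanner.

```python
"""Sliding-window quota for a contact-discovery lookup endpoint.

Added example, not WhatsApp's or the researchers' code. It assumes a
hypothetical batch lookup API and a per-account cap on numbers checked
per hour; counting numbers rather than requests is what stops a client
that hides bulk enumeration behind large batches.
"""
from collections import defaultdict, deque


class LookupQuota:
    """Caps how many phone numbers one account may look up per window."""

    def __init__(self, max_numbers, window_s=3600):
        self.max_numbers = max_numbers
        self.window_s = window_s
        # account -> deque of (timestamp, batch_size) still inside the window
        self._events = defaultdict(deque)

    def _prune(self, account, now):
        q = self._events[account]
        while q and now - q[0][0] >= self.window_s:
            q.popleft()  # batches older than the window no longer count
        return q

    def used(self, account, now):
        """Numbers this account has looked up within the current window."""
        return sum(n for _, n in self._prune(account, now))

    def allow(self, account, now, batch_size):
        """Record the batch and return True if it fits the remaining quota."""
        if self.used(account, now) + batch_size > self.max_numbers:
            return False
        self._events[account].append((now, batch_size))
        return True


def replay(events, max_numbers):
    """Run (account, timestamp, batch_size) events through the quota and
    return {account: (allowed_requests, denied_requests)}."""
    quota = LookupQuota(max_numbers)
    stats = defaultdict(lambda: [0, 0])
    for account, ts, batch in events:
        stats[account][0 if quota.allow(account, ts, batch) else 1] += 1
    return {a: tuple(v) for a, v in stats.items()}


# Constructed sample: one user syncing an address book, and a scanner
# sending a batch of 1,000 numbers every second for 30 seconds.
SAMPLE_EVENTS = [("user_a", 0, 120), ("user_a", 60, 5)] + [
    ("scanner", t, 1000) for t in range(30)
]
```

With the cap removed (a very large `max_numbers`), the scanner’s 30 batches all pass, which is the pre-patch behaviour the researchers describe; with the cap in place only the first five do.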

Meta Responds

Alyosha Gudmeier, one of the researchers, stated:

“To the best of our knowledge, this represents the largest documented exposure of phone numbers and associated user data ever recorded.”

The research team notified Meta—the parent company of WhatsApp—of their findings in April 2025 and deleted their database afterward. By October, Meta had patched the flaw by introducing strict limits on lookup requests, preventing large-scale exploitation of the contact discovery feature.

Researcher Max Günther warned:

“If we were able to do this easily, others could have as well.”

Meta confirmed that only publicly visible information was accessible and that no private messages, which remain protected by end-to-end encryption, were compromised.

Nitin Gupta, Vice President of Engineering at WhatsApp, stated:

“We found no evidence of malicious exploitation of this vulnerability, and user messages remained fully secure.”

Broader Security Concerns

The study also highlighted that some accounts were using duplicated encryption keys—an issue that could pose risks if misused to decrypt messages. Researchers believe this may be linked to the use of unofficial WhatsApp applications, rather than the official platform.

The findings underscore a fundamental limitation of relying on phone numbers as primary user identifiers. Phone numbers, the researchers argue, lack sufficient randomness to serve as secure identifiers for billions of accounts.

Gudmeier added:

“Phone numbers were never meant to be secret identifiers, yet they are used as such in practice. This reveals a core challenge in protecting user data at global scale.”

Data Exposure by Country

The percentage of exposed data varied by region:

United States: 44% of accounts showed profile photos; 33% revealed “About” text

India: 62% displayed profile photos

Brazil: 61% displayed profile photos

The study highlights growing concerns about data privacy on platforms that rely on phone numbers as account keys—placing increased pressure on WhatsApp and Meta to further strengthen their security frameworks.