WhatsApp security flaw exposes 3.5 billion people’s phone numbers

Security experts say vulnerability is a ‘goldmine for scammers, criminals and well-resourced cyber groups’

Anthony Cuthbertson
Thursday 20 November 2025 21:34 GMT
The WhatsApp logo pictured in front of a laptop screen in Guildford, UK, on 17 April, 2025 (AFP via Getty Images)

Security researchers have discovered a critical vulnerability in WhatsApp that exposes the phone numbers of more than 3 billion users worldwide.

The privacy flaw could be used by cyber criminals to gather profile information and infer the identities of users of the world’s most popular messaging app, which could then be used to carry out highly-targeted attacks.

Uncovered by a team from the University of Vienna and SBA Research, the privacy weakness centres on WhatsApp’s contact discovery mechanism, which asks users for permission to match the mobile numbers in their address book against the app’s central database.

This allows WhatsApp to show which contacts are also using the messaging app; however, because the same lookup will confirm any number an attacker chooses to submit, it could also be used by malicious actors to enumerate accounts and scrape phone numbers, profile photos and users’ ‘About’ status.
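As an added illustration (not the researchers’ code and not WhatsApp’s or Meta’s implementation), the following Python model shows why an unthrottled contact-discovery endpoint doubles as an enumeration oracle, and how per-client batch and quota limits bound what a single scraper can learn from it. The directory of registered numbers, the number range, the batch sizes and the quotas are all constructed for the example and say nothing about WhatsApp’s real limits.

```python
"""Toy model of phone-number contact discovery and the enumeration risk it carries.

Hypothetical code added for illustration. It is not WhatsApp's or Meta's
implementation and makes no claim about their real API, batch sizes or quotas.
"""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    number: str
    photo: Optional[str]   # profile photo, or None if the user hides it
    about: str             # the 'About' status line


# Constructed sample directory: three registered numbers in a made-up
# +1555xxxx range. A real service would hold billions of entries.
DIRECTORY = {
    "+15550100": Profile("+15550100", "photo_a.jpg", "Hey there! I am using WhatsApp."),
    "+15551337": Profile("+15551337", None, "Busy"),
    "+15559172": Profile("+15559172", "photo_c.jpg", "Available"),
}


def discover_unlimited(client_id, numbers):
    """Vulnerable discovery: answers any batch of any size with no per-client limit,
    so every number submitted is confirmed or denied for free."""
    return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


class RateLimitedDiscovery:
    """Hardened discovery: caps batch size and the total lookups a client may make.
    The numbers below are arbitrary for the example."""

    def __init__(self, max_batch=50, max_lookups_per_client=200):
        self.max_batch = max_batch
        self.max_lookups = max_lookups_per_client
        self.usage = {}  # client_id -> lookups consumed

    def discover(self, client_id, numbers):
        numbers = list(dict.fromkeys(numbers))  # deduplicate before counting
        if len(numbers) > self.max_batch:
            raise ValueError("batch too large")
        used = self.usage.get(client_id, 0)
        if used + len(numbers) > self.max_lookups:
            raise PermissionError("lookup quota exceeded")
        self.usage[client_id] = used + len(numbers)
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


def candidate_numbers(prefix="+1555", start=0, stop=10_000):
    """Generate every number in a made-up 4-digit block: the attacker's input space."""
    for i in range(start, stop):
        yield f"{prefix}{i:04d}"


def enumerate_range(discover, client_id, batch=500, limit=10_000):
    """Scraper loop: sweep the whole block in batches and keep whatever the server confirms.
    Returns (profiles found, successful calls, name of the error that stopped it or None)."""
    found, calls = {}, 0
    it = candidate_numbers(stop=limit)
    while True:
        chunk = list(itertools.islice(it, batch))
        if not chunk:
            return found, calls, None
        try:
            found.update(discover(client_id, chunk))
        except (ValueError, PermissionError) as exc:
            return found, calls, type(exc).__name__
        calls += 1


if __name__ == "__main__":
    # Unthrottled endpoint: the whole block is enumerated in 20 calls.
    found, calls, stopped = enumerate_range(discover_unlimited, "scraper")
    print(f"unlimited: {len(found)} profiles in {calls} calls, stopped={stopped}")

    # Hardened endpoint: oversized batches are refused outright ...
    hardened = RateLimitedDiscovery()
    found, calls, stopped = enumerate_range(hardened.discover, "scraper", batch=500)
    print(f"hardened, batch=500: {len(found)} profiles in {calls} calls, stopped={stopped}")

    # ... and a scraper that adapts to the batch cap still hits the quota.
    hardened = RateLimitedDiscovery()
    found, calls, stopped = enumerate_range(hardened.discover, "scraper", batch=50)
    print(f"hardened, batch=50: {len(found)} profiles in {calls} calls, stopped={stopped}")
```

The quota in the model is per client; a determined scraper will spread lookups across many registrations, so in practice the per-client cap has to be paired with account-creation controls and anomaly detection on lookup patterns, which the model deliberately leaves out.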

“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences," said researcher Gabriel Gegenhuber from the University of Vienna.

"They show that security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves."

The team’s findings were published in a preprint paper titled ‘Hey there! You are using WhatsApp: Enumerating three billion accounts for security and privacy’.

Security experts have described the discovery as a “wake-up call” for platforms still using phone numbers as a form of user identity, which they warn are too public, too permanent, and too easily scraped to be used for this purpose.

“This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability,” Marijus Briedis, chief technology officer at VPN and security firm NordVPN, told The Independent.

“WhatsApp uses numbers as its core identity system, [so] attackers were able to automatically test billions of them and pull back profile details at extraordinary speed.”

With someone’s phone number, profile photo and status, cyber criminals would be able to build highly-targeted impersonation attacks, Mr Briedis noted.

“At scale, this becomes a goldmine for scammers, criminals and well-resourced cyber groups,” he said.

Meta, WhatsApp’s parent company, says it has since addressed and mitigated the issue, and that it has found no evidence of malicious actors abusing the flaw.

“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program,” a spokesperson told The Independent.

“Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.”

A former security chief of WhatsApp recently accused Meta of violating cyber security regulations, putting billions of users at risk.

Attaullah Baig, who served as WhatsApp’s head of security from 2021 to 2025, filed a lawsuit in September with the US District Court for the Northern District of California that alleged WhatsApp failed to address the hacking and takeover of more than 100,000 accounts each day.
