Researchers from the University of Vienna discovered a major privacy flaw in WhatsApp: they were able to enumerate 3.5 billion registered phone numbers using a simple trick involving WhatsApp’s contact-discovery feature. By checking whether a number is on WhatsApp, the researchers collected not only phone numbers but also associated profile data — including profile photos for over half of those accounts, and “About” texts for nearly 30%.
They did this by automating requests through WhatsApp Web at extremely high speed — around 100 million numbers per hour, with no real barrier from WhatsApp. The scale of this enumeration is unprecedented.
The vulnerability had been flagged before, in 2017, but it was only in October 2025 that WhatsApp added stricter rate-limiting protections to slow down this type of mass scraping. Meta, WhatsApp’s parent company, thanked the researchers through its bug bounty programme. Meta insists that the exposed data was “public by default” and that the end-to-end encryption protecting user messages was never compromised.
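The kind of rate limiting described above, as an added illustration that is not WhatsApp's or Meta's code: a per-account sliding-window limiter that caps how many distinct numbers one client may check through contact discovery per hour and flags accounts that hit the cap. The window, threshold and the traffic fed into it are constructed assumptions, not values from the report.

```python
from collections import deque, defaultdict

# Assumed limits (placeholders, not WhatsApp's real settings): each account may
# look up at most MAX_LOOKUPS distinct numbers per WINDOW_SECONDS.
WINDOW_SECONDS = 3600
MAX_LOOKUPS = 5000

class ContactDiscoveryLimiter:
    def __init__(self, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS):
        self.window = window
        self.max_lookups = max_lookups
        self.history = defaultdict(deque)                  # account -> (ts, number)
        self.counts = defaultdict(lambda: defaultdict(int))  # account -> number -> hits
        self.flagged = set()                               # accounts that hit the cap

    def _prune(self, account, now):
        # Drop lookups that have aged out of the window.
        q, counts = self.history[account], self.counts[account]
        while q and now - q[0][0] >= self.window:
            _, n = q.popleft()
            counts[n] -= 1
            if counts[n] == 0:
                del counts[n]

    def check(self, account, number, now):
        """Return True if the lookup may proceed, False if it is throttled."""
        self._prune(account, now)
        q, counts = self.history[account], self.counts[account]
        # Re-checking an already-seen contact is free; only new numbers count.
        if number not in counts and len(counts) >= self.max_lookups:
            self.flagged.add(account)
            return False
        q.append((now, number))
        counts[number] += 1
        return True

def simulate(limiter, account, numbers, start=0.0, per_request=0.0036):
    """Feed numbers at a fixed pace; return (allowed, rejected) counts."""
    allowed = rejected = 0
    for i, n in enumerate(numbers):
        if limiter.check(account, n, start + i * per_request):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected

# Constructed traffic: a normal client syncing 300 contacts, and a scraper
# sweeping 6000 sequential numbers within the same hour.
NORMAL = [f"+4366{i:07d}" for i in range(300)]
SWEEP = [f"+4367{i:07d}" for i in range(6000)]
```

With these inputs the normal client is never throttled, while the sweep is cut off at the cap and the account is flagged for review.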
The researchers also raised concerns about how phone numbers are used as unique identifiers. They argued that this model is problematic because it makes large-scale data collection easier. They suggest that WhatsApp should switch to a more privacy-respecting system, such as usernames, to avoid this risk in the future.