A weakness in WhatsApp allowed researchers to enumerate the phone numbers of 3.5 billion users, a massive exposure of personal data. The issue, identified by a team at the University of Vienna, stemmed from contact discovery, the feature that tells the app which of a user’s address-book entries belong to WhatsApp accounts. Because that lookup could be made for arbitrary numbers with no meaningful limit on volume, the researchers were able to query it systematically and map out a significant portion of the service’s user base.
The method involved repeatedly submitting requests to determine whether specific phone numbers were registered on WhatsApp. For a substantial percentage of those numbers – 57% – researchers were also able to retrieve profile photos, and for another 29%, they accessed the text displayed in users’ “About” sections. The exposure therefore went beyond confirming that a number is in use: each hit also yielded whatever account metadata the user had left visible to everyone.
While a previous warning about this type of data exposure was issued in 2017, Meta, WhatsApp’s parent company, did not initially limit the rate at which these contact discovery requests could be made. Researchers were able to check approximately 100 million numbers per hour, accelerating the data collection process. According to the researchers, this lack of rate limiting transformed a convenience feature into a tool for potentially the “largest data leak in history,” had the data not been collected as part of a responsible research study.
The researchers alerted Meta to their findings in April 2025. The company subsequently implemented a more stringent “rate limiting” measure in October 2025, effectively blocking the large-scale contact discovery technique used in the study. However, until that point, the vulnerability could have been exploited by malicious actors.
The extent of the exposure varied geographically. In India, where WhatsApp has a particularly large user base (nearly 750 million numbers were identified), 62% of accounts had publicly visible profile photos. In Brazil, 61% of the 206 million numbers discovered had publicly accessible profile pictures. This suggests that privacy settings are not uniformly applied across WhatsApp’s user base, and that a significant number of users may be inadvertently sharing more information than they intend.
WhatsApp’s Vice President of Engineering, Nitin Gupta, acknowledged the research and emphasized its value in strengthening the platform’s security. In a statement, Gupta noted that the researchers’ work helped validate the effectiveness of anti-scraping systems already under development. He also stressed that no non-public data was accessible to the researchers and that the messages of users remained protected by WhatsApp’s end-to-end encryption.
The core of the issue lies in the way WhatsApp handles contact syncing. The app submits the phone numbers in the user’s address book to WhatsApp’s servers, which reply with which of them belong to registered accounts. The server has no way to tell whether a submitted number is a genuine contact or one generated by a script, so a client that submits consecutive number ranges instead of an address book turns the lookup into an enumeration oracle. The researchers automated exactly this, effectively turning a user-friendly feature into a data harvesting tool.
This incident underscores the inherent tension between usability and privacy in modern messaging applications. Features designed to simplify communication – such as automatic contact syncing – can inadvertently create security vulnerabilities. The incident also highlights the importance of robust abuse controls on such features: per-client rate limiting, limits on how many distinct numbers a single client can resolve over time, and detection of lookup patterns that look like enumeration rather than address-book syncing.
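The kind of control the two preceding paragraphs call for, as an added example (not WhatsApp’s, Meta’s or the researchers’ code): a simulated contact-discovery endpoint with two independent per-client limits, a token bucket on raw lookup volume and a cap on the number of distinct phone numbers a client may resolve within a rolling day. The client identifiers, the lookup API shape, the limit values and the registry of “registered” numbers are all assumptions constructed for the demo, and a fake clock makes it run deterministically offline. A phone re-syncing a 300-entry address book passes both limits; a client walking consecutive number ranges is throttled first by the rate and then by the distinct-number cap.

```python
"""Per-client limits for a contact-discovery ("which of these numbers are
registered?") endpoint.  Added example, not WhatsApp's code: the client ids,
lookup API, limit values and registry below are all hypothetical."""
import time


class ContactLookupLimiter:
    """Two controls per client: a token bucket on lookup volume, and a cap on
    *distinct* numbers resolved in a rolling window.  Re-syncing the same
    address book never grows the distinct set; walking a number range does,
    so the second control is the enumeration signal."""

    def __init__(self, burst, per_hour, max_distinct, window_seconds,
                 clock=time.time):
        self.burst, self.per_hour = burst, per_hour
        self.max_distinct, self.window = max_distinct, window_seconds
        self.clock = clock
        self._buckets = {}   # client_id -> [tokens, last_refill_time]
        self._seen = {}      # client_id -> {number: first_seen_time}

    def _bucket(self, client_id, now):
        bucket = self._buckets.setdefault(client_id, [self.burst, now])
        # Whole-token refill only.  If less than one token has accrued the
        # timestamp is left alone, so short gaps still add up later.
        refill = (now - bucket[1]) * self.per_hour // 3600
        if refill >= 1:
            bucket[0] = min(self.burst, bucket[0] + refill)
            bucket[1] = now
        return bucket

    def _seen_set(self, client_id, now):
        seen = self._seen.setdefault(client_id, {})
        for n in [n for n, t in seen.items() if t <= now - self.window]:
            del seen[n]
        return seen

    def check(self, client_id, numbers):
        """Split numbers into (allowed, rejected, reason).  Tokens are consumed
        only for allowed lookups; reason is the first limit hit or None."""
        now = self.clock()
        bucket, seen = self._bucket(client_id, now), self._seen_set(client_id, now)
        allowed, rejected, reason = [], [], None
        for n in numbers:
            if bucket[0] < 1:
                reason = reason or "rate"
                rejected.append(n)
                continue
            new = n not in seen
            if new and len(seen) >= self.max_distinct:
                reason = reason or "distinct"
                rejected.append(n)
                continue
            bucket[0] -= 1
            if new:
                seen[n] = now
            allowed.append(n)
        return allowed, rejected, reason


class ContactDiscoveryService:
    """Answers which submitted numbers belong to registered accounts."""

    def __init__(self, registered, limiter):
        self.registered, self.limiter = set(registered), limiter

    def lookup(self, client_id, numbers):
        allowed, rejected, reason = self.limiter.check(client_id, numbers)
        return {"registered": [n for n in allowed if n in self.registered],
                "throttled": len(rejected), "reason": reason}


class FakeClock:
    """Deterministic clock for the demo (integer seconds)."""
    def __init__(self):
        self.t = 0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def number(i):
    return "+43660%07d" % i   # constructed test numbers, not real ones


def demo():
    clock = FakeClock()
    # Constructed registry: numbers whose last digit is 0-4 are "registered".
    registered = {number(i) for i in range(100_000) if i % 10 < 5}
    svc = ContactDiscoveryService(registered, ContactLookupLimiter(
        burst=5000, per_hour=2000, max_distinct=20_000,
        window_seconds=86_400, clock=clock))
    # Legitimate phone: syncs the same 300-entry address book twice a day.
    book = [number(i) for i in range(300)]
    sync1 = svc.lookup("phone-A", book)
    clock.advance(12 * 3600)
    sync2 = svc.lookup("phone-A", book)
    # Scraper: 100,000 consecutive numbers in 5,000-number pages, one per hour.
    scraped = []
    for p in range(0, 100_000, 5000):
        scraped.append(svc.lookup("scraper-B", [number(i) for i in range(p, p + 5000)]))
        clock.advance(3600)
    return sync1, sync2, scraped


if __name__ == "__main__":
    s1, s2, sc = demo()
    print("phone-A:", len(s1["registered"]), len(s2["registered"]), "hits, 0 throttled")
    print("scraper-B: resolved", sum(len(r["registered"]) for r in sc),
          "registered numbers; throttled", sum(r["throttled"] for r in sc))
```

The distinct-number cap is the more targeted of the two controls: a real address book is re-submitted over and over but rarely grows by thousands of entries, whereas enumeration adds new numbers with every request. At the assumed limits one client can resolve at most 20,000 numbers a day, against the 100 million an hour the researchers reported, so covering 3.5 billion numbers would take on the order of 175,000 client-days rather than one unthrottled client.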
The implications of this data exposure are significant. While WhatsApp maintains that user messages were protected by end-to-end encryption, a list of confirmed-active phone numbers, enriched with profile photos and “About” text where those were public, is exactly what targeted phishing, spam campaigns and other social-engineering attacks need. The sheer scale of the exposure – affecting billions of users – makes it particularly concerning.
The researchers responsibly deleted their copy of the collected data after alerting Meta. However, the incident serves as a stark reminder of the importance of regularly reviewing and adjusting privacy settings on messaging applications. Users should be aware of the information they are making publicly available and take steps to limit their digital footprint.
WhatsApp’s response, while ultimately effective in mitigating the vulnerability, raises questions about the speed with which the company initially addressed the issue. The fact that researchers were able to collect billions of phone numbers over a period of months before the issue was fully resolved suggests a potential lag in security responsiveness. The incident will likely prompt further scrutiny of WhatsApp’s security practices and a renewed focus on protecting user data.
