A significant privacy flaw in the widely used instant messaging platform WhatsApp has reportedly exposed the phone numbers and profile photos of 3.5 billion people worldwide. Cybersecurity researchers discovered that a technical issue allowed external websites and third-party tools to access user information even without being added as contacts.
Researchers at the University of Vienna were able to pull 3.5 billion phone numbers by leveraging a “simple” method that took advantage of WhatsApp’s contact-discovery feature.
This has raised serious concerns about personal data security on one of the world’s most widely used instant messaging apps.
What exactly happened?
According to cybersecurity experts, the flaw was linked to WhatsApp’s “Click to Chat” feature, which allows users to start a chat without saving a phone number. When such a link was generated, it sometimes leaked user details through publicly accessible URLs on search engines. As a result, phone numbers, profile pictures, and even names became visible to anyone who knew where to look.
Global Impact
Since WhatsApp has more than two billion users, the flaw potentially exposed information from almost every user worldwide. This kind of data leak can put people at risk of spam, scams, impersonation, and cyber-harassment.
Privacy experts are therefore repeating that sensitive data such as phone numbers should never be publicly accessible, especially on platforms that position themselves as secure.
Meta Bug Bounty Response!
As per Meta Bug Bounty, this is misleading – there was no data leak or security flaw. These are results from academic research WhatsApp collaborated on through our Bug Bounty program to help identify and successfully mitigate potential gaps against novel enumeration/scraping methods. No non-public data was accessible to the researchers, they securely deleted the data collated as part of the study, and we’ve found no evidence of adversarial abuse of this vector.
https://x.com/metabugbounty/status/1991230258276614476?s=19
WhatsApp responds:
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers,” said Nitin Gupta, VP of Engineering at WhatsApp.
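The “intended limits” and anti-scraping systems mentioned in the statement are the kind of per-client controls an anti-enumeration layer applies to a contact-discovery endpoint. The following is an added example, not WhatsApp’s code: it assumes a constructed registry of numbers and a hypothetical `ContactDiscoveryGuard` that enforces a batch cap, an hourly quota, and a miss-ratio check, on the reasoning that a genuine address-book sync mostly hits registered numbers while bulk enumeration mostly queries unregistered ones.

```python
from collections import defaultdict

# Constructed registry of "registered" numbers for the demo (not real data):
# roughly one in seven numbers in a small block is registered.
REGISTERED = {f"+1555000{i:04d}" for i in range(0, 10000, 7)}


class ContactDiscoveryGuard:
    """Hypothetical guard in front of a phone-number lookup endpoint."""

    def __init__(self, max_batch=100, hourly_quota=1000,
                 miss_ratio_limit=0.8, min_sample=200):
        self.max_batch = max_batch            # numbers allowed per request
        self.hourly_quota = hourly_quota      # numbers allowed per client per hour
        self.miss_ratio_limit = miss_ratio_limit  # block above this miss fraction
        self.min_sample = min_sample          # don't judge ratio on tiny samples
        self.usage = defaultdict(list)        # client -> [(timestamp, count)]
        self.stats = defaultdict(lambda: [0, 0])  # client -> [queried, missed]
        self.blocked = set()

    def lookup(self, client, numbers, now):
        """Return {"status": ..., "found": [...]} for one lookup request."""
        if client in self.blocked:
            return {"status": "blocked", "found": []}
        if len(numbers) > self.max_batch:
            return {"status": "batch_too_large", "found": []}
        # Sliding one-hour window for the per-client quota.
        window = [(t, n) for t, n in self.usage[client] if now - t < 3600]
        if sum(n for _, n in window) + len(numbers) > self.hourly_quota:
            return {"status": "quota_exceeded", "found": []}
        window.append((now, len(numbers)))
        self.usage[client] = window
        found = [n for n in numbers if n in REGISTERED]
        queried, missed = self.stats[client]
        queried += len(numbers)
        missed += len(numbers) - len(found)
        self.stats[client] = [queried, missed]
        # Enumeration signal: a large sample that is mostly misses.
        if queried >= self.min_sample and missed / queried > self.miss_ratio_limit:
            self.blocked.add(client)
            return {"status": "blocked", "found": []}
        return {"status": "ok", "found": found}


def simulate():
    """Legit address-book sync vs. sequential enumeration (constructed inputs)."""
    guard = ContactDiscoveryGuard()
    address_book = sorted(REGISTERED)[:40] + ["+15550009999", "+15550009998"]
    legit_status = guard.lookup("alice", address_book, now=0)["status"]
    enum_statuses = []
    for batch in range(3):  # 100 consecutive numbers per request
        nums = [f"+1555000{i:04d}" for i in range(batch * 100, batch * 100 + 100)]
        enum_statuses.append(guard.lookup("scraper", nums, now=batch)["status"])
    return legit_status, enum_statuses
```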
Why This Matters?
This incident shows how even trusted social media apps can expose users’ data due to overlooked technical issues.
In an era when billions of people rely on messaging apps for personal, professional, and financial conversations, protecting basic details like phone numbers is essential for these platforms and apps.
Cybersecurity experts recommend that users review their privacy settings regularly and stay alert to unusual activity on their accounts.
