In a startling revelation that has sent shockwaves through the digital privacy community, security researchers have uncovered a method that potentially exposed the phone numbers of WhatsApp's entire 3.5 billion user base. The discovery, made by academics from the University of Vienna, represents what the team describes as one of the largest data leaks in history.
The Discovery That Shook WhatsApp's Security
The security flaw was revealed in a paper published on GitHub, the software platform where programmers routinely share code. Researchers managed to bypass WhatsApp's much-vaunted security through a surprisingly simple technique: systematically adding phone numbers to contacts.
This method exploited WhatsApp's contact discovery feature, which allows users to find contacts already using the service. When you add someone to your WhatsApp contacts, the app automatically checks if that number is registered and, if so, displays their profile picture and 'about' information.
The Austrian research team tested this vulnerability by automatically generating and searching for 63 billion possible phone numbers to identify those with active WhatsApp accounts. Their automated system successfully confirmed approximately 100 million user numbers per hour during tests conducted in December 2024 and April 2025.
Beyond Phone Numbers: Additional Privacy Concerns
The data exposure extended far beyond mere phone numbers. Researchers were able to access profile photographs of 57% of users and view the 'about' text sections for 29.3% of accounts. These profile sections often contained sensitive personal information, including religious and political views, and links to other social media profiles.
Perhaps more concerning were findings related to WhatsApp's end-to-end encryption system. The study identified 2.9 million instances where public keys were being reused, potentially undermining the app's encryption security. Alarmingly, at least twenty US numbers shared a public key composed entirely of zeros.
Marijus Briedis, Chief Technology Officer at NordVPN, expressed serious concerns about the implications. "This issue highlights a fundamental problem with WhatsApp's architecture: the phone number itself is the vulnerability," he told Metro. "Because WhatsApp uses numbers as its core identity system, attackers were able to automatically test billions of them and pull back profile details at extraordinary speed."
Industry Response and User Protection
Meta, WhatsApp's parent company, responded to these findings by emphasising that no private user messages were accessed and that all data collected during the study had been securely deleted. The company also stated it found no evidence of malicious actors exploiting this vulnerability.
Nitin Gupta, WhatsApp's Vice President of Engineering, thanked the Austrian academics for discovering what he described as a "novel" security flaw. The research was conducted as part of Meta's Bug Bounty programme, which rewards security researchers for identifying vulnerabilities.
In a statement to Metro, WhatsApp highlighted their ongoing security improvements: "We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defences."
Protecting Your WhatsApp Account
WhatsApp's Help Centre recommends several measures to enhance your account security:
- Use the Locked Chats feature with password protection to hide sensitive conversations
- Restrict who can view your profile picture through privacy settings
- Secure your account using Face ID, Touch ID, or fingerprint authentication
- Utilise the 'view once' option for media and voice messages to prevent saving
- Carefully manage who can see your status updates
Briedis concluded with a warning about the broader implications: "The scale of this incident – potentially affecting billions of numbers – should be a wake-up call for any platform that still relies on phone numbers for identity. Phone numbers were never designed to be secure identifiers; they're too public, too permanent and too easily scraped."
While Meta maintains that user messages remained secure throughout this incident, the discovery raises important questions about digital identity systems and the ongoing battle between convenience and security in our increasingly connected world.
