In an alarming discovery, security researchers identified a critical vulnerability in WhatsApp, exposing the phone numbers of over 3 billion users worldwide. This privacy lapse could allow cybercriminals to collect information and identify users, opening the door to highly targeted attacks.
This vulnerability was unearthed by experts from the University of Vienna and SBA Research. The flaw is linked to WhatsApp’s contact discovery feature, which matches the mobile numbers in a user's address book against the app's central database. While designed to show which contacts are on WhatsApp, this feature could be exploited by nefarious actors to mine phone numbers, profile pictures, and users’ status updates.
“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences,” noted Gabriel Gegenhuber from the University of Vienna.
The research, published in a preprint paper titled ‘Hey there! You are using WhatsApp: Enumerating three billion accounts for security and privacy,’ has set alarm bells ringing in the security community. Experts describe it as a "wake-up call" for platforms using phone numbers as IDs, given their vulnerability to scraping.
Marijus Briedis, CTO at NordVPN, explained to The Independent, “This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability.” Briedis emphasized how attackers could test millions of numbers to retrieve profile details rapidly, creating a goldmine for scammers and cybercriminals.
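Enumeration through contact discovery, as described above, is a volume problem: a legitimate client looks up the numbers in one address book, while a scraper submits millions of candidate numbers. The following is an added example, not code from the article, the researchers, or WhatsApp, of a server-side detector run over constructed lookup records; the log format, client ids, and thresholds are assumptions.

```python
"""Flag contact-discovery clients whose lookup pattern resembles enumeration.

Each record is (unix_timestamp, client_id, phone_number). The records, the
thresholds and the client ids are constructed for this example.
"""
from collections import defaultdict


def constructed_log():
    """Build sample records: an honest client and a scraping client (constructed)."""
    # c1 syncs a three-entry address book.
    records = [(1700000000 + i, "c1", f"+1555000{i:04d}") for i in range(3)]
    # c2 walks 500 consecutive numbers in under a minute, the scraping pattern.
    records += [(1700000000 + i // 10, "c2", f"+1555010{i:04d}") for i in range(500)]
    return records


def lookups_per_window(records, window_s=60):
    """Group distinct looked-up numbers by (client, time window)."""
    counts = defaultdict(set)
    for ts, client, number in records:
        counts[(client, ts // window_s)].add(number)
    return counts


def sequential_fraction(numbers):
    """Fraction of adjacent sorted numbers that differ by exactly one."""
    vals = sorted(int(n.lstrip("+")) for n in numbers)
    if len(vals) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(vals, vals[1:]) if b - a == 1)
    return steps / (len(vals) - 1)


def flag_enumeration(records, max_distinct=200, window_s=60, seq_threshold=0.8):
    """Return client ids that either exceed the per-window lookup budget or
    walk a contiguous number range (at least 20 numbers, mostly sequential)."""
    flagged = set()
    for (client, _window), numbers in lookups_per_window(records, window_s).items():
        too_many = len(numbers) > max_distinct
        range_walk = len(numbers) >= 20 and sequential_fraction(numbers) >= seq_threshold
        if too_many or range_walk:
            flagged.add(client)
    return flagged


if __name__ == "__main__":
    print(sorted(flag_enumeration(constructed_log())))  # ['c2']
```

Both signals matter: a scraper can stay under a pure rate limit by spreading lookups across windows, which is why the detector also scores how sequential the looked-up numbers are.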
Meta, WhatsApp's parent company, has responded by addressing and mitigating this issue, asserting that there is no evidence of misuse by malicious actors. A company spokesperson expressed gratitude towards the University of Vienna researchers for their responsible collaboration through Meta's Bug Bounty program.
In a related development, former WhatsApp security chief Attaullah Baig filed a lawsuit in California in September, accusing Meta of breaching cybersecurity regulations and jeopardizing billions of users. Baig, who served as head of security from 2021 to 2025, claimed the company failed to prevent daily hacks affecting over 100,000 accounts.