Security researchers have uncovered a major vulnerability in WhatsApp that left more than 3 billion users’ phone numbers exposed, raising fresh concerns about the privacy safeguards of the world’s most widely used messaging service. Experts warn that the flaw could have enabled cyber criminals to compile detailed user profiles and potentially identify individuals, paving the way for highly targeted cyber attacks.
The issue was identified by a team from the University of Vienna and SBA Research, who found that the weakness stemmed from WhatsApp’s contact discovery system. This feature, which asks for permission to sync the numbers in a user’s address book with WhatsApp’s central database, is designed to show which contacts also use the platform.
However, researchers discovered that this same mechanism could be exploited by malicious actors to systematically harvest phone numbers, profile photos, and users’ “About” information.
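The defensive counterpart to the harvesting described above is volume control on the contact-discovery endpoint: a legitimate address-book sync submits a bounded number of contacts, while an enumeration run submits huge batches over and over. The following is an added illustration, not code from the researchers or from WhatsApp/Meta; it assumes a hypothetical sync service that logs one line per request (timestamp, client id, count of numbers submitted) and applies both a per-request cap and a sliding-window cap per client. The log format, client names and thresholds are constructed for this example.

```python
"""Rate limiting and replay of contact-discovery sync requests.

Added illustration (not the messaging service's own code). Assumes a
hypothetical sync endpoint whose access log has the constructed form:
    <ISO-8601 timestamp> client=<id> numbers=<count submitted>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 'alice' and 'bob' behave like real users,
# 'scanner' submits enormous batches, 'bulk' stays under the per-request
# cap but exceeds the per-minute volume cap.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z client=alice numbers=212
2024-01-01T10:00:05Z client=bob numbers=35
2024-01-01T10:00:07Z client=scanner numbers=50000
2024-01-01T10:00:09Z client=scanner numbers=50000
2024-01-01T10:00:10Z client=bulk numbers=4000
2024-01-01T10:00:12Z client=bulk numbers=4000
2024-01-01T10:00:14Z client=bulk numbers=4000
2024-01-01T10:00:16Z client=bulk numbers=4000
2024-01-01T10:00:18Z client=bulk numbers=4000
2024-01-01T10:00:20Z client=bulk numbers=4000
2024-01-01T10:00:30Z client=alice numbers=3
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, count)."""
    ts, client, numbers = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        client.split("=", 1)[1],
        int(numbers.split("=", 1)[1]),
    )


class ContactSyncLimiter:
    """Per-client limiter: a cap on numbers per request and a cap on
    numbers per sliding time window. Thresholds are illustrative."""

    def __init__(self, per_request_cap=5_000,
                 window=timedelta(minutes=1), window_cap=20_000):
        self.per_request_cap = per_request_cap
        self.window = window
        self.window_cap = window_cap
        self.history = defaultdict(list)  # client -> [(ts, count)] allowed

    def allow(self, client, ts, count):
        """Return True if the request may be served, False if it is refused."""
        if count > self.per_request_cap:
            return False
        recent = [(t, c) for t, c in self.history[client] if ts - t < self.window]
        if sum(c for _, c in recent) + count > self.window_cap:
            self.history[client] = recent
            return False
        recent.append((ts, count))
        self.history[client] = recent
        return True


def replay(log_text, limiter=None):
    """Replay a log through the limiter; return {client: (allowed, denied)}."""
    limiter = limiter or ContactSyncLimiter()
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, n = parse_line(line)
        counts[client][0 if limiter.allow(client, ts, n) else 1] += 1
    return {client: tuple(v) for client, v in counts.items()}


def suspicious_clients(report):
    """Clients with at least one refused request are candidates for review."""
    return {client for client, (_, denied) in report.items() if denied}


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for client, (ok, refused) in sorted(result.items()):
        print(f"{client:8} allowed={ok} refused={refused}")
    print("review:", sorted(suspicious_clients(result)))
```

The per-request cap stops the obvious case immediately; the sliding window catches a client that shrinks its batches to stay under it. In a production service the window state would live in a shared store keyed by an authenticated client identity, and refusals would feed an alerting pipeline rather than just a return value.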
Gabriel Gegenhuber, of the University of Vienna, emphasised the broader implications of the discovery:
“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws with real-world consequences. They show that security and privacy are not one-time achievements, but must be continually reassessed as technology develops.”
The research was published in a preprint titled “Hey there! You are using WhatsApp: Enumerating three billion accounts for security and privacy.”
Cyber security specialists have described the revelation as a “wake-up call” for technology firms still relying on phone numbers as identifiers, arguing that they are too public, too permanent, and too easily harvested to serve as secure digital credentials.
Marijus Briedis, chief technology officer at NordVPN, told The Independent:
“This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability. Attackers were able to automatically test billions of numbers and retrieve profile details at remarkable speed.”
He added that with access to a person’s number, profile picture, and status, criminals could create highly convincing impersonation attacks.
“At scale, this becomes a goldmine for scammers, criminals, and sophisticated cyber groups.”
Meta, WhatsApp’s parent company, has since mitigated the vulnerability and says it has found no evidence that the flaw was exploited by malicious actors.
A Meta spokesperson told The Independent:
“We are grateful to the University of Vienna researchers for their responsible collaboration as part of our Bug Bounty programme. Crucially, the researchers securely deleted all data collected for the study, and we have found no indication that the flaw was abused in the wild.”
The discovery comes amid wider scrutiny of Meta’s security practices. In September, Attaullah Baig, WhatsApp’s former head of security (2021–2025), filed a lawsuit in the US alleging that the company failed to curb the hacking and takeover of more than 100,000 accounts each day, potentially placing billions of users at risk.