5 min read

Imagine if a stranger could find your phone number and photo online just by guessing. Researchers discovered a security gap in WhatsApp that enabled this for billions of people.
They were able to collect data about nearly half the planet’s population without using any traditional hacking techniques.
This required nothing more than WhatsApp’s own “contact discovery” feature, the mechanism that tells the app which of your address-book numbers have an account. Because that feature answers for any number it is asked about, it could be used to confirm active accounts on a massive, automated scale, a significant design oversight.

The team automated the process of checking phone numbers against WhatsApp’s system. They generated billions of plausible numbers and submitted them for verification through the app’s interface, exactly as a normal address-book sync would.
Crucially, WhatsApp’s servers neither slowed down nor blocked this enormous flood of queries. That absence of rate limiting let the researchers confirm over 100 million accounts in a single hour from one server.
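The two controls missing from the endpoint described above are a per-client rate limit and a check for the tell-tale signature of enumeration: a client that asks about huge numbers of phone numbers, almost none of which are registered. The following is an added example written for this article, not code from the researchers or from WhatsApp. It models a contact-discovery service with a token-bucket limit and a miss-rate heuristic; the service class, the `client_id` notion, the thresholds and the set of “registered” numbers are all assumptions made for illustration, and the numbers are constructed, not real subscribers.

```python
"""Added example (not from the article or WhatsApp): a minimal contact-discovery
endpoint with (1) a per-client token bucket and (2) a miss-rate heuristic that
flags enumeration. All identifiers, thresholds and numbers are assumptions."""
import time
from collections import deque
from dataclasses import dataclass, field

# Constructed sample of "registered" numbers in E.164 form (no real subscribers).
REGISTERED = {"+15550000017", "+15550000042", "+15550000091", "+43660000123"}


@dataclass
class ClientState:
    tokens: float                  # token-bucket balance
    last_refill: float             # clock value at last refill
    window: deque = field(default_factory=deque)  # (timestamp, was_registered)


class ContactDiscovery:
    """rate: sustained lookups/second per client; burst: bucket capacity.
    A client whose last `window_s` seconds contain >= min_queries lookups with a
    miss rate above max_miss_rate is flagged and refused further lookups."""

    def __init__(self, rate=1.0, burst=50, window_s=60.0, min_queries=100,
                 max_miss_rate=0.9, now=time.monotonic):
        self.rate, self.burst, self.window_s = rate, burst, window_s
        self.min_queries, self.max_miss_rate, self.now = min_queries, max_miss_rate, now
        self.clients: dict[str, ClientState] = {}
        self.flagged: set[str] = set()

    def _state(self, client_id):
        st = self.clients.get(client_id)
        if st is None:
            st = self.clients[client_id] = ClientState(self.burst, self.now())
        return st

    def _take_tokens(self, st, n):
        t = self.now()
        st.tokens = min(self.burst, st.tokens + (t - st.last_refill) * self.rate)
        st.last_refill = t
        if st.tokens < n:
            return False
        st.tokens -= n
        return True

    def _record(self, st, hits):
        t = self.now()
        for hit in hits:
            st.window.append((t, hit))
        while st.window and t - st.window[0][0] > self.window_s:
            st.window.popleft()

    def miss_rate(self, client_id):
        st = self._state(client_id)
        if len(st.window) < self.min_queries:
            return 0.0
        return sum(1 for _, hit in st.window if not hit) / len(st.window)

    def lookup(self, client_id, numbers):
        """Return {number: registered?} or None if the request is refused."""
        if client_id in self.flagged:
            return None
        st = self._state(client_id)
        if not self._take_tokens(st, len(numbers)):
            return None
        hits = [n in REGISTERED for n in numbers]
        self._record(st, hits)
        if self.miss_rate(client_id) > self.max_miss_rate:
            self.flagged.add(client_id)
        return dict(zip(numbers, hits))


def simulate_enumeration(batches=10, batch_size=50):
    """One client sweeping sequential numbers, with a fake clock that waits long
    enough between batches for the bucket to refill. The bucket alone does not
    stop a patient scraper; the miss-rate heuristic does. Returns (batches
    answered, flagged?)."""
    clock = [0.0]
    svc = ContactDiscovery(rate=1.0, burst=50, now=lambda: clock[0])
    answered = 0
    for b in range(batches):
        nums = [f"+1555{b * batch_size + i:07d}" for i in range(batch_size)]
        if svc.lookup("scraper-1", nums) is not None:
            answered += 1
        clock[0] += 50.0
    return answered, "scraper-1" in svc.flagged


def legit_sync():
    """A client uploading a small real address book: few lookups, mostly known
    numbers. Returns (answers, flagged?)."""
    svc = ContactDiscovery()
    answers = svc.lookup("alice-phone", sorted(REGISTERED) + ["+15550009999"])
    return answers, "alice-phone" in svc.flagged
```

The thresholds are illustrative. In a real deployment the per-client state would live in a shared store keyed by account and device, and the miss-rate signal is stronger than the bucket on its own, because a scraper can simply spread its queries over time or across many registered accounts to stay under any fixed rate.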

This sweep confirmed 3.5 billion active accounts linked to phone numbers worldwide. The data painted a detailed picture of the app’s global reach and usage patterns across different countries.
For a huge portion of these accounts, the profile photo and the “About” text were also readable, because those fields were set to be visible to everyone. This turned a list of numbers into a much more personal database of faces and self-descriptions.

Meta, WhatsApp’s parent company, responded to the findings. They thanked the researchers for reporting through their bug bounty program and stated they were already working on new anti-scraping defenses.
The company emphasized that the exposed data was already publicly accessible based on user settings. They also confirmed that private message content remained protected by end-to-end encryption throughout.

A similar vulnerability was publicly reported by a different researcher back in 2017. That earlier report demonstrated how phone numbers and profile data could be collected en masse.
Meta’s response at the time was that user privacy settings were functioning as designed. The new research proves the underlying issue remained exploitable for years after the initial warning.

For the average user, this exposure poses a genuine risk. Scammers could use the confirmed number list to target phishing messages with high confidence, knowing the recipient uses WhatsApp.
The combination of a phone number, a face, and personal details from a bio fuels highly convincing scams. This information makes social engineering attacks far more effective and threatening.

The research uncovered millions of active accounts in countries where WhatsApp is officially banned. This included about 2.3 million in China and 1.6 million in Myanmar.
For users in these regions, such exposure could carry severe personal risk from their own governments. It shows how digital footprints can have serious real-world consequences.

While examining the data, researchers found a surprising issue with the encryption keys. The public key WhatsApp publishes for each account is supposed to be unique to that account, yet some accounts were sharing identical keys.
The researchers say this key reuse likely stems from insecure custom or third-party clients and potentially fraudulent activity, and that it weakens the security of those specific accounts.

The researchers cross-referenced their data with phone numbers leaked from Facebook in 2021. They found a staggering 58% of those old leaked numbers were still active on WhatsApp.
This shows the long-lasting impact of a single data breach. Leaked information can be used and reused against people for many years across different platforms.

You can strengthen your privacy on the app today by reviewing your WhatsApp privacy settings under Account and Privacy.
Set your profile photo and About info to “My Contacts” only, and enable two-step verification for an essential extra layer of protection against account takeover.

This incident underscores a core design problem. Phone numbers were never intended to be secret identifiers, yet apps use them as primary account keys.
Because numbers are easy to guess and sequence, they become a weak point. This flaw suggests a need for alternative identifiers, like usernames, which WhatsApp is now testing.

The Austrian team followed strict ethical guidelines throughout their work. They responsibly reported the flaw to Meta first and securely deleted all collected data after.
Their work demonstrates how good-faith security research makes everyone safer. It pushes companies to strengthen defenses before malicious actors exploit the same weaknesses.

This event is a powerful reminder about digital privacy. No platform is perfect, and convenience often comes with unseen trade-offs regarding our personal information.
Staying safe requires proactive habits. Regularly check your privacy settings on all social apps, be skeptical of unexpected messages, and use all available security features.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.