India Hit Hard as WhatsApp Flaw Exposes 3.5 Billion Phone Numbers

WhatsApp Security Flaw Exposes 3.5 Billion Numbers in Massive Global Leak

India sits at the centre of a shocking global exposure after researchers uncovered a major WhatsApp security flaw. The team from the University of Vienna revealed that weak protections in WhatsApp’s contact discovery system allowed them to collect 3.5 billion phone numbers. They also found linked profile photos and public “about” text for millions of users.

India alone had nearly 750 million exposed numbers, which makes it the largest affected region.

A Simple Trick Led to a Massive Leak

The exposure began with a simple feature. WhatsApp lets users add a phone number and instantly see if it exists on the platform. It also displays the account’s profile photo and sometimes the “about” text.

Researchers tested what would happen if someone repeated that action billions of times. WhatsApp did not block or slow the requests. Therefore, they could plug in phone numbers at high speed and check every possible number.

They discovered that WhatsApp’s web-based interface allowed them to check about 100 million numbers every hour. With no strict rate-limiting in place, the team enumerated nearly every WhatsApp number in the world.
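The missing control described above, sketched from the defender's side as an added example (not code from WhatsApp, Meta or the researchers): a per-client budget on distinct numbers looked up in a time window, so re-syncing an existing address book is free while bulk lookups of new numbers are cut off. The class and function names, the thresholds and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class DiscoveryLimiter:
    """Per-client budget on *distinct* numbers looked up within a time window."""

    def __init__(self, max_new_numbers, window_s):
        self.max_new = max_new_numbers
        self.window_s = window_s
        self._seen = defaultdict(set)     # client -> numbers charged to the budget
        self._order = defaultdict(deque)  # client -> (timestamp, number), oldest first

    def allow(self, client, number, now):
        seen, order = self._seen[client], self._order[client]
        # Release budget for numbers first looked up at least one window ago.
        while order and now - order[0][0] >= self.window_s:
            seen.discard(order.popleft()[1])
        if number in seen:
            return True    # re-syncing a known contact costs nothing
        if len(seen) >= self.max_new:
            return False   # caller must answer without revealing registration status
        seen.add(number)
        order.append((now, number))
        return True

def replay(events, limiter):
    """Feed (timestamp, client, number) events through the limiter.
    Returns {client: [allowed, denied]}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, client, number in sorted(events):
        stats[client][0 if limiter.allow(client, number, ts) else 1] += 1
    return dict(stats)

def constructed_traffic():
    """Constructed sample traffic; the numbers are made up, not real subscribers."""
    book = [f"+1555{n:07d}" for n in range(300)]
    events = []
    # phone-A: an ordinary client re-syncing the same 300 contacts hourly.
    for hour in range(3):
        events += [(hour * 3600 + i, "phone-A", num) for i, num in enumerate(book)]
    # web-B: 5,000 never-before-seen consecutive numbers in under a minute.
    events += [(i // 100, "web-B", f"+1556{i:07d}") for i in range(5000)]
    return events

if __name__ == "__main__":
    limiter = DiscoveryLimiter(max_new_numbers=1000, window_s=86400)
    print(replay(constructed_traffic(), limiter))
```

A per-client budget only bounds what one account can learn; it would normally sit alongside per-network and global limits, since lookups can be spread across many accounts.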

How Much Data Was Visible

The researchers revealed that 57 percent of all collected accounts displayed their profile photos publicly. Another 29 percent exposed their “about” text.

In India, public exposure was higher. The study notes that 62 percent of Indian users had public profile photos. This means millions unknowingly revealed personal details without modifying privacy settings.

Countries like Brazil showed similar trends, while even restricted regions such as China and Myanmar had millions of exposed users.

Meta Fixed the Issue Only After the Warning

The researchers alerted Meta in April. By October, the company activated stronger rate-limiting to block automated scraping.

Meta described the leaked data as “basic publicly available information.” It also added that messages remained safe because of end-to-end encryption. However, researchers insisted that they never encountered meaningful defenses while conducting the study.

This incident echoed a similar warning sent to WhatsApp in 2017, when another researcher showed that scraping phone numbers was possible. That earlier issue did not lead to strong protections.

A Fresh Privacy Concern for WhatsApp Users

The study highlights a deeper problem. Phone numbers are not random enough to serve as secure account identifiers for a platform as large as WhatsApp. Anyone with automated tools could generate and test billions of numbers quickly.

Researchers warn that scammers, spammers, and even governments could misuse such data. The study also found WhatsApp accounts with duplicated cryptographic keys, often linked to unofficial clients used by scammers.

WhatsApp has started testing a username-based system, which could reduce dependence on phone numbers in the future.

What Users Can Do Now

Users can reduce exposure by changing WhatsApp privacy settings. They can restrict profile photos and “about” text to contacts only. They can also avoid using third-party WhatsApp clients that may create security issues.

Yet, the latest findings show how a simple feature turned into one of the largest data exposures ever recorded.
