WhatsApp Bug Leak: How 3.5Bn User Numbers Were Exposed | Explained

Outlook Business Desk

WhatsApp Data Exposure

A security vulnerability in WhatsApp has put all of the platform’s approximately 3.5 billion phone numbers at risk, according to researchers from the University of Vienna. They were able to access profile photos for 57% of users and profile text for 29%.

What Did The Researchers Find?

The researchers found that they could see profile photos for more than half of the exposed numbers and read profile text for almost a third. Their findings showed how easily huge amounts of public user data could be gathered in bulk.

Earlier Warning Ignored

A separate research group first alerted Meta and WhatsApp to this vulnerability in 2017. Despite the warning, the required action was not taken, allowing the same weakness to remain active for years and escalate further.

Largest Leak Risk

The researchers warned that if hackers had obtained this dataset, it would have been the largest data leak in history. It would have surpassed the 2021 Facebook scraping incident, which affected 500 million records, setting a new scale of exposure.

Data Included Details

The exposed dataset contained phone numbers, timestamps, “about” text, profile photos, and public keys used for end-to-end encryption. Researchers noted that if this information had been released, it could have caused serious harm to the affected users.

Scale Of Exposure

A member of the research team also confirmed that this incident represented the most extensive exposure of phone numbers and linked data ever recorded. The scale of the issue highlighted how widely the flaw could be abused if exploited.

WhatsApp Fixes Issue

The researchers reported the security flaw to WhatsApp in April 2025. Although the company was initially slow to act, it later collaborated to resolve the issue. By October, stricter rate-limiting measures were introduced to prevent large-scale data harvesting.

System Flaw

The issue originated from WhatsApp’s contact discovery feature. Lacking effective rate-limiting, it allowed attackers to scan large ranges of phone numbers to see who used the app and access publicly available details such as profile photos, “About” text, and device information.
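
A sketch of the kind of rate limit this slide says was missing, as an added example that is not WhatsApp's implementation and not code from the original article: it budgets the number of distinct phone numbers one client may look up per sliding window, so re-syncing a real address book is free while walking a number range is cut off. The class name, thresholds and phone numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class DiscoveryLimiter:
    """Caps how many distinct phone numbers one client may look up per window."""

    def __init__(self, max_distinct=500, window_s=24 * 3600):
        self.max_distinct = max_distinct   # assumed threshold, not a real product value
        self.window_s = window_s
        self._order = defaultdict(deque)   # client -> (first_seen, number), oldest first
        self._seen = defaultdict(set)      # client -> numbers charged in the window

    def allow(self, client_id, number, now):
        order, seen = self._order[client_id], self._seen[client_id]
        # Expire numbers whose charge has aged out of the window.
        while order and order[0][0] <= now - self.window_s:
            seen.discard(order.popleft()[1])
        if number in seen:
            return True    # re-sync of an already-charged contact costs nothing
        if len(seen) >= self.max_distinct:
            return False   # budget spent: refuse (a real service would also alert)
        seen.add(number)
        order.append((now, number))
        return True


def simulate():
    limiter = DiscoveryLimiter(max_distinct=500, window_s=24 * 3600)
    # Constructed traffic: a normal client re-syncing 200 contacts hourly for 5 hours.
    contacts = [f"+1555{n:07d}" for n in range(0, 2000, 10)]
    normal_ok = sum(limiter.allow("normal", c, now=h * 3600)
                    for h in range(5) for c in contacts)
    # Constructed traffic: a client walking 10,000 consecutive numbers in one hour.
    scan_ok = sum(limiter.allow("scanner", f"+1555{n:07d}", now=n * 0.36)
                  for n in range(10_000))
    # Two days later the budget has refilled: the cap bounds the rate, not the total.
    next_day_ok = limiter.allow("scanner", "+15559999999", now=2 * 24 * 3600)
    return normal_ok, scan_ok, next_day_ok


if __name__ == "__main__":
    print(simulate())
```

Because the budget is tracked per client, a production control would pair it with limits on account creation and with monitoring for many clients querying adjacent number ranges.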

Meta’s Official Stand

Meanwhile, Meta confirmed that the study revealed a new scraping method that went beyond existing safeguards. The company stated that user messages stayed secure with end-to-end encryption and found no signs of malicious misuse, resolving the issue responsibly.
