
For an app used by more than three billion people, WhatsApp’s biggest strength has always been its simplicity: find a phone number, start chatting. But this exact convenience quietly opened the door to one of the largest privacy exposures in recent memory. Austrian researchers have now shown that WhatsApp allows anyone, without hacking, exploits or malware installed on any computer system, to extract the phone numbers of all 3.5 billion registered accounts and sometimes see profile photos and account text. All it took was the basic “Add Contact” flow, scaled up to billions. And despite earlier warnings dating back to 2017, Meta didn’t close the loophole until late this year.

How Researchers Extracted 3.5 Billion Numbers

The method wasn’t sophisticated. Researchers simply automated the same steps any user takes when adding a contact. Enter a number, let WhatsApp confirm whether an account exists, and fetch whatever public info the user hasn’t hidden.


Using WhatsApp Web, they scaled this up to check roughly 100 million numbers per hour. Over time, they successfully identified every WhatsApp number on the planet.

What Data Was Visible

Once the number was confirmed to be active, WhatsApp exposed:

- The phone number itself

- The user’s profile photo (for 57% of accounts)

- Their profile text or bio (for another 29%)

If users had manually set these to “Nobody” in privacy settings, the data would have stayed hidden — but most people hadn’t.

Meta’s Delayed Response

Researchers say Meta was warned about this exact vulnerability in 2017 and did nothing.

After being informed again this April, the company implemented rate-limiting by October. This drastically decreased automated lookup speeds.

However, the uncomfortable truth is that this window stayed wide open for years, giving malicious actors ample opportunity to exploit it unnoticed.
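To make the rate-limiting mitigation concrete, here is an added illustration that is not code from the article, the researchers or Meta: a limiter that caps how many distinct phone numbers one client may check per time window, so a normal address-book sync passes while a bulk sweep of new numbers is cut off. The class name, the budget of 200 numbers per hour and the +999 sample numbers are assumptions constructed for the example.

```python
from collections import OrderedDict


class ContactLookupLimiter:
    """Caps how many distinct phone numbers one client may check per window."""

    def __init__(self, max_distinct=200, window_seconds=3600):
        self.max_distinct = max_distinct
        self.window = window_seconds
        self._seen = {}  # client_id -> OrderedDict {number: time first charged}

    def allow(self, client_id, number, now):
        """Return True if the 'does this number have an account?' check may be answered."""
        seen = self._seen.setdefault(client_id, OrderedDict())
        # Forget numbers charged a full window ago (timestamps arrive in order).
        while seen and now - next(iter(seen.values())) >= self.window:
            seen.popitem(last=False)
        if number in seen:
            return True   # re-syncing a known contact costs nothing
        if len(seen) >= self.max_distinct:
            return False  # budget of new numbers for this window is spent
        seen[number] = now
        return True


def answered_lookups(limiter, client_id, lookups):
    """Replay (timestamp, number) pairs and count how many were answered."""
    return sum(limiter.allow(client_id, number, ts) for ts, number in lookups)


# Constructed sample traffic; the +999 numbers are placeholders, not real accounts.
# An address book of 50 contacts re-synced five times within an hour:
address_book_sync = [(r * 600 + i, f"+999{i:07d}") for r in range(5) for i in range(50)]
# 1,000 never-before-seen numbers requested within ten seconds:
bulk_sweep = [(i / 100, f"+999{1_000_000 + i:07d}") for i in range(1000)]

if __name__ == "__main__":
    limiter = ContactLookupLimiter()
    print("sync answered:", answered_lookups(limiter, "phone-A", address_book_sync))
    print("sweep answered:", answered_lookups(limiter, "client-B", bulk_sweep))
```

Counting distinct numbers rather than raw requests is the design choice that matters here: it leaves repeated syncs of the same contacts untouched while bounding how much of the number space any one client can map per window.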


Meta’s Defence

Meta insists:

- The exposed information was “basic publicly available data”

- No private data was accessed

- There’s “no evidence” hackers abused this loophole

Still, given the scale, the reassurance feels thin for many security experts.

Final Thoughts

This incident doesn’t involve leaked messages or hacked servers, but it exposes a deeper problem: WhatsApp left a critical privacy door unlocked for years. Even if Meta claims no known abuse, the sheer scale of exposed data raises real concerns about user safety, spam, and targeted fraud. The fix has arrived late, and the episode serves as a reminder that convenience often comes at the cost of security — unless companies take privacy threats seriously before they escalate.
