Major privacy risk on WhatsApp: Research finds potential leak of 3.5 billion numbers

Staff Report: PNN

A new study reveals that WhatsApp users’ phone numbers and profile information could be exposed on a massive scale. Researchers from Vienna University, Austria, reported that using WhatsApp’s “contact discovery” feature, they were able to retrieve phone numbers of 3.5 billion users. About 57% of profile photos and 29% of profile texts were also accessible.

The ease of finding WhatsApp users increases the risk of data exposure. Adding a phone number allows the platform to indicate if the person is on WhatsApp, displaying their name and profile photo. Researchers warned that if all numbers worldwide were tested this way, it could create widespread privacy risks.

Researchers alerted Meta (WhatsApp’s parent company) in April, and the 3.5 billion phone number copies were deleted. By October, Meta implemented a “rate-limiting” system to prevent large-scale data scraping. Previously, anyone could have used this method to gather the data.

Meta stated that the leaked data was “generally public,” and profiles are visible based on privacy settings. End-to-end encryption remains intact.

The problem mainly stems from using phone numbers as unique identifiers. Limited randomness of numbers makes large-scale scraping easy. Researchers recommend stronger privacy measures to protect user information.

Country-specific analysis showed that 44% of 137 million numbers in the U.S. had public profile photos, 62% of 750 million numbers in India, and 61% of 206 million numbers in Brazil.

Researchers warned that such data could be misused by cybercriminals, spammers, or even governments, especially in countries where WhatsApp is banned, such as China and Myanmar.

This serves as a warning to WhatsApp that risks remain in handling users’ phone numbers and profile information.