In a digital privacy crisis that has sent shockwaves through the cybersecurity world, a critical flaw in WhatsApp’s infrastructure has reportedly exposed the phone numbers and account details of nearly 3.5 billion users—almost half of the global population.
Researchers from the University of Vienna and SBA Research have uncovered a “systemic flaw” in the messaging giant’s contact discovery system, allowing them to harvest a staggering amount of user data without triggering security alarms.
The “Rate Limit” Loophole
The vulnerability wasn’t a sophisticated hack, but a glaring oversight in WhatsApp’s design. According to the report released yesterday, the platform failed to enforce “rate limits”—the digital speed bumps that usually stop bots from making too many requests at once.
Exploiting this, researchers were able to automate a process that checked billions of phone numbers to see if they were registered on WhatsApp. The system happily returned the data, allowing the team to map users on a global scale.
“Phone numbers were not designed to be used as secret identifiers for accounts, but that’s how they’re used in practice,” the researchers noted in their explosive findings.
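The oversight the researchers describe is the absence of server-side throttling on the contact discovery lookup. The following is an added example, not code from the article, the researchers, or WhatsApp/Meta, showing the two defensive layers a service like this would want: a per-client sliding-window rate limit in which every submitted number (not every request) consumes budget, so batching cannot bypass it, and a detector that reads the endpoint's audit log and flags clients whose volume or persistence after throttling looks like enumeration. The registry of "registered" numbers, the salt, the client ids, the thresholds and the log line format are all constructed for the demo; storing the registry as salted hashes is an assumption of this example, not a description of WhatsApp's backend.

```python
"""Contact-discovery endpoint with a rate limit and a log-based enumeration detector.

Added example; all numbers, client ids, thresholds and log lines are constructed.
"""
from collections import defaultdict, deque
import hashlib

SALT = b"constructed-demo-salt"  # assumption: registry holds salted hashes, not raw numbers


def hash_number(number: str) -> str:
    return hashlib.sha256(SALT + number.encode()).hexdigest()


# Constructed registry: three numbers that count as "registered".
REGISTERED = {hash_number(n) for n in ("+15550000001", "+15550000002", "+4915550000003")}


class SlidingWindowLimiter:
    """At most `limit` lookups per `window_s` seconds for each client id."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._events = defaultdict(deque)  # client id -> timestamps inside the window

    def allow(self, client_id: str, now: float) -> bool:
        q = self._events[client_id]
        while q and q[0] <= now - self.window_s:
            q.popleft()  # drop timestamps that have fallen out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ContactDiscovery:
    """Answers 'which of these numbers are registered?' and writes an audit log."""

    def __init__(self, limiter: SlidingWindowLimiter):
        self.limiter = limiter
        self.log: list[str] = []

    def lookup(self, client_id: str, numbers: list[str], now: float) -> dict:
        found = {}
        for n in numbers:
            # Charge the budget per number so a large batch cannot bypass the limit.
            if not self.limiter.allow(client_id, now):
                self.log.append(f"ts={now:.0f} client={client_id} outcome=throttled")
                return {"status": "rate_limited", "found": found}
            hit = hash_number(n) in REGISTERED
            found[n] = hit
            self.log.append(f"ts={now:.0f} client={client_id} outcome={'hit' if hit else 'miss'}")
        return {"status": "ok", "found": found}


def parse_line(line: str) -> dict:
    """Parse one 'key=value key=value' audit line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def flag_enumerators(log: list[str], window_s: float, max_lookups: int, max_throttled: int) -> set[str]:
    """Flag a client if any `window_s` window holds more than `max_lookups` answered
    lookups (catches a client that stays under the per-minute limit but keeps going),
    or if it was throttled more than `max_throttled` times (kept hammering)."""
    answered = defaultdict(list)
    throttled = defaultdict(int)
    for line in log:
        rec = parse_line(line)
        if rec["outcome"] == "throttled":
            throttled[rec["client"]] += 1
        else:
            answered[rec["client"]].append(float(rec["ts"]))
    flagged = set()
    for client, times in answered.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # two-pointer sweep over a sorted timeline
            while t - times[start] >= window_s:
                start += 1
            if end - start + 1 > max_lookups:
                flagged.add(client)
                break
    flagged.update(c for c, n in throttled.items() if n > max_throttled)
    return flagged


def demo() -> tuple[dict, dict, set[str]]:
    service = ContactDiscovery(SlidingWindowLimiter(limit=5, window_s=60.0))
    # A normal address-book sync: a few numbers in one batch.
    sync = service.lookup("phone-A", ["+15550000001", "+15550000009", "+4915550000003"], now=1000.0)
    # A burst: one client submits twelve numbers one second apart; the limiter cuts it off.
    burst = None
    for i in range(12):
        burst = service.lookup("scraper-B", [f"+1555000{i:04d}"], now=2000.0 + i)
    # Low volume within the limit, sustained for twenty minutes; only the detector catches it.
    for m in range(20):
        for j in range(5):
            service.lookup("scraper-C", [f"+4470000{m * 5 + j:05d}"], now=5000.0 + 60 * m + j)
    flagged = flag_enumerators(service.log, window_s=3600.0, max_lookups=50, max_throttled=3)
    return sync, burst, flagged


if __name__ == "__main__":
    sync, burst, flagged = demo()
    print(sync)
    print(burst)
    print("flagged:", flagged)
```

The two layers are deliberately tuned against different behaviour: the limiter stops the obvious burst on the spot, while the detector works on a longer window so that a client that spreads its lookups out to stay within the per-minute budget is still surfaced for investigation. In production the log would be streamed to the SIEM rather than held in a list, and the thresholds would be set from the observed volume of genuine address-book syncs.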
What Was Leaked?
While message contents remain encrypted, the metadata exposed is a goldmine for scammers and phishing operations. The scraped data includes:
- Active Phone Numbers: Confirmation that a number is real and active.
- Profile Pictures: Roughly 57% of the exposed accounts had profile pictures set to “Public.”
- “About” Text: Personal bios and status updates for 29% of users.
- Device Data: Timestamps that can reveal usage patterns.
Crucially, the researchers were able to identify millions of accounts in countries where WhatsApp is officially banned: 2.3 million users in China and 60 million in Iran, potentially putting those citizens at risk.
| Rank | Country | # Accounts | Global Share | Android (%) | iOS (%) | Picture (%) | About Text (%) | Business (%) | Companions (%) |
|---|---|---|---|---|---|---|---|---|---|
| 1 | India | 749,075,246 | 21.67% | 95 | 5 | 62.2 | 29.5 | 9.8 | 6.2 |
| 2 | Indonesia | 235,245,077 | 6.81% | 92 | 8 | 49.1 | 27.5 | 10.7 | 9.3 |
| 3 | Brazil | 206,949,224 | 5.99% | 81 | 19 | 61.1 | 41.5 | 10.3 | 15.5 |
| 4 | United States | 137,859,284 | 3.99% | 33 | 67 | 44.0 | 32.8 | 2.4 | 6.1 |
| 5 | Russia | 132,855,022 | 3.84% | 76 | 24 | 61.7 | 33.5 | 3.6 | 9.4 |
| 6 | Mexico | 128,324,166 | 3.71% | 82 | 18 | 46.1 | 23.3 | 4.1 | 11.7 |
| 7 | Pakistan | 98,277,665 | 2.84% | 95 | 5 | 58.5 | 20.0 | 21.7 | 5.4 |
| 8 | Germany | 74,565,425 | 2.16% | 58 | 42 | 51.0 | 35.4 | 2.2 | 13.4 |
| 9 | Türkiye | 72,131,903 | 2.09% | 73 | 27 | 48.0 | 33.4 | 3.0 | 12.0 |
| 10 | Egypt | 69,317,806 | 2.01% | 90 | 10 | 53.2 | 25.1 | 11.3 | 6.1 |
| 11–245 | Others | 1,552,021,571 | 44.90% | 77 | 23 | 56.9 | 27.9 | 9.3 | 9.0 |
| Global | (245 countries) | 3,456,622,389 | 100.00% | 81 | 19 | 56.7 | 29.3 | 9.0 | 8.8 |
Meta’s Response
Meta, WhatsApp’s parent company, has stated that the issue was patched in October 2025 following a disclosure by the researchers. A spokesperson downplayed the severity, characterizing the leaked data as “basic publicly available information.”
However, cybersecurity experts warn that this “basic” data is exactly what bad actors need to execute sophisticated Smishing (SMS Phishing) attacks and identity theft.
How to Protect Yourself Now
While the flaw has been patched, the data may already be in the wild. Experts recommend immediately tightening your privacy settings:
- Open WhatsApp Settings.
- Navigate to Privacy.
- Change Profile Photo, About, and Status visibility to “My Contacts” or “Nobody.”
- Enable Two-Step Verification to prevent account hijacking.
Stay tuned as this story develops.