A major security concern has come back to haunt WhatsApp after researchers showed how easily millions of phone numbers could be verified on the platform. The weakness lies in WhatsApp’s contact discovery feature, the tool that checks if a phone number is registered on the app.
Even though this issue was first flagged to Meta in 2017, it remained unaddressed for years. That delay has now revived questions about how safely WhatsApp manages the personal data of its massive user base.
How Researchers Broke Through the System
A team from the University of Vienna uncovered how simple it was to run large automated checks on WhatsApp’s backend. Instead of slowing down or blocking their activity, the system allowed them to continue without interruption due to weak rate-limiting controls.
Over several months, from December 2024 to April 2025, the team tested 63 billion phone numbers across 245 countries. They managed to confirm 3.5 billion active WhatsApp accounts, making it one of the largest verification efforts ever documented.
Using a modified version of an open-source client, the researchers could see far more than just phone numbers. Public details such as profile photos and “about” sections were collected for more than half the accounts. Around 29 percent of users had “about” texts visible, and some contained sensitive information.
The study also found 2.9 million instances of public key reuse, something cryptography experts say could weaken WhatsApp’s end-to-end encryption in some situations.
What This Means for Everyday Users
This type of mass data confirmation creates several risks. When combined with older leaks, like the Facebook breach in 2021, attackers can build targeted lists for phishing attempts, scam calls, and SIM-swap operations.
The threat becomes even more serious in countries where WhatsApp is banned or heavily monitored, including China, Iran, and North Korea. Simply proving that a number uses WhatsApp could put people at risk.
Researchers also noticed that 9 percent of the discovered numbers belonged to WhatsApp Business accounts, which often reveal more by default and may unintentionally expose business owners to additional threats.
Meta Steps In After the Alert
Meta was notified about the research in April 2025. By October 2025, the company had tightened its rate-limiting controls to prevent similar mass scraping attempts.
In a statement, Meta said the findings were useful in testing WhatsApp’s defences. The company insisted that end-to-end encryption remained secure and added that there was no sign of this flaw being exploited by malicious actors.
Steps Users Should Take
Even with Meta’s fix, cybersecurity experts advise users to stay cautious. Simple steps can reduce exposure:
• Restrict who can see your profile photo and “about” info
• Avoid sensitive or personal details in status updates
• Pay attention to unusual calls, login prompts, or verification messages
The Bigger Question for the Tech World
This episode highlights a growing reality: features built for convenience can quickly become privacy risks when used by billions. As platforms like WhatsApp continue to expand, even small cracks in the system can expose enormous amounts of information.
With Meta already under global regulatory scrutiny, this discovery is likely to add more pressure to strengthen its privacy protections and invest in more proactive security tools.

