Researchers from the University of Vienna and SBA Research discovered a vulnerability in WhatsApp's contact-discovery feature that can expose the phone numbers and profile data of over three billion users. The flaw enables automated enumeration and scraping of phone numbers, profile photos and 'About' statuses, creating opportunities for targeted impersonation and scams. Meta says it has implemented mitigations, but it is unclear if the issue was exploited before the fixes.
WhatsApp Flaw Lets Attackers Harvest Billions of Phone Numbers and Profiles

Security researchers have identified a serious vulnerability in WhatsApp's contact-discovery system that could expose the phone numbers and profile information of more than three billion users (commonly cited around 3.5 billion). The weakness allows automated enumeration of accounts, enabling attackers to collect phone numbers along with profile photos and users' 'About' status text at scale.
What the researchers found
A team from the University of Vienna and SBA Research traced the issue to WhatsApp's mechanism for matching a user's address-book numbers with the app's central database. Although the feature is intended to show which contacts are on WhatsApp, its enumeration behavior can be abused to systematically scrape large numbers of accounts and associated profile data.
“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences,” said Gabriel Gegenhuber of the University of Vienna. “Security and privacy are not one-time achievements; they must be continuously re-evaluated as technology and threats evolve.”
Why this matters
Because WhatsApp uses phone numbers as the primary identifier for accounts, an attacker can automatically test many numbers and retrieve profile information quickly. With a phone number, profile photo and 'About' text, criminals can craft highly targeted impersonation and social-engineering attacks, making large-scale scams far more effective.
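The two paragraphs above describe the mechanism (address-book numbers matched against a central account database) and the abuse pattern (testing many numbers automatically). The following is an added, defender-side example and is not code from the researchers, from WhatsApp or from Meta. It assumes a hypothetical contact-discovery service that logs one line per sync request with a client id, a timestamp, the number of phone numbers submitted and the number that matched an account; the log format, the field names, the thresholds and all sample values are constructed for illustration. It shows two controls a service operator could apply: flagging clients whose sync pattern looks like enumeration (high volume, low match rate) and capping the number of distinct numbers a client may look up in a sliding window, so that re-syncing the same address book stays free while sweeping new numbers is bounded.

```python
"""Detection and rate limiting for a contact-discovery endpoint (illustrative).

A genuine address-book sync is small and mostly consists of numbers that do
belong to real accounts; an enumeration run submits far more numbers and most
of them match nothing. Both signals are used below.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical log format; not real WhatsApp telemetry.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) submitted=(?P<submitted>\d+) matched=(?P<matched>\d+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-11-18T10:00:01Z client=c-alice submitted=212 matched=187",
    "2025-11-18T10:00:04Z client=c-bob submitted=45 matched=41",
    "2025-11-18T10:00:05Z client=c-scrape submitted=5000 matched=310",
    "2025-11-18T10:00:09Z client=c-scrape submitted=5000 matched=298",
    "2025-11-18T10:00:14Z client=c-scrape submitted=5000 matched=305",
    "2025-11-18T10:01:00Z client=c-carol submitted=1200 matched=1090",
    "this line is malformed and is skipped by the parser",
]

MAX_SUBMITTED_PER_WINDOW = 4000   # assumed cap; a real address book rarely exceeds it
MIN_MATCH_RATIO = 0.30            # assumed floor; random numbers mostly hit nothing
MIN_SAMPLE_FOR_RATIO = 500        # do not judge the ratio on tiny syncs


@dataclass
class ClientStats:
    requests: int = 0
    submitted: int = 0
    matched: int = 0

    @property
    def match_ratio(self) -> float:
        return self.matched / self.submitted if self.submitted else 1.0


def aggregate(lines):
    """Sum submitted/matched counts per client, skipping malformed lines."""
    stats = defaultdict(ClientStats)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["client"]]
        s.requests += 1
        s.submitted += int(m["submitted"])
        s.matched += int(m["matched"])
    return stats


def flag_enumerators(lines):
    """Return {client: [reasons]} for clients whose pattern looks like enumeration."""
    verdicts = {}
    for client, s in aggregate(lines).items():
        reasons = []
        if s.submitted > MAX_SUBMITTED_PER_WINDOW:
            reasons.append(f"volume {s.submitted} > {MAX_SUBMITTED_PER_WINDOW}")
        if s.submitted >= MIN_SAMPLE_FOR_RATIO and s.match_ratio < MIN_MATCH_RATIO:
            reasons.append(f"match ratio {s.match_ratio:.2f} < {MIN_MATCH_RATIO}")
        if reasons:
            verdicts[client] = reasons
    return verdicts


class DiscoveryBudget:
    """Cap on how many *distinct* numbers a client may look up per sliding window.

    Numbers already looked up inside the window cost nothing again, so a normal
    client re-syncing its address book is unaffected; only new numbers consume budget.
    """

    def __init__(self, limit=MAX_SUBMITTED_PER_WINDOW, window_s=86400):
        self.limit, self.window_s = limit, window_s
        self._seen = defaultdict(dict)  # client -> {number: first_seen_timestamp}

    def allow(self, client, numbers, now):
        seen = self._seen[client]
        for n, t in list(seen.items()):          # expire entries outside the window
            if now - t > self.window_s:
                del seen[n]
        new = [n for n in set(numbers) if n not in seen]
        if len(seen) + len(new) > self.limit:    # reject without recording the attempt
            return False
        for n in new:
            seen[n] = now
        return True


if __name__ == "__main__":
    for client, why in flag_enumerators(SAMPLE_LOG).items():
        print(client, "->", "; ".join(why))
```

Run as a script it prints only `c-scrape`, flagged on both volume and match ratio, while the large but legitimate `c-carol` sync passes. The budget class is deliberately keyed on distinct numbers rather than request count: request-count limits are easy to satisfy by batching, whereas a cap on new lookups per window bounds how much of the number space one client can sweep regardless of batch size.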
“This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability,” said Marijus Briedis, CTO at NordVPN. “At scale, this becomes a goldmine for scammers, criminals and well-resourced cyber groups.”
Response and context
The researchers published their results in a preprint titled 'Hey there! You are using WhatsApp: Enumerating three billion accounts for security and privacy.' Meta, WhatsApp's parent company, has reported applying mitigations to address the vulnerability. It remains unclear whether the flaw was exploited before the fixes were implemented.
The discovery also appears alongside other security concerns: Attaullah Baig, who served as WhatsApp's head of security from 2021 to 2025, filed a lawsuit in September in the US District Court for the Northern District of California alleging that WhatsApp failed to stop widespread account takeovers affecting more than 100,000 accounts per day.
What users should do
Users should be cautious about sharing personal details publicly, review privacy settings for profile photos and status, and be alert to unsolicited messages or impersonation attempts. Providers that use phone numbers as primary identifiers should re-evaluate whether that approach balances convenience with long-term security and privacy risks.
