Severity
High
Analysis Summary
A newly disclosed critical flaw in WhatsApp’s contact discovery feature exposed the phone numbers of 3.5 billion users, one of the largest privacy exposures on record. Despite warnings issued as early as 2017, Meta left the issue unaddressed for eight years. The weakness allowed researchers to confirm whether any phone number worldwide was linked to a WhatsApp account and to retrieve public profile details such as pictures, “about” texts, public encryption keys, and timestamps. Using the tool libphonegen, the research team generated realistic phone numbers for 245 countries and queried the platform systematically without hitting any rate limits or other defensive countermeasures.
Between December 2024 and April 2025, the researchers drove WhatsApp’s XMPP-based protocol through a modified client, identifying 3.5 billion active accounts among 63 billion numbers tested at a rate of over 100 million checks per hour from only five authenticated accounts. They also found 2.9 million reused public keys, including identity keys and prekeys, which could weaken end-to-end encryption if the reuse stems from malicious actors or unofficial clients. In several extreme cases, U.S. numbers shared the same all-zero key, indicating broken implementations or fraud attempts. Additionally, nearly one-third of the exposed profiles contained sensitive personal information, including political beliefs, religious affiliations, and links to other platforms.
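The reused and all-zero identity keys described above are something a defender (or an unofficial-client auditor) can check for directly. The following is an added example, not code from the original advisory or from the research team: it groups a constructed set of (phone number, identity key) records by key and flags the two anomalies the study reported. The phone numbers and key bytes are invented placeholders, and the 32-byte key length assumes Curve25519 identity keys as used by the Signal protocol.

```python
import collections

KEY_LEN = 32               # Curve25519 public key length (Signal protocol identity keys)
ZERO_KEY = bytes(KEY_LEN)  # all-zero point: never produced by honest key generation, and
                           # X25519 against it yields an all-zero shared secret (no secrecy)

# Constructed sample of (phone number, identity public key) pairs. The keys are
# illustrative placeholders, not real account keys.
SAMPLE_PROFILES = [
    ("+15550000001", bytes.fromhex("a1" * KEY_LEN)),
    ("+15550000002", bytes.fromhex("b2" * KEY_LEN)),
    ("+15550000003", bytes.fromhex("a1" * KEY_LEN)),  # same identity key as ...0001
    ("+15550000004", ZERO_KEY),
    ("+15550000005", ZERO_KEY),
    ("+442079460000", bytes.fromhex("c3" * KEY_LEN)),
]


def is_safe_identity_key(key):
    """Reject malformed or all-zero identity keys before building a session on them."""
    return len(key) == KEY_LEN and key != ZERO_KEY


def audit_identity_keys(profiles):
    """Group profiles by identity key and flag the anomalies the study reported.

    Returns (zero_key_accounts, shared_keys):
      zero_key_accounts - sorted numbers presenting the all-zero key
      shared_keys       - hex key -> sorted numbers, for keys held by more than one account
    """
    by_key = collections.defaultdict(list)
    for phone, key in profiles:
        if len(key) != KEY_LEN:
            raise ValueError(f"{phone}: identity key must be {KEY_LEN} bytes")
        by_key[key].append(phone)
    zero_key_accounts = sorted(by_key.pop(ZERO_KEY, []))
    shared_keys = {key.hex(): sorted(phones)
                   for key, phones in by_key.items() if len(phones) > 1}
    return zero_key_accounts, shared_keys


if __name__ == "__main__":
    zero_accounts, shared = audit_identity_keys(SAMPLE_PROFILES)
    print("all-zero key:", zero_accounts)
    for hexkey, phones in shared.items():
        print(f"key {hexkey[:16]}... shared by {phones}")
```

A shared identity key is not by itself proof of compromise (one person legitimately migrating a number is the benign case), but a client that sees the all-zero key should refuse the session outright rather than silently deriving a predictable shared secret.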
The study revealed that countries with high WhatsApp usage, such as India, Indonesia, Brazil, Pakistan, and parts of West Africa, showed widespread public visibility of profile photos and “about” texts, increasing the risk of phishing, SIM-swapping, impersonation, and doxxing. The findings also highlight the exposure of WhatsApp Business accounts, which made up 9% of scraped profiles and often reveal additional metadata. The dataset overlapped heavily with earlier breaches, including the 2021 Facebook leak, meaning attackers could easily combine old and new data for targeted campaigns. Users in countries where WhatsApp is banned, such as China, Iran, and North Korea, face amplified risks of state surveillance and persecution.
Meta acknowledged the flaw through its bug bounty program in April 2025 and applied stricter rate limits in October 2025, maintaining that the exposed data was already public and stressing that message encryption remains intact. However, experts warn that the patch does not fully eliminate enumeration risks and that large-scale scraping remains a threat. The researchers deleted their dataset but criticized WhatsApp for lacking basic protections during their testing. As regulators increase scrutiny, especially under GDPR, cybersecurity professionals urge users to restrict profile visibility, limit sensitive status information, and monitor for suspicious activity in the wake of this unprecedented global exposure.
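Why a per-account rate limit on its own does not end enumeration, and what a server can add on top, is easier to see in code. The following is an added example and not WhatsApp’s implementation: it models a contact-discovery endpoint guard with a hard per-account cap plus a hit-ratio check. The policy values (window, cap, sample size, ratio) are assumed for illustration, and the population is constructed so that roughly every 18th number is registered, matching the study’s observed density of about 3.5 billion accounts among 63 billion numbers tested.

```python
import collections

# Assumed policy values (illustrative, not WhatsApp's actual limits).
WINDOW_SECONDS = 3600
MAX_LOOKUPS_PER_WINDOW = 5000   # hard per-account cap, the kind of limit the advisory says was added
MIN_SAMPLE = 200                # judge the hit ratio only once this many lookups are in the window
MIN_HIT_RATIO = 0.25            # an address-book sync mostly hits registered numbers; generated lists do not


class ContactDiscoveryGuard:
    """Server-side guard for a contact-discovery endpoint.

    Each lookup asks "is this number registered?".  A per-account hard cap alone still
    allows cap x accounts lookups per window; the hit-ratio check throttles sessions whose
    answers are overwhelmingly "unknown", which is what walking generated numbers looks like.
    """

    def __init__(self, registered, use_hit_ratio=True):
        self.registered = set(registered)
        self.use_hit_ratio = use_hit_ratio
        # account -> deque of (timestamp, was_hit) for answered lookups inside the window
        self.events = collections.defaultdict(collections.deque)

    def lookup(self, account, phone, ts):
        window = self.events[account]
        while window and ts - window[0][0] >= WINDOW_SECONDS:
            window.popleft()                      # drop lookups that aged out of the window
        if len(window) >= MAX_LOOKUPS_PER_WINDOW:
            return "throttled"
        if self.use_hit_ratio and len(window) >= MIN_SAMPLE:
            hits = sum(1 for _, was_hit in window if was_hit)
            if hits / len(window) < MIN_HIT_RATIO:
                return "throttled"                # enumeration pattern: mostly unknown numbers
        was_hit = phone in self.registered
        window.append((ts, was_hit))
        return "registered" if was_hit else "unknown"


def number(n):
    return f"+1555{n:07d}"


# Constructed population: every 18th number is registered (about 5.6%).
REGISTERED = {number(n) for n in range(0, 100_000, 18)}


def simulate(use_hit_ratio=True):
    """Run one legitimate sync and one enumeration session; return per-session result counts."""
    guard = ContactDiscoveryGuard(REGISTERED, use_hit_ratio)
    results = {}
    # A real address-book sync: 250 registered contacts plus 50 numbers not on WhatsApp.
    sync_list = [number(18 * k) for k in range(250)] + [number(18 * k + 1) for k in range(50)]
    results["sync"] = collections.Counter(
        guard.lookup("alice", phone, ts) for ts, phone in enumerate(sync_list))
    # An enumerator walking generated numbers in order, all within one window.
    results["enum"] = collections.Counter(
        guard.lookup("scraper", number(n), ts) for ts, n in enumerate(range(3000)))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(use_hit_ratio=mode)
        print(f"hit-ratio check {'on ' if mode else 'off'}: sync={dict(r['sync'])} enum={dict(r['enum'])}")
```

With only the hard cap, the scraper gets every one of its 3,000 answers, and five such accounts get five times that; with the hit-ratio check, it is cut off after the first 200 lookups while the real sync is untouched. The caveat a practitioner should keep in mind is that an attacker can mix known-registered numbers into the query stream to keep the ratio above threshold, so this heuristic raises the cost of enumeration rather than eliminating it, which is consistent with the warning that stricter rate limits alone do not close the enumeration risk.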
Impact
- Sensitive Data Exposure (phone numbers, profile photos, “about” texts, public keys)
- Unauthorized Access (phishing, SIM-swapping, and impersonation enabled by the scraped data)
Remediation
- Set the visibility of profile photos, “about” texts, and status updates to “My contacts” rather than “Everyone”.
- Do not include personal details, political or religious affiliations, or links to other social media in profiles or statuses.
- Enable two-step verification (the six-digit PIN) so that a SIM swap alone is not enough to re-register the account.
- Regularly review Linked Devices and watch for unexpected verification codes, suspicious messages, or unknown devices.
- Keep the app on the latest version so that security patches are applied.
- Limit the metadata and business details exposed through WhatsApp Business profiles.
- Avoid interacting with unsolicited messages or calls that could be part of phishing or SIM-swapping attempts.
- Report suspicious activity or newly discovered flaws through responsible disclosure.