WhatsApp’s global reach has grown out of the simplicity of its user model, where finding or connecting with someone only requires a phone number. This convenience, however, created a sizeable privacy issue that remained unaddressed for years. Austrian researchers recently disclosed that until a few weeks ago, the phone numbers of every WhatsApp user worldwide could be gathered by anyone without breaking into the service. Their findings showed that more than 3.5 billion numbers were accessible, and for many users, additional profile details were also visible. According to the researchers, profile photos were viewable for around 57 percent of accounts and status text for 29 percent, depending on privacy settings chosen by the user.
The team explained that the method they used did not involve security flaws or advanced intrusion. Instead, they relied on the normal behavior of WhatsApp Web. When a number is entered into the platform, WhatsApp checks whether it belongs to an active account and displays any publicly shared profile information. By repeating this simple lookup at scale, the researchers were able to confirm which numbers were linked to WhatsApp accounts and gather publicly visible data. Earlier this year, they carried out the process at a rate of nearly one hundred million phone numbers every hour, demonstrating how easily automated systems could harvest user information without raising suspicion or triggering alerts.
Their findings highlighted a broader issue that had been known for a long time. WhatsApp’s parent company Meta was informed about this type of data collection risk in 2017 but did not impose technical restrictions to stop bulk harvesting. The researchers again notified Meta in April of this year, and by October, Meta introduced rate limits designed to prevent mass lookups. Although the company acted after the second report, the delay meant that for several years anyone with basic automation tools, including threat actors, could gather extensive user data with minimal effort. The scale of the exposure indicates that various groups could have exploited this method long before rate limits were put in place.
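The mitigation Meta eventually applied was a rate limit on lookups. As an added illustration (not code from the article, the researchers, or WhatsApp), the following Python sketch shows how a service operator could spot the enumeration pattern described above in its own lookup logs: a sliding window counts the distinct numbers each client has queried and flags clients that exceed a budget. The log format, the client identifier and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Lookup:
    ts: float      # event time in seconds
    client: str    # hypothetical client/session id (assumed log field)
    number: str    # queried number in E.164 form (constructed samples)

class LookupMonitor:
    """Sliding-window count of distinct numbers looked up per client."""
    def __init__(self, window_s: float = 60.0, max_distinct: int = 100):
        self.window_s = window_s
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)  # client -> deque of (ts, number)

    def observe(self, ev: Lookup) -> bool:
        """Record one lookup; return True if the client now exceeds its budget."""
        q = self._events[ev.client]
        q.append((ev.ts, ev.number))
        while q and ev.ts - q[0][0] > self.window_s:  # expire old events
            q.popleft()
        distinct = {number for _, number in q}
        return len(distinct) > self.max_distinct

def parse_line(line: str) -> Lookup:
    """Parse a constructed log line: '<ts> client=<id> number=<e164>'."""
    ts, rest = line.split(maxsplit=1)
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return Lookup(float(ts), kv["client"], kv["number"])

def flagged_clients(lines, window_s: float = 60.0, max_distinct: int = 100) -> set:
    """Return the set of clients that tripped the distinct-number budget."""
    monitor = LookupMonitor(window_s, max_distinct)
    flagged = set()
    for line in lines:
        ev = parse_line(line)
        if monitor.observe(ev):
            flagged.add(ev.client)
    return flagged

# Constructed sample log: one client resolving three contacts, and one
# scripted client sweeping 150 consecutive numbers in about 1.5 seconds.
SAMPLE_LOG = (
    [f"{1000.0 + i} client=web-normal number=+4366000{i:04d}" for i in range(3)]
    + [f"{1000.0 + i * 0.01} client=web-sweeper number=+43660{i:06d}" for i in range(150)]
)

if __name__ == "__main__":
    print(flagged_clients(SAMPLE_LOG))  # {'web-sweeper'}
```

In production the same window would feed the rate limiter itself, so that a client over budget receives throttled or empty responses rather than only a log entry.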
Meta responded by saying that the details visible through the lookup process qualify as basic publicly available information. It also noted that users who restricted their profile photo or status visibility to contacts only were not included in the exposed dataset. Meta further stated that its internal review found no evidence of malicious use of this lookup pattern. The company emphasized that the researchers did not gain access to private messages, contact lists, or sensitive account details. Even so, the researchers pointed out that large-scale access to matched phone numbers can still be used for mapping social connections, targeted scams, or identity-based attacks, because the link between a phone number and an active messaging account carries inherent value for malicious activity.