Shocking WhatsApp Flaw: 3.5 Billion Phone Numbers Were Just One Click Away from Anyone

Imagine this: someone sitting anywhere in the world could type billions of phone numbers into WhatsApp and instantly know who has an account. They could even grab your profile picture, your “About” status, and many other details you thought were safe. That is exactly what researchers from the University of Vienna just proved is possible. And they did it legally, through WhatsApp’s own bug bounty program.

What Actually Happened?

WhatsApp lets you check if a phone number is on the app. You type the number, and the app quickly says “yes” or “no.” This feature feels normal when you add a friend. However, researchers discovered they could automate this check millions of times per hour without WhatsApp stopping them.

Between December 2024 and April 2025, the team tested 63 billion possible phone numbers from 245 countries. Because the app’s speed limits were too weak, they successfully found around 3.5 billion active WhatsApp accounts. In simple words, almost every WhatsApp user on Earth appeared in their list.

It Was More Than Just Phone Numbers

When a number was on WhatsApp, the researchers also received:

  • Public profile pictures (they downloaded 77 million from U.S. numbers alone)
  • “About” messages
  • Last-seen timestamps
  • Device type (Android or iPhone)
  • Public encryption keys
  • Business account details
  • Operating system information

Most worryingly, 66% of the downloaded U.S. profile pictures clearly showed people’s faces. Anyone with this data could build a facial-recognition search engine that links faces to phone numbers.

Dangerous Secrets in Banned Countries

The researchers found millions of people still using WhatsApp in places where the app is officially blocked by the government:

  • 2.3 million accounts in China
  • 59 million accounts in Iran
  • 1.6 million accounts in Myanmar

In these countries, just having WhatsApp can lead to arrests or heavy fines. Now proof exists that these users are active, which could put them in real danger if bad actors get the same list.

Old Leaks Never Die

The team compared their new list with the famous 2021 Facebook data leak of 500 million records. Shockingly, almost half of those leaked numbers are still active on WhatsApp today, six years later. Scammers and robocall companies love old lists because they still work.

How Is This Different from a Real Hack?

Important point: the researchers never broke into WhatsApp’s servers. They never stole a secret database. They only used the same “is this number on WhatsApp?” button that every user sees, but they pressed it billions of times very fast. The real problem was that WhatsApp did not stop them soon enough.

What Did WhatsApp Do After the Report?

Meta (WhatsApp’s parent company) thanked the researchers and rolled out several fixes:

  • New, smarter speed limits that watch patterns, not just count clicks
  • Blocked download of profile pictures, even if you set them to “public”
  • Removed timestamps from picture requests
  • Fixed a bug that reused encryption keys on some Android phones
  • Made status messages harder to collect in bulk

Your private chats stayed 100% safe the whole time because of end-to-end encryption. Only public or semi-public information was at risk.
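As an added illustration (not WhatsApp's code and not from the researchers), here is one way a lookup limit can watch patterns rather than only count requests: it blocks clients whose lookups mostly miss, as a blind scan does (about 3.5 billion hits out of 63 billion tries in the study above), or that walk through consecutive numbers. All names, thresholds and the sample traffic are assumptions made up for this example.

```python
from collections import defaultdict, deque

WINDOW = 3600         # seconds of history kept per client (assumed)
MAX_DISTINCT = 200    # distinct numbers one client may check per window (assumed)
MIN_SAMPLE = 50       # do not judge ratios on fewer lookups than this (assumed)
MAX_MISS = 0.6        # address books mostly hit; blind scans mostly miss (assumed)
MAX_ADJACENT = 0.3    # tolerated share of consecutive numbers (assumed)


class LookupGuard:
    """Decides per lookup whether a client still looks like an address-book sync."""

    def __init__(self):
        self.history = defaultdict(deque)   # client -> (ts, number, registered)

    def check(self, client, ts, number, registered):
        q = self.history[client]
        q.append((ts, number, registered))
        while q[0][0] <= ts - WINDOW:        # expire entries outside the window
            q.popleft()
        numbers = sorted({n for _, n, _ in q})
        if len(numbers) > MAX_DISTINCT:
            return "block:volume"
        if len(q) < MIN_SAMPLE:
            return "allow"
        misses = sum(1 for _, _, reg in q if not reg)
        if misses / len(q) > MAX_MISS:
            return "block:miss-ratio"
        adjacent = sum(1 for a, b in zip(numbers, numbers[1:]) if b - a == 1)
        if adjacent / len(numbers) > MAX_ADJACENT:
            return "block:sequential"
        return "allow"


def replay(events):
    """Run (client, ts, number, registered) events; return each client's final verdict."""
    guard, verdict = LookupGuard(), {}
    for client, ts, number, registered in events:
        if verdict.get(client, "allow") == "allow":   # a blocked client stays blocked
            verdict[client] = guard.check(client, ts, number, registered)
    return verdict


# Constructed sample traffic (not real data); phone numbers are plain integers.
phonebook = [("alice", i * 60, 15550000000 + i * 7919, i % 5 != 0) for i in range(60)]
scanner = [("scan", i, 15551000000 + i, i % 20 == 0) for i in range(500)]
walker = [("walk", i, 15552000000 + i, i % 2 == 0) for i in range(100)]
bulk = [("bulk", i, 15553000000 + i * 101, True) for i in range(250)]
VERDICTS = replay(phonebook + scanner + walker + bulk)
print(VERDICTS)
```

The "scan" client is stopped at its 50th lookup, far below the volume cap, which is the difference between watching patterns and counting clicks.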

Why This Still Matters to Every User

Even if you hide your “Last Seen” and profile picture, the simple fact that your number is on WhatsApp was discoverable. For many people, their phone number is the key to their whole digital life: bank alerts, two-factor codes, dating apps, everything. Knowing who uses WhatsApp is the first step for spam, phishing, stalking, or worse.

The Bigger Lesson

Features that feel convenient can become huge privacy holes when someone uses them at massive scale. Almost every messaging app has a similar “check number” feature, but most now have much stricter limits. The researchers showed that WhatsApp was playing catch-up.

FAQs

  1. Is my phone number still exposed right now?
    No. WhatsApp has added strong new limits. The researchers could not repeat the same attack today.
  2. Were my private messages read?
    Never. End-to-end encryption stayed perfect. Only public profile details were collected.
  3. Should I delete WhatsApp?
    Not necessary. The fixes are already live, and your chats remain private. Just keep your profile picture and “About” section private if you’re worried.
  4. Can someone still find out if I have WhatsApp?
    Yes, but now they can only check a tiny number of phones before WhatsApp blocks them.
  5. Why did WhatsApp allow this for so long?
    The company says they were already building better protections. This research helped them test and finish those defenses faster.
  6. I live in a country where WhatsApp is banned. Am I in danger?
    The researchers deleted all personal data and published nothing that identifies individuals. Still, it’s a reminder to be extra careful and consider using a VPN.

Stay safe, keep your profile settings locked down, and remember: the biggest risks often hide in the features we use every day without thinking.

By Aman
