WhatsApp security flaw exposes data of 3.5 billion users

A newly disclosed vulnerability in WhatsApp’s contact discovery system has exposed the phone numbers and profile metadata of up to 3.5 billion users, according to researchers from the University of Vienna.
The flaw, which existed for years, allowed attackers to automate the process of checking which phone numbers were registered on WhatsApp, revealing not only the numbers themselves but also associated profile photos, “about” texts, and device-related metadata.
The researchers demonstrated that they could query up to 100 million numbers per hour using WhatsApp Web, without triggering any rate limits or security blocks. Meta, WhatsApp’s parent company, acknowledged the issue and implemented a fix in October 2025, but emphasized that only “publicly available” data was exposed, not private messages or encrypted content.
‼️ WhatsApp leaks data of more than 3.5 billion users. WhatsApp's entire member directory was freely accessible online. Austrian researchers downloaded all phone numbers and other profile data – including public keys – without any obstacles. pic.twitter.com/dniau2FoDV
— International Cyber Digest (@IntCyberDigest) November 19, 2025
Critics argue that the scale of the exposure makes it one of the largest data leaks in history, especially given Meta’s long-standing awareness of the vulnerability. The incident has reignited concerns about using phone numbers as universal identifiers and the need for stronger privacy defaults in messaging apps.
To protect your privacy on WhatsApp, go to Settings > Privacy > Profile Photo / About / Last Seen, and set each to “My Contacts” or “Nobody.” You can also disable “Read Receipts” and limit who can add you to groups. These steps help reduce your exposure, even if your number is already public.