ISLAMABAD – Instant messaging app WhatsApp is part of everyone’s life, and amasssed over 3billion users. In a world connected by single app, one small experiment unveiled a massive threat. Using WhatsApp’s contact-lookup tool, researchers exposed billions of users’ phone numbers, turning what looked like a harmless convenience into a potential privacy disaster.
It started as curious experiment by a team of Austrian researchers, which quickly turned into revelation that shook digital world. The contact-lookup feature shows vulnerability that quietly exposed 3.5 billion phone numbers, revealing private details, profile photos, and personal info of nearly half the planet’s users.
The team warned this could have been largest data leak in history if the research hadn’t been conducted responsibly. The exposed data included phone numbers, timestamps, “about” info, profile pictures, and even public encryption keys.
The researchers bypassed app, tapping into WhatsApp’s XMPP interface with reverse-engineered client called whatsmeow. With just five sessions on a single server, they queried 7,000 numbers per second. They generated possible numbers in 245 countries and found no blocks, warnings, or limits from WhatsApp, making the sweep disturbingly easy.
The dataset revealed global usage patterns as device preferences, public profile visibility, and the sheer reach of WhatsApp even in banned countries. The team found 2.3 million active users in China, 1.6 million in Myanmar, 5 in North Korea, and over 59 million in Iran, where the app had been blocked until late 2024.
Meta confirmed vulnerability via its bug bounty program earlier this year and added stricter rate limits in October 2025. WhatsApp claims messages stayed encrypted and no malicious exploitation occurred. Officials said the study helped stress-test anti-scraping defenses, while critics argue the platform lacked real protections for users.
For the unversed, Business WhatsApp accounts may reveal even more personal information. Privacy experts warn that enumeration attacks like this could fuel phishing, SIM-swapping, and doxxing campaigns. Users are urged to lock profiles, limit personal info, and monitor accounts for suspicious activity.
The threat is especially serious in regions like West Africa, where 80pc of profiles are public, making identity theft and cyberattacks more likely.
Be Alert: Hackers stealing Mobile Data using Fake Wedding Invitations on WhatsApp
