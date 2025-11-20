

Security researchers have discovered a critical vulnerability with WhatsApp that exposes the phone numbers of more than 3 billion users worldwide.

The privacy flaw could be used by cyber criminals to gather profile information and infer the identities of users of the world’s most popular messaging app, which could then be used to carry out highly-targeted attacks.

Uncovered by a team from the University of Vienna and SBA Research, the privacy weakness centres on WhatsApp’s contact discovery mechanism, which asks users for permission to match mobile numbers in their address book to the app’s central database.

This allows WhatsApp to show which contacts are also using the messaging app. However, the enumeration mechanism could also be used by malicious actors to scrape phone numbers, profile photos, and users’ ‘About’ status.

“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences,” said researcher Gabriel Gegenhuber from the University of Vienna.

“They show that security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves.”

The team’s findings were published in a preprint paper titled ‘Hey there! You are using WhatsApp: Enumerating three billion accounts for security and privacy’.

Security experts have described the discovery as a “wake-up call” for platforms still using phone numbers as a form of user identity, which they warn are too public, too permanent, and too easily scraped to be used for this purpose.

“This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability,” Marijus Briedis, chief technology officer at VPN and security firm NordVPN, told The Independent.

“WhatsApp uses numbers as its core identity system, [so] attackers were able to automatically test billions of them and pull back profile details at extraordinary speed.”

With someone’s phone number, profile photo and status, cyber criminals would be able to build highly-targeted impersonation attacks, Mr Briedis noted.

“At scale, this becomes a goldmine for scammers, criminals and well-resourced cyber groups,” he said.

Meta, WhatsApp’s parent company, has since addressed and mitigated the issue, though it is not clear whether hackers exploited the flaw before it was fixed. The Independent has reached out to Meta for further information.

A former security chief of WhatsApp recently accused Meta of violating cyber security regulations that put billions at risk.

Attaullah Baig, who served as WhatsApp’s head of security from 2021 to 2025, filed a lawsuit in September with the US District Court for the Northern District of California that alleged WhatsApp failed to address the hacking and takeover of more than 100,000 accounts each day.