Researchers from the University of Vienna say that all 3.5 billion phone numbers on WhatsApp have been hacked because of a security flaw. Another thing the experts say is that they were able to see personal pictures of 57% of the people and even text on 29% of the accounts.
In particular, a different study in 2017 let WhatsApp and its parent company Meta know about the flaw. But the tech giant says that experts at the University of Vienna used a different way to count than what was shown in 2017.
If bad people had gotten the data, the experts said it would have been “the largest data leak in history,” even bigger than the Facebook scraping incident in 2021, when about 500 million records were lost.
The information has phone numbers, timestamps, about text, personal photos, and public keys for E2EE encryption. If it were made public, it would be bad for the people who are included, the experts said in their study.
WIRED talked to one of the experts who worked on the study and said, “As far as we know, this is the largest exposure of phone numbers and related user data ever recorded.”
Researchers say they told WhatsApp about the flaw in April 2025. At first, the company didn’t seem very interested in fixing it, but by October, it had worked with them to do so and put in place a tighter “rate-limiting” measure.
What did the flaw in WhatsApp look like?
When you send your address book to WhatsApp, the app will tell you which of your friends use WhatsApp. This is a basic function. Researchers found that because WhatsApp didn’t have a good way to limit the number of calls that could be made at once, the same function could be used to look up huge groups of phone numbers.
Read also:
- Apple Faces Legal Action in the US for Alleged Congo Conflict Mineral Links
- Teenagers Launch Legal Challenge Over Australia’s Social Media Ban for Children
- Apple i phone 18 expected in sept
Meta’s answer to the security hole
In a message to 9to5Mac, Meta admitted that there was a security problem. The company said in a statement, “We are grateful to the researchers at the University of Vienna for their responsible partnership and hard work under our Bug Bounty program.” Together, we found a new counting method that went beyond what we had planned, which let the researchers scrape basic information that was open to the public.
We were already working on the best anti-scraping tools in the business, and this study was a big part of putting them through their paces and proving that they worked right away. It’s important to note that the researchers have safely removed the data they collected for the study, and we haven’t seen any signs of bad people abusing this channel. To review, user texts stayed safe and private thanks to WhatsApp’s built-in end-to-end security. The hackers also couldn’t get to any private data, the report said.
How can you keep yourself safe?
You can’t take back info that has already been taken. But you can cut down on what people see going forward:
- Remember not to put private information in the “about” part of WhatsApp or any other social network page.
- Make sure that only your friends can see your personal picture and “about” section.
- Let us say that your phone number is a permanent way to identify you. Link as little public information as possible to it.
For people who live in places with strict rules, this kind of info could be really dangerous if it was used in the wrong way. Even though WhatsApp says it has “no evidence of malicious actors abusing this vector,” that doesn’t mean there isn’t any. This is especially true for hacking activity, which is famously hard to find after the fact.
