According to 9to5Mac, a massive WhatsApp security flaw exposed the phone numbers of approximately 3.5 billion users worldwide. The vulnerability was first reported to Meta back in 2017 by security researchers who discovered the platform had no limits on phone number verification checks. Incredibly, the exact same flaw remained unpatched for eight years until Austrian researchers from the University of Vienna demonstrated it again in 2025. These researchers captured 30 million US phone numbers in just 30 minutes and could have scraped data from virtually every WhatsApp user globally. The researchers described this as potentially “the largest data leak in history” if exploited maliciously. Meta finally implemented rate-limiting protections about six months after being alerted by the Austrian team.
How the flaw worked
Here’s the thing about WhatsApp’s design – it makes finding contacts incredibly easy. You add someone’s number, and boom, you instantly see if they’re on WhatsApp along with their profile picture and name. That convenience feature became the vulnerability. Basically, there was nothing stopping someone from automating this process and checking every possible phone number combination. The researchers essentially built a script that did exactly that, turning a user-friendly feature into a massive data harvesting tool. And the scary part? This wasn’t some sophisticated hack – it was exploiting the normal way WhatsApp works, just at an industrial scale.
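To make the missing control concrete, here is an added example (written for this page, not code from the article, the researchers, or Meta) that models a contact-discovery lookup two ways: the weak design, where any client can query as many numbers as it likes, and a hardened variant gated by a per-client sliding-window quota. The in-memory directory, the client ids, the number format, and the limit of 20 lookups per 60 seconds are all constructed assumptions for the demonstration; a real service would choose its thresholds from observed legitimate usage and back them with shared state rather than a process-local dictionary.

```python
"""Contact-discovery lookup with and without per-client rate limiting.

Everything here is a constructed stand-in: the directory, the client ids,
the number format and the quota values are assumptions for the example.
"""
from __future__ import annotations

import time
from collections import defaultdict, deque
from typing import Callable, Optional

# Constructed sample directory: number -> public profile fields a lookup returns.
DIRECTORY = {
    "+15550000001": {"name": "Alice", "has_photo": True},
    "+15550000007": {"name": "Bob", "has_photo": False},
}


def lookup_unlimited(client_id: str, number: str) -> Optional[dict]:
    """The weak design: any client may check any number, as often as it likes."""
    return DIRECTORY.get(number)


class ManualClock:
    """Deterministic clock so window expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SlidingWindowLimiter:
    """Allow at most `limit` lookups per client within any `window` seconds.

    Timestamps of recent lookups are kept per client; anything older than the
    window is discarded before the quota is checked.
    """

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # client_id -> deque of timestamps

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        events = self._events[client_id]
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


class RateLimitExceeded(Exception):
    """Raised when a client has used up its lookup quota for the window."""


def make_limited_lookup(limiter: SlidingWindowLimiter):
    """Hardened variant: the same lookup, but every call consumes quota."""

    def lookup(client_id: str, number: str) -> Optional[dict]:
        if not limiter.allow(client_id):
            raise RateLimitExceeded(client_id)
        return DIRECTORY.get(number)

    return lookup


def simulate_burst(lookup, client_id: str, attempts: int) -> tuple:
    """Issue `attempts` consecutive lookups from one client against the mock
    directory and return (lookups_served, lookups_refused)."""
    served = refused = 0
    for i in range(attempts):
        number = f"+1555{i:07d}"  # constructed numbers, most absent from DIRECTORY
        try:
            lookup(client_id, number)
            served += 1
        except RateLimitExceeded:
            refused += 1
    return served, refused


if __name__ == "__main__":
    clock = ManualClock()
    limited = make_limited_lookup(SlidingWindowLimiter(limit=20, window=60.0, clock=clock))
    print("unlimited:", simulate_burst(lookup_unlimited, "client-a", 1000))
    print("limited:  ", simulate_burst(limited, "client-a", 1000))
```

The unlimited variant answers every one of the 1,000 probes; the limited one serves 20 and refuses the remaining 980 until the window slides. The injectable clock is what makes the expiry behaviour testable without real time passing.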
Eight years of ignored warnings
What’s truly mind-boggling about this whole situation is the timeline. A security researcher first flagged this exact issue to Meta in 2017. That’s eight years ago. Think about how much has changed since then – different phones, different operating systems, different privacy regulations. Yet this simple protection measure, something as basic as rate-limiting, sat unimplemented. The researchers needed to demonstrate the vulnerability on a massive scale before the company finally acted. WhatsApp claims they were already working on a fix, but come on – eight years? That’s not working on a fix, that’s ignoring a fundamental security issue.
What this means for users
So your phone number was probably in that database. Maybe your profile picture too. While the researchers acted responsibly and deleted everything, the concern is whether anyone else discovered this vulnerability during those eight years. Phone numbers are particularly sensitive because they’re often tied to other accounts through two-factor authentication. Having a database of 3.5 billion verified active numbers would be a goldmine for spammers, scammers, or worse. The real question is – if academic researchers found this so easily, who else might have been exploiting it quietly? The scale here is almost unimaginable – we’re talking about nearly half the world’s population having their contact information exposed through what should have been a simple fix.
Big tech’s security problem
This incident highlights a troubling pattern in big tech. Security researchers do the hard work of finding vulnerabilities, report them responsibly, and then… crickets. It takes public demonstrations or media attention to force action. Meanwhile, companies like Meta process unimaginable amounts of sensitive data while apparently treating basic security measures as optional. When you’re dealing with systems at this scale, you can’t afford to wait eight years on fundamental protections. The researchers proved this wasn’t some edge case – they scraped millions of numbers in minutes using completely legitimate API calls. That’s not a sophisticated attack – that’s a feature that became a weapon through sheer negligence.