
The WhatsApp privacy scare you probably missed

How a fixed WhatsApp flaw exposed millions and what your phone number still reveals about you
Luis Corrons
Security Evangelist at Gen
Published
December 1, 2025
Read time
10 Minutes

    Most of us open WhatsApp without thinking twice. It is where family chats live, where school groups share reminders, and where friends send memes at all hours. It feels personal and private, especially since WhatsApp messages are end-to-end encrypted. 

    That is why a recent piece of research from the University of Vienna is so interesting. The researchers found a way to use WhatsApp’s own features to map 3.5 billion accounts worldwide, pulling in phone numbers and profile details at industrial scale. They did this under a bug bounty, reported everything to Meta, and the issue has now been fixed. 

    So, if the problem is already solved, why talk about it? 

    Because this was a glimpse of what could happen if the wrong people found the same weakness first. And because it reminds us that a simple phone number can expose much more about you than you might think. 

    What the researchers actually did 

    WhatsApp has a feature that feels completely normal: when you open the app, it checks the contacts in your phone and shows you which ones are already on WhatsApp. To do that, your app sends lists of phone numbers to WhatsApp’s servers, and the servers reply with “yes, this number has an account” or “no, it does not”. 

    In theory, this kind of feature should be tightly controlled. You should only be able to check small batches of numbers, and you should not be able to ask that question millions of times in a row. 

    The Vienna team showed that in practice, it was possible to do exactly that. With some clever scripting and a small number of accounts, they were able to feed in huge lists of phone numbers, check around 100 million numbers per hour from a single server, and see which ones had WhatsApp accounts. For many of those accounts, they could also see public profile photos, “about” texts and some technical details about the devices. 
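    The mechanism above is simple to picture in code. The following is an added illustration, not WhatsApp's or the researchers' code: a toy contact-discovery endpoint that answers "is this number registered?", first with no controls at all, then with the two controls the text calls for, a cap on how many numbers one request may carry and a per-account lookup budget per time window. The registry of numbers, the limits, the number range and the clock are all constructed for the example; the real service's values and internals are not public here.

```python
"""Added example, not WhatsApp's code: a toy contact-discovery endpoint that
answers "is this number registered?" first with no controls, then with a batch
cap and a per-account lookup budget. Registry, limits, numbers and clock are
all constructed for illustration."""
import time

# Constructed registry of numbers that "have an account" (a database in reality).
REGISTERED = {"+4366400000001", "+4366400012345", "+15551234567", "+34600111222"}

# Hypothetical limits picked for illustration, not WhatsApp's real values.
MAX_BATCH = 50             # numbers accepted per request
LOOKUP_BUDGET = 500        # numbers one account may check per window
WINDOW_SECONDS = 3600


class BatchTooLarge(Exception):
    pass


class RateLimited(Exception):
    pass


def discover_unprotected(numbers):
    """Before: any caller may check any quantity of numbers, as often as it likes.
    This is the shape of feature that enumeration scales against."""
    return {n: (n in REGISTERED) for n in numbers}


class ContactDiscovery:
    """After: same answer, but each account has a lookup budget per window
    and no single request may exceed MAX_BATCH numbers."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the window can be simulated
        self._usage = {}         # account_id -> (window_start, lookups_used)

    def discover(self, account_id, numbers):
        if len(numbers) > MAX_BATCH:
            raise BatchTooLarge(f"{len(numbers)} numbers exceeds batch cap {MAX_BATCH}")
        now = self._clock()
        start, used = self._usage.get(account_id, (now, 0))
        if now - start >= WINDOW_SECONDS:   # budget resets once the window has passed
            start, used = now, 0
        if used + len(numbers) > LOOKUP_BUDGET:
            raise RateLimited(f"account {account_id} exhausted {LOOKUP_BUDGET} lookups")
        self._usage[account_id] = (start, used + len(numbers))
        return {n: (n in REGISTERED) for n in numbers}


def sweep_range(service, account_id, prefix, count):
    """Attacker-style sweep: walk a numbering range in MAX_BATCH-sized requests
    until the service refuses. Returns (numbers checked, registered numbers found)."""
    checked, found = 0, []
    while checked < count:
        batch = [f"{prefix}{i:07d}" for i in range(checked, min(checked + MAX_BATCH, count))]
        try:
            answer = service.discover(account_id, batch)
        except RateLimited:
            break
        found.extend(n for n, registered in answer.items() if registered)
        checked += len(batch)
    return checked, found


class FakeClock:
    """Constructed clock so the example can fast-forward past the window."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    numbers = [f"+436640{i:07d}" for i in range(100_000)]
    hits = sum(discover_unprotected(numbers).values())
    print(f"unprotected: swept {len(numbers)} numbers in one call, {hits} registered")

    clock = FakeClock()
    service = ContactDiscovery(clock)
    checked, found = sweep_range(service, "attacker-1", "+436640", 100_000)
    print(f"protected: refused after {checked} numbers, found {found}")
    clock.now += WINDOW_SECONDS
    checked, _ = sweep_range(service, "attacker-1", "+436640", 100_000)
    print(f"protected, next window: only another {checked} numbers")
```

    With the budget in place, sweeping the same 100,000-number range needs hundreds of accounts or windows instead of one call, which is the whole point of the control: it does not make enumeration impossible, it makes it expensive and, as the next section discusses, visible.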

    They did not break the encryption on any messages and they did not spy on any chats. Instead, they turned a convenience feature into a kind of worldwide directory of WhatsApp users. 

    Once they had proved the point, they worked with Meta, WhatsApp's parent company. Meta added stricter protections on its side and said it found no evidence that criminals had used the same trick. 

    From a user’s perspective, there is nothing you need to “fix” yourself about this particular bug. But there are a few important lessons hidden in the story. 

    “No evidence of abuse” does not mean “no risk” 

    Meta says there is no evidence that criminals used this technique in the wild. That is reassuring, and it is good that the issue was fixed under a bug bounty instead of being discovered after a major leak. 

    At the same time, it helps to understand what that sentence really means. 

    The researchers hammered WhatsApp’s systems very loudly from one place, on purpose, so that the problem would be impossible to miss once you went looking for it. A careful attacker would do the opposite. They would spread the same kind of traffic over many accounts, many IP addresses and a longer period of time, so that it blends in with normal use. 

    That kind of activity is much harder to spot. You need monitoring that looks at the right signals, you need to know what patterns to look for, and you need to keep detailed logs long enough to add up activity that was deliberately spread thin across accounts, addresses and time. 
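    To make the "spread it out" point concrete, here is an added example of the kind of after-the-fact check a monitoring team could run; it is not Meta's detection logic and is not drawn from the research. It reads constructed contact-discovery log lines, sums lookups per account and per /24 network over a whole day, and flags groups whose lookups mostly ask about numbers that turn out not to be registered. The heuristic assumed here is that a genuine address-book sync mostly asks about numbers that do exist, while a sweep of a numbering range mostly does not. The log format, accounts, TEST-NET addresses and thresholds are all invented for the example; one scanning account is loud enough to be caught on its own, four others each stay under a plausible per-account limit and only show up once their shared network block is summed.

```python
"""Added example, not Meta's detection logic: spotting a distributed, low-and-slow
enumeration run in contact-discovery logs. Each scanning account stays under a
plausible per-account limit, so the signal only appears when lookups are summed
over a longer window and across accounts that share a network. The log format,
addresses, accounts and thresholds are all constructed for this example."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed log lines (TEST-NET addresses). "queried" is how many numbers a
# request checked, "hits" how many of them turned out to be registered.
LOG_LINES = """
2025-11-20T08:00:01Z account=alice ip=198.51.100.10 queried=120 hits=95
2025-11-20T08:05:12Z account=bob ip=198.51.100.23 queried=40 hits=31
2025-11-20T09:07:44Z account=carol ip=198.51.100.77 queried=300 hits=240
2025-11-20T08:10:00Z account=scan01 ip=203.0.113.11 queried=400 hits=13
2025-11-20T11:42:03Z account=scan02 ip=203.0.113.12 queried=400 hits=11
2025-11-20T15:19:05Z account=scan03 ip=203.0.113.13 queried=400 hits=14
2025-11-20T19:55:08Z account=scan04 ip=203.0.113.14 queried=400 hits=12
2025-11-20T22:15:30Z account=scan05 ip=192.0.2.9 queried=2000 hits=60
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) "
    r"queried=(?P<queried>\d+) hits=(?P<hits>\d+)$"
)


def parse_lines(lines):
    """Parse the constructed format; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["queried"] = int(rec["queried"])
            rec["hits"] = int(rec["hits"])
            records.append(rec)
    return records


def subnet24(ip):
    """Group addresses by /24 so accounts spread over one block are seen together."""
    return str(ip_network(f"{ip}/24", strict=False))


def aggregate(records, key):
    """Sum queried numbers and hits per key and compute the hit rate.
    Assumed heuristic: a real address-book sync mostly asks about numbers that
    are registered; a sweep of a numbering range mostly asks about ones that are not."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        k = key(r)
        totals[k][0] += r["queried"]
        totals[k][1] += r["hits"]
    return {
        k: {"queried": q, "hits": h, "hit_rate": h / q}
        for k, (q, h) in totals.items()
        if q > 0
    }


def flag_low_hit_rate(aggregates, min_queried, max_hit_rate):
    """Flag keys with enough volume to judge and a hit rate far below what a
    real address book produces. Both thresholds are assumed values."""
    return sorted(
        k for k, v in aggregates.items()
        if v["queried"] >= min_queried and v["hit_rate"] <= max_hit_rate
    )


def detect(lines, min_queried=1000, max_hit_rate=0.2):
    """Run the same test per account and per /24; returns (accounts, subnets)."""
    records = parse_lines(lines)
    per_account = aggregate(records, lambda r: r["account"])
    per_subnet = aggregate(records, lambda r: subnet24(r["ip"]))
    return (
        flag_low_hit_rate(per_account, min_queried, max_hit_rate),
        flag_low_hit_rate(per_subnet, min_queried, max_hit_rate),
    )


if __name__ == "__main__":
    accounts, subnets = detect(LOG_LINES)
    print("accounts over threshold on their own:", accounts)
    print("subnets over threshold once accounts are summed:", subnets)
```

    Grouping by /24 is only one of several ways to tie accounts together; a real investigation would also look at registration time, device fingerprints and the numbering ranges being queried. The lesson is the same in each case: logs kept for a day or a week and summed across accounts reveal what a per-request rate limiter, looking at one account at a time, never sees.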

    This is why security professionals often say “absence of evidence is not evidence of absence”. In simple terms, you can honestly say “we did not see anything worrying”, but you cannot promise that nobody ever tried it in a quieter way. 

    For you as a user, the practical takeaway is that this was not a scare about people reading your chats. It was a reminder that the information around your chats, such as your phone number, profile and online presence, can be very valuable on its own. 

    Your phone number is not “just a number” anymore 

    There is another detail in the study that should make anyone with a smartphone stop and think. 

    The researchers compared their WhatsApp data with numbers from a big Facebook scraping incident that hit the news in 2021. In that earlier case, attackers abused a different contact importer to pull phone numbers and profile details from Facebook. 

    When the team compared the two, they found that roughly half of the numbers from the old Facebook leak are still active on WhatsApp today. 

    That tells us a few things. 

    Most people do not change their phone number after a leak, even a very large one. A phone number is tied to your contracts, your accounts, your family and work life. Swapping it out is painful, so we keep it. 

    At the same time, more and more services treat your number as your identity. It is your login, your recovery method, your verification code and your contact point. It links together your messaging apps, social networks, shopping accounts and even loyalty cards. 

    Once a number appears in one big leak, it becomes the thread that lets scammers pull on every other part of your digital life. Years later, your number can still be used to look you up on new platforms, refresh old data and craft more convincing scams. 

    So the real problem is not “reusing the same account across platforms”. The problem is that the phone number itself has quietly turned into a long term identifier that follows you everywhere. 

    What could criminals do with a database like this? 

    Imagine, for a moment, that this research had not been done by academics but by a criminal group that kept the data for itself. 

    They would not have your message contents. Encryption still protects that part. What they would have is: 

    • A huge, up to date list of real WhatsApp numbers.
    • For many of them, a name and face from the profile photo.
    • Clues about which country you live in, which language you use and what device you own. 

    That is more than enough to run some very effective scams. 

    A scammer does not need to read your chats to trick you. They need a working number, some believable background details and a good story. 

    With a database like this, they could: 

    • Target people in a specific country with messages in the right language and time zone.
    • Focus on numbers that look like they belong to businesses and try fake “boss” or “supplier” messages.
    • Match numbers with old leaks to build a fuller picture of who you are. 

    In countries where WhatsApp use is restricted or frowned upon, such a database in the wrong hands could even be used for surveillance, for example by revealing how many people are secretly using the app. 

    The important point is that a single design flaw in a familiar feature almost turned into an “address book for the planet”. 

    What you can do to protect yourself 

    You cannot redesign WhatsApp yourself, and you cannot undo the fact that the flaw existed before it was fixed. What you can do is reduce how much of your life is exposed through your phone number. 

    Here are a few practical steps, explained without technical jargon. 

    Tighten your WhatsApp privacy settings 

    Spend two minutes in WhatsApp settings and look at who can see what. 

    Set your profile photo and “about” information so that only your contacts can see them. If you do not need strangers to see your picture, there is no reason to make it public. You can also limit your “last seen” and online status if you prefer. 

    This does not stop your number being checked behind the scenes, but it does reduce how much personal detail is revealed at a glance. 

    Treat your main number as sensitive 

    Think about where your main number appears in public. Is it on social media bios, websites, adverts, public groups or forums? 

    When possible, use a different number for public things like classifieds, business listings or newsletters. Many people now use a second SIM or a separate online number for that, so that their “real” number stays more private. 

    Be aware of long-term risk 

    If you know, or strongly suspect, that your number has been part of a big leak in the past, assume it will stay attractive to scammers for years. 

    That does not mean you should panic. It simply means you should be more cautious with any unexpected WhatsApp message or call, especially if the sender already seems to know something about you. 

    Slow down, verify who you are talking to through another channel if needed, and never let yourself be rushed into clicking links or handing over verification codes. 

    The bigger lesson for all of us 

    The WhatsApp case is not a story about broken encryption or leaked message content. It is something more subtle. 

    A feature that was built to make our lives easier, by telling us which friends are “already on WhatsApp”, turned out to be abusable on a massive scale. A group of researchers caught it in time, and the company fixed it. This time we were lucky. 

    The bigger lesson is that convenience features often rely on information that looks harmless on its own, such as a phone number. When you combine that information with scale and automation, it can suddenly become very sensitive. 

    For everyday users, the best response is not to delete every app and vanish from the internet. It is to: 

    • Treat your phone number as an important piece of personal data, not just something you hand out without thinking.
    • Use the privacy controls that apps already give you.
    • Stay skeptical of unexpected messages, even when they arrive on apps that feel “safe”. 

    The technology around us will keep changing, and security research like this will keep uncovering problems. The more we understand what our data can reveal, the better choices we can make about how and where we share it.

    Luis Corrons
    Security Evangelist at Gen
    Luis has worked in anti-virus for over a decade. Outside of Gen, he's a WildList reporter, chairman of the Board of Directors of AMTSO (Anti-Malware Testing Standards Org) and a member of the Board of Directors of MUTE (Malicious URLs Tracking and Exchange).