WhatsApp, the messaging app used by 3.5 billion users, has long been celebrated for its ironclad security and privacy.
But researchers have managed to pick the app’s lock in a rather simple way – by adding people’s phone numbers.
The trick, revealed in a paper published on Github, a software platform where programmers share code, shows virtually every user’s number.
This amounts to one of ‘the largest data leaks in history’, the team from the University of Vienna in Austria said.
Meta, which owns WhatsApp, stressed to Metro that no private user information was accessed and all numbers were deleted afterwards.
The company has found no evidence of hackers ‘abusing’ the trick.
How did researchers discover 3.5 billion people’s phone numbers?
To message someone on WhatsApp, the user first has to add them to their contacts, with the app searching if the person already has an account.
If they do, the person is added to their contacts book and their profile picture and ‘about’ tagline, if they have them, are shown.
This is part of the app’s contact discover feature and phone numbers must be searchable for this to work.
Security researchers from the University of Vienna tested the security bug by automatically generating and searching for 63 billion possible phone numbers to see if they have WhatsApp accounts.
Doing so confirmed the phone numbers of 100 million users per hour.
It’s not just phone numbers the researchers pried open – they were able to see the profile photos of 57% of users.
For 29.3% of users, their ‘about’ text was accessible, with some sharing information about their religious and political views or links to their other social media accounts.
WhatsApp gives every user two sets of keys to keep their messages secure – a public key that can be shared with anyone who wants to encrypt a message to you and an unsharable private key that decrypts messages.
This is part of the app’s end-to-end encryption, a snoop-proof security tool that scrambles messages so only the sender and intended receiver can view the messages.
No one, not even WhatsApp, can read messages.
Researchers found that 2.9 million instances of public keys being reused, which could undermine end-to-end encryption.
At least 20 US numbers shared a public key made up of all zeroes.
The study, carried out in December 2024 and April 2025, generated the dataset using a tool called libphonegen, akin to a phone book.
Should I be worried about my privacy?
Marijus Briedis, the chief technology officer at the cybersecurity software NordVPN, told Metro that the vulnerability could be used by hackers.
‘This issue highlights a fundamental problem with WhatsApp’s architecture: the phone number itself is the vulnerability,’ he said.
‘Because WhatsApp uses numbers as its core identity system, attackers were able to automatically test billions of them and pull back profile details at extraordinary speed.
‘You didn’t need to hack messages – you just needed to check whether a number was registered, and the system would reveal far more than it should.’
Breidis said he worries that the flaw puts the information underlying all digital media – metadata – at risk, too.
Metadata includes IP addresses (which reveal your general location and can be tied back to your device) and when and who you message, according to WhatsApp’s privacy policy.
‘At scale, this becomes a goldmine for scammers, criminals, and well-resourced cyber group,’ Briedis added.
‘The scale of this incident – potentially affecting billions of numbers – should be a wake-up call for any platform that still relies on phone numbers for identity.’
‘Phone numbers were never designed to be secure identifiers; they’re too public, too permanent and too easily scraped.’
The study was conducted as part of Meta’s Bug Bounty program, where the social media giant pays people to alert the company to security flaws.
Meta told Metro it received 13,000 bug submissions this year, writing roughly £3 million in bounties for almost 800 valid reports.
The Austrian study was flagged by the company as one of the ‘greatest finds’ so far in a news release on Tuesday.
Nitin Gupta, VP of Engineering at WhatsApp, thanked the Austrian academics for discovering the ‘novel’ flaw.
How can I keep my WhatsApp account safe and secure?
The app’s Help Center says there are five ways to do so:
- Lock and password-protect personal chats, which hide conversations in a ‘Locked Chats’ folder.
- Limit who can see your profile picture.
- Secure your account with Face ID, Touch ID, or Fingerprint.
- Send media and voice messages as ‘view once’, so they are deleted afterwards and cannot be saved by the recipient.
- Choose who can see your status, the app’s answer to Instagram Stories, which can be a picture or video of what you’re doing.
‘We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defences,’ she said in a statement to Metro.
‘Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector.
‘As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers.’
Get in touch with our news team by emailing us at webnews@metro.co.uk.
For more stories like this, check our news page.
MORE: Russian hackers target IVF clinics across UK used by thousands of couples
MORE: 1,300,000,000 passwords exposed in historic cybercriminal-linked breach
MORE: Two in five using devices like ‘dodgy’ Fire sticks have been financially hacked
