WhatsApp flaw exposes 3.5 Billion phone numbers

A WhatsApp security flaw exposed the phone numbers of nearly 3.5 billion users, prompting Meta to implement limits to prevent mass scraping of data.

Agencies and A News TECH
Published November 19, 2025

A major security flaw on WhatsApp, one of the world's largest messaging platforms, exposed the phone numbers of nearly 3.5 billion users worldwide. Researchers noted that the vulnerability could be exploited in just half an hour using a "simple" method capable of collecting millions of numbers.

Security experts who discovered the flaw warned that if malicious actors used the same method, it could result in "the largest data leak in history."

The most striking criticism is that this vulnerability was first reported to Meta in 2017, yet the company had not implemented the necessary security measures for eight years.

HOW IT HAPPENED:

WhatsApp's core communication system allows instant detection of whether a user is on the platform when their phone number is added to a contact list. This process can also reveal details such as profile photos and names. Researchers exploited the ability to repeat this process without limits, systematically scanning and extracting nearly all WhatsApp users' numbers.

Researchers from the University of Vienna said they accessed the first 30 million U.S. phone numbers within half an hour. Aljosha Judmayer, one of the researchers, stated, "To our knowledge, this is the largest disclosure of phone numbers and associated user data to date."

The researchers securely deleted the database after submitting it to Meta, which confirmed that there is no evidence of malicious use of the system.

META: RATE LIMITS IMPLEMENTED

Meta said it has long been working on anti-scraping systems, and this research helped test new defenses. The company emphasized that users' messages remain protected with end-to-end encryption and private content was not accessed.

Meta's statement included:
"This research played an important role in testing our security systems. The data collected by the researchers was securely deleted, and there is no evidence of malicious attacks using this method."

Following the incident, Meta introduced limits on system operations to prevent mass scraping of user data.
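
An added example, not from the article or from Meta: a sketch of the kind of limit described above, assuming a per-account cap on how many previously unqueried numbers a client may check per hour. The class name, thresholds, and sample traffic are constructed for illustration; the article does not describe how Meta's limits work.

```python
from collections import defaultdict, deque


class ContactLookupBudget:
    """Per-account cap on *new* phone numbers checked within a sliding window."""

    def __init__(self, max_new_numbers, window_seconds):
        self.max_new = max_new_numbers
        self.window = window_seconds
        self.seen = defaultdict(set)       # account -> numbers already charged
        self.charges = defaultdict(deque)  # account -> (time, number) in window

    def _expire(self, account, now):
        q = self.charges[account]
        while q and now - q[0][0] >= self.window:
            _, old = q.popleft()
            self.seen[account].discard(old)

    def allow(self, account, number, now):
        """Return True if the lookup may be answered, False if throttled."""
        self._expire(account, now)
        if number in self.seen[account]:
            return True   # re-sync of an already-checked contact costs nothing
        if len(self.charges[account]) >= self.max_new:
            return False  # budget spent: do not reveal registration status
        self.charges[account].append((now, number))
        self.seen[account].add(number)
        return True


def run_demo():
    budget = ContactLookupBudget(max_new_numbers=5, window_seconds=3600)
    # Constructed sample traffic: (account, number, unix_time)
    address_book = ["+15550100", "+15550101", "+15550102"]
    events = []
    for t in (0, 600, 1200):  # ordinary client re-syncing the same 3 contacts
        events += [("alice", n, t) for n in address_book]
    # Client walking a consecutive number range (assumed hypothetical account)
    events += [("scanner", f"+1555020{i}", 10 + i) for i in range(10)]
    results = defaultdict(lambda: {"allowed": 0, "throttled": 0})
    for account, number, t in events:
        key = "allowed" if budget.allow(account, number, t) else "throttled"
        results[account][key] += 1
    return dict(results)


if __name__ == "__main__":
    print(run_demo())
```

Charging only for numbers not seen before keeps ordinary address-book syncs unaffected while bounding how fast any single account can test unknown numbers.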