WhatsApp Security Flaw: Billions Had Their Phone Numbers and Photos Exposed

WhatsApp is one of the world’s most popular messaging apps, used by over two billion people to chat, share photos, and keep in touch. It has always claimed to be a safe app, with messages protected by “end-to-end encryption.” However, in late 2025, security researchers discovered a severe issue. Due to a flaw in how WhatsApp determines which of your contacts use the app, it was possible for anyone—from hackers to scammers—to discover if almost any phone number in the world was on WhatsApp. Worse, they could also see that person’s profile photo and their “about” text if the user hadn’t changed privacy settings.

How Did This Flaw Work?

When you use WhatsApp, the app has a feature called “contact discovery.” This is what makes it so easy to find your friends on WhatsApp: you upload your phone contacts, and WhatsApp tells you which of your contacts are also using the app. The problem was, there was no real limit to how many phone numbers someone could check at once. Security experts showed that anyone could test millions—even billions—of phone numbers with special software, finding out not just which numbers belonged to WhatsApp users, but also collecting profile pictures and texts linked to those numbers, if they were set to public.

It didn’t matter whether someone was on your contact list or not. If their profile photo or “about” text was public, anyone in the world could see it. Researchers were able to do this for 3.5 billion accounts. For 57% of them, they pulled actual photos; for 29%, they also got status texts.

Why Is This a Big Deal?

This isn’t just a technical issue for computer experts—it affects everyday people. Your phone number can reveal your identity, especially if it’s linked to other information about you. Your profile photo could include your face, your family, where you work, or the town you live in. By matching phone numbers to faces or personal info, scammers, stalkers, or even governments in countries where WhatsApp is banned could single out or target people much more easily.

This kind of flaw could also let telemarketers, advertisers, or people running phishing scams build “reverse phone books”—giant databases linking numbers with real names, photos, or other identity details, just from WhatsApp. These lists can be resold on the dark web or used in social-engineering attacks, making users even more vulnerable.

How Long Did This Go Unnoticed?

This isn’t a brand new problem. Security experts warned WhatsApp and its parent company Meta (previously Facebook) about similar issues as far back as 2017. But the company didn’t put limits on how fast or how often someone could check phone numbers. It wasn’t until this latest research, in late 2025, that WhatsApp finally put in strong “rate limits” to stop this abuse.

Was My Account Affected?

Chances are, yes. If you use WhatsApp and haven’t changed your privacy settings to restrict your profile photo and “about” text to “My Contacts” only, strangers could have seen your info. This was true for users worldwide, including those in countries where WhatsApp is technically illegal or blocked. Researchers said 3.5 billion numbers could have been matched in just a few days with the tools they used. Even if you are never scammed, that means your information could have been gathered by anyone without you ever knowing.

What Did WhatsApp Do?

Once the company saw the new evidence, WhatsApp (Meta) told reporters and the researchers that they were grateful for the discovery. They finally put up defenses so that now, if someone tries to check millions of numbers very quickly, WhatsApp stops them. They said no actual evidence of mass abuse was found, though it’s hard to be sure because such attacks leave few visible traces. The flaw did not affect message privacy—your chats and calls still stayed encrypted and private.

What Can You Do About It?

Here are some simple steps to protect your privacy on WhatsApp (and many other messaging apps):

  • Go to your WhatsApp settings, tap Account, then Privacy.
  • Set your Profile Photo and About section to “My Contacts” (not “Everyone”).
  • Only add people you trust to your contacts, and be careful about accepting unknown messages or calls.
  • Never put sensitive or personal information in your “About” field or use a profile photo you wouldn’t want strangers to see.
  • Always run the latest version of WhatsApp, as new updates often include important security fixes.

Why Was This a “Design Flaw” and Not a Hack?

This wasn’t the result of hackers breaking into WhatsApp’s servers or decrypting messages. Instead, it was a basic design oversight—the company just didn’t expect people to check millions of phone numbers automatically. But in today’s world, computers can automate these checks much faster and at a much bigger scale than before. What seems like a simple convenience for users can turn into a nightmare if not carefully managed.
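To make the missing control concrete, here is a sketch of a per-account budget on newly looked-up numbers for a contact-discovery endpoint. It is an added example, not WhatsApp's code or the researchers'; the class name, the limits and the sample phone numbers are assumptions made up for illustration.

```python
import time
from collections import defaultdict, deque


class DiscoveryLimiter:
    """Per-account budget on NEW numbers looked up within a rolling window.

    Re-checking numbers the account already looked up (a normal address-book
    re-sync) is free; only first-time lookups spend budget. State is kept in
    memory here purely for illustration.
    """

    def __init__(self, max_new=500, window_s=86400, clock=time.monotonic):
        self.max_new, self.window_s, self.clock = max_new, window_s, clock
        self._seen = defaultdict(set)     # account -> numbers already checked
        self._spent = defaultdict(deque)  # account -> times of new lookups

    def filter_batch(self, account, numbers):
        """Split one contact-upload batch into (allowed, rejected)."""
        now = self.clock()
        seen, spent = self._seen[account], self._spent[account]
        while spent and now - spent[0] >= self.window_s:
            spent.popleft()               # expire spend older than the window
        budget = self.max_new - len(spent)
        allowed, rejected = [], []
        for number in dict.fromkeys(numbers):  # de-duplicate, keep order
            if number in seen:
                allowed.append(number)
            elif budget > 0:
                seen.add(number)
                spent.append(now)
                budget -= 1
                allowed.append(number)
            else:
                rejected.append(number)   # caller declines these lookups
        return allowed, rejected


def demo():
    """Constructed scenario with tiny limits so the effect is visible."""
    now = [0.0]
    lim = DiscoveryLimiter(max_new=3, window_s=60, clock=lambda: now[0])
    book = ["+15550000001", "+15550000002"]  # constructed sample numbers
    first = lim.filter_batch("acct-1", book)
    resync = lim.filter_batch("acct-1", book)       # same book: costs nothing
    sweep = [f"+1555000{i:04d}" for i in range(100, 110)]
    scan = lim.filter_batch("acct-1", sweep)        # sequential range lookup
    now[0] = 61.0                                   # window has rolled over
    later = lim.filter_batch("acct-1", sweep[5:6])
    return first, resync, scan, later
```

A per-account budget is only one layer; a real service would pair it with limits per device and network, and with monitoring for accounts that keep hitting the cap.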

Many apps use phone numbers to identify users, but this incident shows why that’s risky. WhatsApp is now testing new “usernames” as a different way for people to connect, avoiding phone number overexposure.

What’s Next for WhatsApp and User Privacy?

WhatsApp is a critical part of digital life for billions, especially in countries where it’s the main way to chat and call for free. This security issue proves how important it is for app makers to think about every way personal information can leak—not just from hackers, but from features and shortcuts that prioritize convenience over security.

For users, the main takeaway is to always protect your privacy settings, keep apps up to date, and be cautious about sharing personal information online. For WhatsApp and Meta, this is a lesson that even the biggest, most popular apps can make basic mistakes—and need to listen sooner when experts point out risks.
