Data of 3.5 billion users of WhatsApp is in danger: Details like profile picture-status are being leaked, researchers found a flaw in the app.

Researchers said that the problem lies in the contact discovery feature of WhatsApp. When you enter a phone number in the app, it tells whether that user is on WhatsApp or not. But it lacks rate limiting, which means anyone can check millions and crores of numbers with the automated tool. Researchers at Vienna University used a tool called libphonegen. This generated realistic phone numbers of 245 countries. Then connected to WhatsApp’s XMPP protocol and sent the query.

This research was done between December 2024 and April 2025. In which 63 billion potential numbers were checked from 5 accounts and a university server. The result found 3.5 billion active accounts at a speed of 100 million per hour. Out of which profile pictures of 56.7% users and about text of 29.3% were exposed i.e. leaked.

These texts included political views, religion or other social media links. Apart from this, public keys were reused in 29 lakh cases, which can weaken end-to-end encryption. In America, zero keys were shared on 20 numbers, which is a sign of fraud. The researchers deleted the data, but it shows how easy it is to scrape public data.

3.5 billion users affected, 75 crore affected in India

Researchers said that this leak is global and users from 245 countries were included in this research. Out of total 3.5 billion i.e. 350 crore users, maximum accounts are affected in India at 74.9 crore (21.67%), followed by Indonesia at 23.5 crore (6.81%), Brazil at 20.7 crore (5.99%), America at 13.8 crore (3.99%) and Russia at 13.3 crore (3.84%).

This includes 81% Android and 19% iOS users. Apart from this, there are 9% business accounts, which share more data through WhatsApp business features. In regions like West Africa, 80% of profiles are public, where only WhatsApp is used for messaging. In countries like China, Iran, North Korea where the app is banned, the risk of government surveillance is higher.

At the same time, half of the 50 crore numbers of Facebook leak of 2021 are still active on WhatsApp. This may increase phishing, SIM swapping, doxxing or targeted attacks. This is an even bigger risk for business users because customer data may be leaked.

Warning since 2017, yet META ignored it for 8 years

This flaw was first reported by a researcher in 2017, but Meta sidelined it. The Vienna team shared from Meta’s bug bounty program in April 2025. Strict rate limits were finally imposed in October 2025.

Meta says that this data was already public, the messages remain encrypted. WhatsApp VP of Engineering Nitin Gupta said, ‘This research helped test our anti-scraping measures. No malicious use has been seen yet. Researchers criticized that no defense was found during the probe. This shows how big the security challenges are on a platform with billions of users.

Meta is now developing stronger anti-scraping tools

Meta is now developing stronger anti-scraping tools. But users themselves will have to remain alert. Cyber ​​security experts say that set the profile private, do not enter personal details in ‘About’, limit status sharing.

Apart from this, keep an eye on suspicious activity, like messages from unknown numbers. If you are a business user, use the secure features of WhatsApp Business API. Such vulnerabilities will reduce in future, but privacy is now also the responsibility of the user.

Read this news also…

How did Internet’s watchdog Cloudflare fail: X-Whatsapp-Canva did not work for 4 hours, years old bug found responsible

It happened yesterday evening. Rahul’s phone started behaving strangely. Scrolling to X just blank screen. Had to ask Chat GPT for the recipe to make for dinner, that too started showing “Something went wrong”. Rahul thought that maybe there was a problem with his phone itself. Read the full news…

There is more news…